5cb06d93dfb44c6d3e008ea0bab5269340d399a65340cc1ca2ed27f30dcb9f48

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 02:54

Target

0131f6aada5c7cba15c992960b6a0512.exe
Size

140KB
MD5

0131f6aada5c7cba15c992960b6a0512
SHA1

33e53b8b0e2260f5043b2cd27211610dee32ae29
SHA256

5cb06d93dfb44c6d3e008ea0bab5269340d399a65340cc1ca2ed27f30dcb9f48
SHA512

abb33447be122eb22b976e0c4204f69fbacae979298f035b914c08c98eef1e11e1bc903a2d855b74657e7f9a2a005e058caa84ca8264eb5df8b074e73d528ef4
SSDEEP

3072:iUoFt1bbFJ5ZJjbVEiR+Oh3q5HC32+aJe1mgawzxsBub86e:ixB1DXHnh3qmTV5ne

Score

4^/10

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	0131f6aada5c7cba15c992960b6a0512.exe
File opened for modification	C:\Windows\svchost.exe	0131f6aada5c7cba15c992960b6a0512.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
2408	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2204	0131f6aada5c7cba15c992960b6a0512.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2408	2204	0131f6aada5c7cba15c992960b6a0512.exe	28
PID 2204 wrote to memory of 2408	2204	0131f6aada5c7cba15c992960b6a0512.exe	28
PID 2204 wrote to memory of 2408	2204	0131f6aada5c7cba15c992960b6a0512.exe	28
PID 2204 wrote to memory of 2408	2204	0131f6aada5c7cba15c992960b6a0512.exe	28

C:\Users\Admin\AppData\Local\Temp\0131f6aada5c7cba15c992960b6a0512.exe
"C:\Users\Admin\AppData\Local\Temp\0131f6aada5c7cba15c992960b6a0512.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\chinexe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2408

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\chinexe.txt

Filesize
90B

MD5
97239ef621539acfe8c6b72d66588d6d

SHA1
d38611c40f39e1d00b6cf658d5df61268f618c5e

SHA256
6f90735ff31a27fc149da65c16012ee14306f15a4f7f95c7a9d4eef9aae9190f

SHA512
7294028f8d80dbcee9beff7408e4baf71a00f230c10afb03751b6dc60da55325303ff3f394c059d601d0bac634c730a009ee42205baf06c49d0940bdec5353a9

Download Submit