c624cb7576bd5b2f9e43c254e2c56e34fccd2145f345e0d472da5cc0605655c1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 12:36

Target

74b64a82f447487a3e86c545ea45d623.exe
Size

1.8MB
MD5

74b64a82f447487a3e86c545ea45d623
SHA1

0223379f6328524053497962a74f1f64d678dda4
SHA256

c624cb7576bd5b2f9e43c254e2c56e34fccd2145f345e0d472da5cc0605655c1
SHA512

4d0013aa96101118fb8b4777318bce08db0a83ab5d1d70fac4f8233ae2689a09802ba37eccacb921cbeba6b08aaa48c627362d8545b19ebfbc89ec8a27f05041
SSDEEP

24576:AI3VYIiC96Q35g3Z6hEYBOKKqw7gLS8wl2XIYToxEpYWX4+33IQk3:PmIfQf0L1MsToxyrIN

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
2596	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	74b64a82f447487a3e86c545ea45d623.exe
2060	74b64a82f447487a3e86c545ea45d623.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	74b64a82f447487a3e86c545ea45d623.exe
2060	74b64a82f447487a3e86c545ea45d623.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2596	2060	74b64a82f447487a3e86c545ea45d623.exe	28
PID 2060 wrote to memory of 2596	2060	74b64a82f447487a3e86c545ea45d623.exe	28
PID 2060 wrote to memory of 2596	2060	74b64a82f447487a3e86c545ea45d623.exe	28
PID 2060 wrote to memory of 2596	2060	74b64a82f447487a3e86c545ea45d623.exe	28

C:\Users\Admin\AppData\Local\Temp\74b64a82f447487a3e86c545ea45d623.exe
"C:\Users\Admin\AppData\Local\Temp\74b64a82f447487a3e86c545ea45d623.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2060.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2596

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2060.log

Filesize
1KB

MD5
2a36deae727da3718ae831a553971f93

SHA1
864e1d742efcf9fd6dc9b01844bf890676cea5f4

SHA256
32a13ba3c17520ccd1eaec94b6b121bfb4c7033ffd591d43d8945387f23344a1

SHA512
2d313c746f487b02a6d8d8337bde1bc3b904c017d1b8f6aa366232d566589103ea293adeca262268a9363b7517e16b7e798bfa98d2895e51e89276e65d91a521

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2060.log

Filesize
1KB

MD5
62d90ced379a0f2b921a1ee47e2905d2

SHA1
cb446ba5e5126dcb2ca00ee98a26e2fe3880e03d

SHA256
b3efead2f1b78822f0f49f83cea7c9e2acf689c4f73ba5d324f3a50e4604f410

SHA512
2ead96dad435678af3b522f98201cfb99da763518389bf87fbdc4135246c6939d56309cf1d1dfab32399e2c1c055f8e46477ff226c08652d68a140b99e292ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2060.log

Filesize
757B

MD5
b155abad20117f335f4f2e9b30ece11d

SHA1
eb99498860885419c05a2b4aff2b6a539074935a

SHA256
d8113032ba8623cda51d15e63f93f20a72105b02ecdf044c7a379d3f5f7095f2

SHA512
791cad60fc9a4a108f74b7f37600b558b540c823123234497df0e05f66f063328c6df6d15d70a3a0d3afa26552a7d4a63fd5be3bbe2dcd2d993a51f26307c7cb

Download Submit
memory/2060-0-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2060-31-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download