ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | Triage

Analysis

max time kernel
36s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 01:45

Sharing

Report Analysis Logs

General

Target

tfile.txt
Size

1B
MD5

0cc175b9c0f1b6a831c399e269772661
SHA1

86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
SHA256

ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
SHA512

1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2572 NOTEPAD.EXE
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 5004 wrote to memory of 1040 5004 cmd.exe format.com
PID 5004 wrote to memory of 1040 5004 cmd.exe format.com

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\tfile.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2572

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\format.com
format
2⤵
PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...