5f8ef68ce4db869cc4458c4727067422e34fb6b55f50f1959e8877d0484728fb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiMC/themes/custom/themeStyle.css
Size

80B
MD5

dd96d2e9d593a1eca66cc72c6750e5a6
SHA1

b0126baafff44463767e5eb350945d20979f16d4
SHA256

12618cc9271af83a210ddedb26670e40ba2d6a740cfaa262c069e71be2c16898
SHA512

e41c9ed9acf4c32f17ec63e2b0509e62fa970cc6eb64e7b1329dc71baf4f4a99ddd57f4a613fcb11780711eb5afeda471248e76452bd20dc8f1b5918335017f5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1040 NOTEPAD.EXE
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 2740 wrote to memory of 1040 2740 cmd.exe NOTEPAD.EXE
PID 2740 wrote to memory of 1040 2740 cmd.exe NOTEPAD.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	cmd.exe

pid	process
1040	NOTEPAD.EXE

description	pid	process	target process
PID 2740 wrote to memory of 1040	2740	cmd.exe	NOTEPAD.EXE
PID 2740 wrote to memory of 1040	2740	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MultiMC\themes\custom\themeStyle.css
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MultiMC\themes\custom\themeStyle.css
2⤵
- Opens file in notepad (likely ransom note)
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads