fd9559db98211fc18f2e26ccf53ccc8c89086c61a1522d3c5bb8a3aa8f3d080f

Analysis

max time kernel
1490s
max time network
1502s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
06/05/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RegBstkDrv.txt
Size

1KB
MD5

cb2fe93e5383e928d3cf0d3a1c747b5e
SHA1

b46c880f5d2ec189ff620920e13452a706c4ba3d
SHA256

d10152a315f569a2e69150beefa70f0f64e0eb9e3c9c5dfd2123424dd10e9f7b
SHA512

85fbcdc1dc016f3fd75e468d79f70d254b8f29b4433fcab0f66762d22d8f13c5b1b3ec19918cf090849dcd33d11d34ea9594c2170f74726530adeb978c1a394f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2268	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 2268	4900	cmd.exe	81
PID 4900 wrote to memory of 2268	4900	cmd.exe	81

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RegBstkDrv.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RegBstkDrv.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...