e627d7709bd65f4c43157df5a13ae109d6cb6c4b9c991f26e1739c2422a1315a

Resubmissions

08/05/2024, 14:25

240508-rra2ksgg7y 3

08/05/2024, 13:07

240508-qcv8jaea8w 10

08/05/2024, 13:02

240508-p95ykagc48 3

08/05/2024, 12:59

240508-p7317adf7y 3

Analysis

max time kernel
199s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HL_ucheniy.jpg
Size

5KB
MD5

9ad53fcca40122a3c259fd5dc9776775
SHA1

05a701bfc794b31b4605df0d72b2109e2f1918ef
SHA256

e627d7709bd65f4c43157df5a13ae109d6cb6c4b9c991f26e1739c2422a1315a
SHA512

87bf5484ebcbb6f0e1320dc189dcda302bcf62ed64dd73ab0d6c20c982a180b4d9d681a5fb065d05d2bf949addf7356b0b06b831476a0dec593667fc3313fd36
SSDEEP

96:/WkR7QJRwPwpgtieTQAbTl31CnkZvxYdFH7VJY/818vLNFmnh6sPLspETMyZqh:/oSwpyi8skZveH7VK/A8jTmHjmEIyZqh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4268	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1160	taskkill.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2268	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1396	3000	cmd.exe	116
PID 3000 wrote to memory of 1396	3000	cmd.exe	116
PID 3000 wrote to memory of 532	3000	cmd.exe	117
PID 3000 wrote to memory of 532	3000	cmd.exe	117
PID 3000 wrote to memory of 1596	3000	cmd.exe	118
PID 3000 wrote to memory of 1596	3000	cmd.exe	118
PID 3000 wrote to memory of 4568	3000	cmd.exe	119
PID 3000 wrote to memory of 4568	3000	cmd.exe	119
PID 3000 wrote to memory of 4396	3000	cmd.exe	120
PID 3000 wrote to memory of 4396	3000	cmd.exe	120
PID 3000 wrote to memory of 3988	3000	cmd.exe	121
PID 3000 wrote to memory of 3988	3000	cmd.exe	121
PID 3000 wrote to memory of 1736	3000	cmd.exe	122
PID 3000 wrote to memory of 1736	3000	cmd.exe	122
PID 3000 wrote to memory of 3376	3000	cmd.exe	123
PID 3000 wrote to memory of 3376	3000	cmd.exe	123
PID 3000 wrote to memory of 2220	3000	cmd.exe	166
PID 3000 wrote to memory of 2220	3000	cmd.exe	166
PID 3000 wrote to memory of 3852	3000	cmd.exe	125
PID 3000 wrote to memory of 3852	3000	cmd.exe	125
PID 3000 wrote to memory of 1192	3000	cmd.exe	126
PID 3000 wrote to memory of 1192	3000	cmd.exe	126
PID 3000 wrote to memory of 4684	3000	cmd.exe	127
PID 3000 wrote to memory of 4684	3000	cmd.exe	127
PID 3000 wrote to memory of 880	3000	cmd.exe	128
PID 3000 wrote to memory of 880	3000	cmd.exe	128
PID 3000 wrote to memory of 2664	3000	cmd.exe	129
PID 3000 wrote to memory of 2664	3000	cmd.exe	129
PID 3000 wrote to memory of 3568	3000	cmd.exe	130
PID 3000 wrote to memory of 3568	3000	cmd.exe	130
PID 3000 wrote to memory of 4640	3000	cmd.exe	131
PID 3000 wrote to memory of 4640	3000	cmd.exe	131
PID 3000 wrote to memory of 2604	3000	cmd.exe	132
PID 3000 wrote to memory of 2604	3000	cmd.exe	132
PID 3000 wrote to memory of 3576	3000	cmd.exe	174
PID 3000 wrote to memory of 3576	3000	cmd.exe	174
PID 3000 wrote to memory of 3320	3000	cmd.exe	134
PID 3000 wrote to memory of 3320	3000	cmd.exe	134
PID 3000 wrote to memory of 1020	3000	cmd.exe	135
PID 3000 wrote to memory of 1020	3000	cmd.exe	135
PID 3000 wrote to memory of 2296	3000	cmd.exe	136
PID 3000 wrote to memory of 2296	3000	cmd.exe	136
PID 3000 wrote to memory of 3068	3000	cmd.exe	137
PID 3000 wrote to memory of 3068	3000	cmd.exe	137
PID 3000 wrote to memory of 2844	3000	cmd.exe	138
PID 3000 wrote to memory of 2844	3000	cmd.exe	138
PID 3000 wrote to memory of 2540	3000	cmd.exe	139
PID 3000 wrote to memory of 2540	3000	cmd.exe	139
PID 3000 wrote to memory of 3388	3000	cmd.exe	140
PID 3000 wrote to memory of 3388	3000	cmd.exe	140
PID 3000 wrote to memory of 2388	3000	cmd.exe	141
PID 3000 wrote to memory of 2388	3000	cmd.exe	141
PID 3000 wrote to memory of 3780	3000	cmd.exe	142
PID 3000 wrote to memory of 3780	3000	cmd.exe	142
PID 3000 wrote to memory of 2392	3000	cmd.exe	143
PID 3000 wrote to memory of 2392	3000	cmd.exe	143
PID 3000 wrote to memory of 2776	3000	cmd.exe	144
PID 3000 wrote to memory of 2776	3000	cmd.exe	144
PID 3000 wrote to memory of 4964	3000	cmd.exe	145
PID 3000 wrote to memory of 4964	3000	cmd.exe	145
PID 3000 wrote to memory of 2028	3000	cmd.exe	146
PID 3000 wrote to memory of 2028	3000	cmd.exe	146
PID 3000 wrote to memory of 4376	3000	cmd.exe	147
PID 3000 wrote to memory of 4376	3000	cmd.exe	147

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\HL_ucheniy.jpg
1⤵
PID:1512

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\malwarebygmelitem.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\malwarebygmelitem.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:1396
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:532
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:1596
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4568
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4396
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3988
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:1736
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3376
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2220
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3852
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:1192
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4684
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:880
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2664
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3568
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4640
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2604
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3576
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3320
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:1020
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2296
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3068
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2844
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2540
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3388
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2388
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3780
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2392
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2776
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4964
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:2028
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4376
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:3964
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:4436
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:432
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1760
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3696
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4044
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3324
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2652
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4748
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3288
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1980
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2352
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3200
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3176
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:768
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:396
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2812
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1052
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2220
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1872
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4268
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3908
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:800
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3144
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:428
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:852
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3576
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1924
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2116
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1752
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:940
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1628
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:116
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3444
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2468
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1668
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:400
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:624
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4916
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3648
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1084
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1920
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3696
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1280
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2680
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3544
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1744
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1664
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1292
- C:\Windows\system32\timeout.exe
  timeout 15
  2⤵
  - Delays execution with timeout.exe
  PID:4268
- C:\Windows\system32\taskkill.exe
  taskkill /f /im svchost.exe
  2⤵
  - Kills process with taskkill
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\malwarebygmelitem.bat

Filesize
1KB

MD5
052dd73696dca6a98d3f7a7fc193719c

SHA1
c0f12f50f812591a681e97d9891b6ba8e9001e11

SHA256
2a3ce3b7ae99f4fe25b1e75ae8584838ee123edfdf6fb5d8db47a94c8bdf7e71

SHA512
4f23af2362fffd1d301a5a64c03a47c9db755246e3d9a496f296bff737355c1bf121256fce804a7ab1e90a5852e82d96db68fcd34b41844459d573419d6432f1

Download Submit