118b225a175e6ad0ca88270f0705b58c21bee2518a23f31564e557d2c1a699af

Analysis

max time kernel
88s
max time network
206s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
12/05/2024, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assets/input/tokens.txt
Size

738B
MD5

477668c4056a26aad8cfcda77d716ff2
SHA1

9a01ec2294ca1d66a295572745314e464b6f3069
SHA256

334d868dca9ac6305bc298256abc48baaf5392a33c1cc249a1fdabc78ff9d0f9
SHA512

7eef8ce93d85716645b5e38e6d76ccd49f230d0ea879f6c139fa19ec373465ba09da6d7f04e3de0fdc22b88daad16c9f766624f23c61e05025ce18f7de05eab2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1920	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 132 wrote to memory of 1920	132	cmd.exe	82
PID 132 wrote to memory of 1920	132	cmd.exe	82

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\assets\input\tokens.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:132
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\assets\input\tokens.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...