eda3f677b0c88fadd019daef042891e49ec92f3cb4637e34103d6ffe77145484

Analysis

max time kernel
139s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ABT_1.2.2/ABT_English/ABT_L_1.2.2.gz
Size

1.3MB
MD5

bb999f14ce391760923b736ab32f3c13
SHA1

c230ebabad036598f89be43390758f04571a1481
SHA256

5a4af143d3d677d33a74eb95c30780fa43bde238efa0895def4e30aa0e2164cb
SHA512

a89f4ce14065f918a9152cba1650ddd433a1aaabfaeaffc8a283cf829ac50cde7872efbace55e3d5dd902acca036bc967a290a110ee76141c44898bbcad5be27
SSDEEP

24576:5/xyKm6oMXKKgv4R43i55TQz8mD24HKgN1Ycx0Rg92gwCkgGOYyzkQDNlIcMg:5JyH4qyLT3e24qgnb0Rg92gwCkXOBwQd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1924	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe
1336	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1924	1336	OpenWith.exe	109
PID 1336 wrote to memory of 1924	1336	OpenWith.exe	109

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ABT_1.2.2\ABT_English\ABT_L_1.2.2.gz
1⤵
- Modifies registry class
PID:4316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ABT_1.2.2\ABT_English\ABT_L_1.2.2.gz
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads