cb71fe58d15d29096445faf4c3629f0b4a4b83214fdc0cfa56e58b1b6fec6e88

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 19:18

Target

9.exe
Size

464KB
MD5

12711cc0102713683b1143400defc843
SHA1

a654141e2d36887b6186f154c58192e388a3cba2
SHA256

cb71fe58d15d29096445faf4c3629f0b4a4b83214fdc0cfa56e58b1b6fec6e88
SHA512

c533d6a58e13dbe6a55874d64bf7ae10ab0b1f5280040e5f0924ff08a214b2aedaa616bba4ed4ca127b90a2d51d56459896fa2ac286ae8b9629079d2b6c367f7
SSDEEP

12288:yyveQB/fTHIGaPkKEYzURNAwbAgOT+t1A:yuDXTIGaPhEYzUzA0bA

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
2956	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2956	1204	9.exe	30
PID 1204 wrote to memory of 2956	1204	9.exe	30
PID 1204 wrote to memory of 2956	1204	9.exe	30

C:\Users\Admin\AppData\Local\Temp\9.exe
"C:\Users\Admin\AppData\Local\Temp\9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\9.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2956

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact