3f2e89b07e7730999d80b41a44dc29f53aaba7875da5734b8158bfa74f645f3f

Analysis

max time kernel
7s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 20:30

Target

public/steambootstrapper_german.txt
Size

4KB
MD5

5c026fd6072a7c5cf31c75818cddedec
SHA1

341aa1df1d034e6f0a7dff88d37c9f11a716cae6
SHA256

0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382
SHA512

f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12
SSDEEP

96:hn6e0CBtWTkRBtWTkcBMBcVRZY13nSYzBPCN0ayRzkxjhoG8IJ8N8S3vIKa3DOoo:h6erBtWwBtWDBMBcVrYF7+3tZcQTD38P

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1044 NOTEPAD.EXE
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3252 wrote to memory of 1044 3252 cmd.exe NOTEPAD.EXE
PID 3252 wrote to memory of 1044 3252 cmd.exe NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	cmd.exe

pid	process
1044	NOTEPAD.EXE

description	pid	process	target process
PID 3252 wrote to memory of 1044	3252	cmd.exe	NOTEPAD.EXE
PID 3252 wrote to memory of 1044	3252	cmd.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_german.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_german.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1044

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact