Analysis
-
max time kernel
102s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
04/04/2025, 01:37
General
-
Target
Botox-0xb.exe
-
Size
170KB
-
MD5
8f0da65b1714819a26b959b6530cc576
-
SHA1
01145678908c0d379467e37f6679d248f1b7a3a4
-
SHA256
f2f15ed5568b4ea4c9ccf7f772347651c2aa13b266ddbbf3893795794214bb2f
-
SHA512
c4aa9db30de6cb03c2d24a8931e2ee2701aa634fdddd4d666e0b08e165ac9c190d28fb7fefbbbfa84ecda9bf2843fc15ca0a8387d15a4e18f85aa5cf45ad9dd3
-
SSDEEP
1536:4lX4Sg8k5hRaWsgB7VIzYn2YxBTpchbpMApZNoJj2010v0s0fqStAkGpV/ITZDdx:49tg5v5P7Vo010v0s0QRe3olYkbLdA
Malware Config
Extracted
C:\Users\Admin\Desktop\case_id.txt
Signatures
-
Renames multiple (2459) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Botox-0xb.exe"C:\Users\Admin\AppData\Local\Temp\Botox-0xb.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\case_id.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\case_id.txt2⤵
- Opens file in notepad (likely ransom note)
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
804KB
MD5c5d87afb000aa72a18dec0ea0ea60be0
SHA1ad89b41502debc977366a0cbd71b6957e7543d41
SHA256cf91287ab77352d839a59860f84e0e643dd3488b3e377a3ba5809a1f315084b1
SHA512d839e11babc24190dca50b5d9f0491aab1a3a74b58d32790b5ddbd9d0d5fa2b4d2ea2fbc779fac5e1d7c6f753dcc66c3252d5249fee2a07b56711aead9abf433
-
Filesize
140KB
MD523c0914b702367a3f6630677b4896b92
SHA1fe8de35f31957b3330bd079a3f8a180585859198
SHA256f1404d57707147ffbc99377622c99a974f3837dbdf4bc8d650155198c2ad5b36
SHA512cb1bc5d4af8900950c7d61787090e73e12b06d34f8142be52cef0710d20036973b6fd4087039e6d62a113b988fdda7786c761e667801ecb40164a4c1573039d9
-
Filesize
16B
MD5df434fa48912e9471ac5324398ff86ae
SHA1c92790c4121e7530309bbc528765ae2c92fbcc6d
SHA256e6a34f449048b68ad995017938c3480440736ce7386f7dc498eff5f4acc0df57
SHA512868968ef9e7d3d4e5cf59a9d1a537b167a900c7f29a2b0f6238ca674c43d94919a3271913429785d53e18b8092eb9b0b529a3b74d9665ede3c3ca5330db90b89
-
Filesize
41B
MD5769601e2ebc6b065ecf49d67eb2dfeec
SHA1d7c2521fa2ee335c23060acd8ede1766ddafa653
SHA256c9805c748eedcbdc7b004f4b1252e9dec871f1b67789aee0474196b717d52afc
SHA5125e209141d6badb21922ff05b1e10ad3f4e9e819b5d9cde805823ee20ddda3402a9b0224cc0dc02d36ab6e40e89837d2fd6590b4d2930165b609915139474664a
-
Filesize
24B
MD543edf3cc2e010b3885381a2d5df809fc
SHA1d56703d7f9767400ed48b3db4efab2c45272b84f
SHA2563c17f31adecdc88338a0a5567459056c86593453a55d66a7081054f44e825fa7
SHA5129c0dd567d3aa3ca86b03ecf6a3c83ee8e20982bc63c9f876d3d65ed1f07949cea337a5c34d9c9f8717b42d800f65d4e54aa7769ee41594b158dcd2ff650e3434
-
Filesize
8KB
MD5131ac34226adf16bfa619ec7e6ee3fe4
SHA14ad766dbfcf01977b9c4702183e2f555af1823c4
SHA256815100ba68d93597ad551e28ac4576a51c6b65500bd282e1e0ba86ec3377218b
SHA5120ec087b00b05931eab7efc379a86771ae2a53ebcabae2bc4430120787bbc74fc2290ed496b527ad02077e4d0d8028d8e506153b9eeaa1bfb40d2fba9e99a9d9d
-
Filesize
8KB
MD52b993ab4181fe07618279f92e0646e5c
SHA1437540e59e795a404b5970ed54468ed3242ba57e
SHA2564d770e4b4d0566fb69f82e79510aa2dd5bac47f634dd2ea71dad990c381d1a52
SHA51243cf8826803a298a3e84690c0ec3dab125935bbb003f838320936a5eaa1a066045be0e924acb1c393986cf91e855d7600b468ccb592a262129150f60fe7781be
-
Filesize
264KB
MD5995780d673839e39bf1da7fb2687e5c3
SHA168e4f91ce0cd6d3930387282504716fccf2db90e
SHA2568b5eaececb0ce964779492381e35881abe0109622c003401198932d0f0ae3510
SHA512498569af33db0c7f77fd5c6a8d5a927b4c77b198137c26bdd5801f65f91e464fa0a6928ee1de7124d73404066559c0174208b7a622bcf39e514c392be58c95b0
-
Filesize
8KB
MD57aee1f1116e2c52e8ee957af3c025442
SHA1c52507b37ece0b357d00d01bfd70ab1d6f5ff816
SHA25669a76c5fa739549134747302a3c9f65789e0d37f5fe6aa8abcda039c0d1b97c4
SHA5127964db55f855507827998ddb1ec2c26bd4905af0d43866e4417139a1698420cde820c0099606da29c0028142d6bdb90ca2307714d4a6e11a684995cfe87f47b7
-
Filesize
4KB
MD5865b58ab6c51e8b5fc00009d9ee3fe8d
SHA1746e1784139ad05fdb9b52740c2c2c994e3f4c73
SHA256f81c5d2cc558e16dec52fed06a270c2d6f91136b9fdba1dad39bc3a2db51784a
SHA512ee9313d9d81cbfdb3aecfff0e02b1b139e392a46d105d483cc8757a1542b0cc51586e2cedfa4b8bccf343611e64f218234d8422fb6eddda913a547294f54612c
-
Filesize
8KB
MD51160fe79a99fb750e18999e6afecd177
SHA1d2605498daea0a6d5d8a149921032ca333576c8c
SHA25659f047d30b5378434a2939f1143b827e442c2b9df05cf65f56a6c1ec96984383
SHA512d65892f72477d9c5749333f96b15b80e9f8301fc75ad3e3a1d2a386a41b1ee2688b742a56a33b5c9cbd96f53e7b2f7e1c6e6521e270a2d6a8564692646bde9d5
-
Filesize
32KB
MD5fe2a795e98c771d70df76c7c31ff13c0
SHA14f64025338ce5b0353f93d3b2a2df6578901f79e
SHA25687ff1e4064c8b3d1617a603cc5a3808f88712988d78b7bfe5bb211268b84e741
SHA51284852c1584598f298c6f5306d93b4321ed208c84a472c1a7e928e58c2b9ce71ce7f4e1a94d61de331dc6d2e19f34a88cf5f28060b782493fccdaeaa6e12c6577
-
Filesize
48KB
MD5b384d1abf6f4658fafa958903642d5e6
SHA11e47fb05abd7b4c776726ff3d735c77e3cbd72d3
SHA25673b203739e68e00d9c3cb70067d5ef4eaf0ca5fafb6c724e26cba8c71f000f2a
SHA512cc6aec04d0c91f2a2b9af2e4393b0f9cbf5ea3c227268c14c3a012b1bd475c054e2c1ee6dfedcaffe3933dcad6fe56f8ecc18bd4a16bc6efc09fedc42ebea862
-
Filesize
1KB
MD58bbd9b9f922eac20c8680b0b62e6aa9f
SHA1b55ad995226a6ee39a49449b98e881fea26218d8
SHA25614f86150259e2bf83ea8759db7363415c3f824b7878cf85d1c33e6c1972e0ed4
SHA512d3bc3e07d851fe727c050310a32a7d146009779a51e2ca03b3713924e765917e641de8a78f09f9ce5780ea4cf724c58e9bbc4a03b7ab5e08ca09566cd223d910
-
Filesize
512KB
MD5ace6308ff6e482ac93fd90180019345d
SHA18077d122d800648ed5e9da0a9e3af59cdf4ff940
SHA2565937355ee0f6339fa166c6c8abc0c44d7599026bd5c77caf5ed527fd98eb3602
SHA51247128b2550e85ae7f3c2a8b3423c6a754a94d8a1f8a5b4e15d199bcdb351c3d6a4f8f5863a02492953f0a2292d96b33f808d759c15d45d2e1bd248ac44252c00
-
Filesize
176KB