d6273f528ad9fe35b2d8d46521359d5d19ff6c3fba44da01a1fd23796905be92

Analysis

Target

63aaf7e9b28cc5f9a48891e99256d866.docx.vir
Size

12.5MB
MD5

63aaf7e9b28cc5f9a48891e99256d866
SHA1

c3524aac7885c96c8ef8badeeb6a28037d964dff
SHA256

d6273f528ad9fe35b2d8d46521359d5d19ff6c3fba44da01a1fd23796905be92
SHA512

7d60abf1e4b8010f88ea11dd04a5edca43a1d9743b23aa60fce2433ab47d1dd88d29a7b0c7881aa26124e4fd9c8e4818f82b741e946726fddc95689585d4e388

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1276	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\63aaf7e9b28cc5f9a48891e99256d866.docx.vir
1⤵
- Modifies registry class
PID:3496

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact