c6021e59df4ef15a6590e4cc4b5d2a75c7c881397f154163849f969ebfbf8933

Analysis

Target

reconstructed_core/2022-06-04/core/license.dat
Size

334KB
MD5

c3db0f946699412e8f3a2775516116a2
SHA1

a01448e2760dcb2fbed70a634baaae559d3b6de0
SHA256

dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed
SHA512

50b2e9b3446463f4b02980587b3f4bd716f5b018e26085f10d38c42fd0f6e07891438d13ccc5b36f38ab9c7f1ea874814ed266f8551a970c8ca3eb73ac6b4950

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

700 OpenWith.exe

pid	process
700	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\reconstructed_core\2022-06-04\core\license.dat
1⤵
- Modifies registry class
PID:4200

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact