158a8552791daf6d1edada33ce30a16fb459b8f585e2c1821e943f973c282e7f

Analysis

max time kernel
127s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 00:06

Target

gta_sa.pdb
Size

1.9MB
MD5

e0288df086a13dd6ff9a65d680df95d4
SHA1

46cf21500c307f8183e71430f8984bf6ed97d408
SHA256

06026c84b595fbee16737b0c095abba85206a8dc2ae9618cb9d870620370eed4
SHA512

f528ad3d993fe4abc277331db09f28dd31d0a423bf5dd4c8761c20c85e847a6c371aa621c89e64222a8dcacbe074586ac12f776af51c703d7716c974dafc2292
SSDEEP

49152:jOD8gkftU5/brZussfusM+KBy+XMTXMfOEj/urE4//hWzXFnZSJ4pgF:YFOE0

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1876 OpenWith.exe

pid	process
1876	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\gta_sa.pdb
1⤵
- Modifies registry class
PID:504

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact