579da36c31cc4e5d556f6298ee204184a357a3bdeeb8b94586ae217900408c72

Analysis

max time kernel
473s
max time network
485s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 22:29

Target

ForwardMails/ForwardEmlFile.pdb
Size

15KB
MD5

cb40c7baa655a67aad338edaabc2aa51
SHA1

bff944b8b0aef8d4fcd04593597b5429a9d9fbfd
SHA256

e02788db7d322e31fa84dea1e00fd96b98eca31e5bf91a62a6f2b8559bf82819
SHA512

41a40a0930392f1d1c0edeca122884579078466b95a881572e094849fab5026ba1604599642bca82246943182ef270c0d0f62ed8f3c8a9c23826ffef51a521db
SSDEEP

384:qvPvPvNpskLbie/dzRsLaVV6tD7jZszQZczXWCNS6RHKfujk3KeGXtJppVcRwgGo:qnnvsMbiOHc0BHtJmHjn

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

808 OpenWith.exe

pid	process
808	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ForwardMails\ForwardEmlFile.pdb
1⤵
- Modifies registry class
PID:2432

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact