Resubmissions

02-10-2022 15:25

221002-stk51adhdn 10

30-09-2022 13:52

220930-q6sdqsdga9 10

Analysis

  • max time kernel
    475s
  • max time network
    517s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2022 15:25

General

  • Target

    Invoi_PDF#2092.iso

  • Size

    1MB

  • MD5

    4fbb948db5431bffabfb1acd743a52f4

  • SHA1

    3ae2779c2ab2a9b7d1a1b62e5583f0f9077a4420

  • SHA256

    98761de8cb4e91079b0c34a1e5558dba347d976fc0ab0250a9f66ad706a93db9

  • SHA512

    784ac4391b442ce160c521cc7c49b844242602ad3fff118cf02c4a0f3c2545470a89866e07a4fb0047adbf70ed599cd28e1bb4482de181510d23ec1f71ab76ee

  • SSDEEP

    24576:+oa4+wzDswZwbwPHOHHH+Ygr3n9XupumT1y+leq1i6qgVK9abNhM8wtwdwYMwlwz:k4+wzDswZwbwPHOHHH+Yg7n9XsumpVex

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoi_PDF#2092.iso
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    PID:4072
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:3016

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads