d57522a9f2ac0ddf6c4817f7ca137ec6cff448b3c6f55b43d6e5ab4a8b770e5f

Analysis

max time kernel
69s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 19:09

Target

imagestore.dat
Size

5KB
MD5

eede441a0755fe0d346c95fd4442e252
SHA1

2c4d2276c74d7bfac2fb67e39d47e47d627e0c2e
SHA256

d57522a9f2ac0ddf6c4817f7ca137ec6cff448b3c6f55b43d6e5ab4a8b770e5f
SHA512

9df2a294ebc0b11dda3c9c2bd77a9845f6e4ca698a6146bdab45b7bb46fadc45d1e7ab1ce00a83afcb6df2e49929e439f7016ee2eda185701757e5609b17bb0e
SSDEEP

48:xwDaO7IJct3xItwDaYxG/7nvWDtZcdYLtX7B6QXL3aqG8f:YvIJct+MP47v+rcqlBPG9i

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\imagestore.dat
1⤵
- Modifies registry class
PID:748

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact