d5e9ccf1171f5f24addd7f454eb758f4b0921b94da3097ce540d9f9f25e6f5bd

Resubmissions

05/10/2022, 13:11

04/10/2022, 16:13

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 16:13

Target

Flux.app/Contents/Resources/geoloc-arrow.tiff
Size

7KB
MD5

63528f3ba49d8f42ddde36bbe350ad44
SHA1

e704dbf1cc980a0b8826488dbd2c254237d7597a
SHA256

0813af1849aa2ae37950f6bdb135a6f0e2e6044072e712e271b6bdf847542c28
SHA512

a601d828a176e6d8d4660fa71d43fcce8cc3a4a13d32eb24f34eb7b50ee9cabf64f7726affb2f406ba5e62c3b09ca92f9064bec9c9c452c0418a03b91e585ca8
SSDEEP

96:IcI5N26MT0D5MdtbZPAVwzVvdNdgEcN26MT0D5MdtbZPAVwzV0:IcvYNMtKw5dTHbYNMtKwy

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4572	rundll32.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\Flux.app\Contents\Resources\geoloc-arrow.tiff
1⤵
- Suspicious use of FindShellTrayWindow
PID:4572

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact