2194c5e9c048a6125373d6c43da58f81bc33595943d8c631ed7571eb43054d0b

Analysis

max time kernel
94s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 23:10

Target

CVWC35.iso
Size

722KB
MD5

b506204da4446139f5fb282ad0f877b4
SHA1

2746ee2fbfd179c90c332fdc98872b958c6c79c0
SHA256

2194c5e9c048a6125373d6c43da58f81bc33595943d8c631ed7571eb43054d0b
SHA512

6202c47a0372c756355d28c6758cf838ad60220e6b3b41f6c8a6d98fa5f6f88877649294e8485a844f748a6251ccaa963b6e5a6bcb1aef7b8badf432d9aa3179
SSDEEP

12288:6YJ/TGcg+w9KCZJdcvXumiT3QOrT8Rk0zvInbiPCw18al1USuSZxHHTkG/8H8:6YJ/TGckKCZ30IAIQR3O7OjHHApc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 3416 cmd.exe
Token: SeManageVolumePrivilege 3416 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	3416	cmd.exe
Token: SeManageVolumePrivilege	3416	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact