e716752ad3f7040eb9e930d8289dfafac109fbb180096950bcf2a1791afbe0dd

Analysis

max time kernel
112s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 20:41

Target

CVIM20.iso
Size

722KB
MD5

16bb685de34f4b20da290acbbd95ae20
SHA1

1440da1e5f09301e336b02a17a25363589c09481
SHA256

e716752ad3f7040eb9e930d8289dfafac109fbb180096950bcf2a1791afbe0dd
SHA512

9eef0a83cfa95e4557f5300ec2d0dd7a69d43e9392a4a7c4cc39efb3561de1a2a50bd6ff4f3699f3127139c95cd7de655f9aa40183b84746673e9b4b11b21182
SSDEEP

12288:XYH/TGcg+w9KC1JdcvXumiT3QOrT8Rk0zvInbiPCw18al1USuSZxHHTkG/8H8:XYH/TGckKC130IAIQR3O7OjHHApc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 2324 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	2324	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact