d5ecfec09e9e72bb3aa188e7a912e4d8adefe3771070ac3d710f40bc4caa20bf

Analysis

max time kernel
82s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 14:37

Target

CVBT39.iso
Size

722KB
MD5

0bc1a3822c49c25944bd45ca89bd8aaf
SHA1

deba064c86baf56e47cea8218a96d50e042fc9ee
SHA256

d5ecfec09e9e72bb3aa188e7a912e4d8adefe3771070ac3d710f40bc4caa20bf
SHA512

064e1d1146f2a9b9ec9642503a5e8a24a3201da5fc95f5abd74282648bec887922ae00dfd8648662d109565ce771e0e82d685b0748e9ac2daf0a666c31ecca14
SSDEEP

12288:6Y5/TGcg+w9KC9JdcvXumiT3QOrT8Rk0zvInbiPCw18al1USuSZxHHTkG/8H8:6Y5/TGckKC930IAIQR3O7OjHHApc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 5108 cmd.exe
Token: SeManageVolumePrivilege 5108 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	5108	cmd.exe
Token: SeManageVolumePrivilege	5108	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact