114c6067d10194b8638eba3f01e6c3e44576d09d74546b7014d637b352b10e23

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 04:03

Target

AB63.iso
Size

970KB
MD5

728ca18376d08499c84ef75beaa30de5
SHA1

989d0f183ff6c188dc10aaf2d2685521dad61ead
SHA256

114c6067d10194b8638eba3f01e6c3e44576d09d74546b7014d637b352b10e23
SHA512

0b56d6ca945e01f46a1b73c5f2bae877827af44a06bd854c3a116fa3de621f5b5509e55d7a9d16d96a459c2a446f01b5a7d3a5b129b92a68b799f47a78639b1d
SSDEEP

12288:Mo16F+DfZxL4+Dir8lkQ5z4hbUmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:Mo16F+DRt4Tr8lkBhQp2QOUDKw9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 4468 cmd.exe
Token: SeManageVolumePrivilege 4468 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	4468	cmd.exe
Token: SeManageVolumePrivilege	4468	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact