Analysis
max time kernel: 90s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2022 13:42
Static task: static1
Behavioral task: behavioral1 (Sample: QL63.iso, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: QL63.iso, Resource: win10v2004-20221111-en)
Behavioral task: behavioral3 (Sample: SK.js, Resource: win7-20220812-en)
Behavioral task: behavioral4 (Sample: SK.js, Resource: win10v2004-20221111-en)
Behavioral task: behavioral5 (Sample: manacle/tries.dll, Resource: win7-20220901-en)
General
Target: QL63.iso
Size: 842KB
MD5: 91e742988dfaf22dd473b2595a0fb1f2
SHA1: 537c12d3dd983bddc03aa80e09d7384c575485fe
SHA256: 9e1abf9980ebc84d56b0c780b9fce0c401cfacc66e014f3be1d25564d4763477
SHA512: 58b63510eb651f7d82b78fd4f3e1eb87784859d73bdddf0ec74f8f6094e74832508306ed3657b93a4335358ca4ef8c1e2e610f6ed48f794051d5dfa9f170d763
SSDEEP: 24576:INdpOK8zWcCTisQsC3BbYGQajBp6Pi1YWaw4:EQK8Ie3BbzQaNpx1Da
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
  Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | cmd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: cmd.exe
  description | pid | process
  Token: SeManageVolumePrivilege | 4816 | cmd.exe
  Token: SeManageVolumePrivilege | 4816 | cmd.exe