9e1abf9980ebc84d56b0c780b9fce0c401cfacc66e014f3be1d25564d4763477

Analysis

max time kernel
90s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 13:42

Target

QL63.iso
Size

842KB
MD5

91e742988dfaf22dd473b2595a0fb1f2
SHA1

537c12d3dd983bddc03aa80e09d7384c575485fe
SHA256

9e1abf9980ebc84d56b0c780b9fce0c401cfacc66e014f3be1d25564d4763477
SHA512

58b63510eb651f7d82b78fd4f3e1eb87784859d73bdddf0ec74f8f6094e74832508306ed3657b93a4335358ca4ef8c1e2e610f6ed48f794051d5dfa9f170d763
SSDEEP

24576:INdpOK8zWcCTisQsC3BbYGQajBp6Pi1YWaw4:EQK8Ie3BbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 4816 cmd.exe
Token: SeManageVolumePrivilege 4816 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	4816	cmd.exe
Token: SeManageVolumePrivilege	4816	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact