87a6c8d93a46da3487e69372704f9014a55ab43820d202b3bf58f28df1fa2bac

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 14:42

Target

RJ01.iso
Size

842KB
MD5

0d156ab0973c1461a467b305264bc7e4
SHA1

b953b509d35f5c909774ec88db5920e68364792a
SHA256

87a6c8d93a46da3487e69372704f9014a55ab43820d202b3bf58f28df1fa2bac
SHA512

d76ae5bbce41e2a2febd8de5d394b4c9a2b8275f261722b6daa7ed54d024c844db8a650adb7a7e234698f66cf580f8c6ae7c97d26a36e81994a197c147b6f967
SSDEEP

24576:PNJK8zWcCTiRQsC3bpWbYGQajBp6Pi1YWaw4:vK8Ix3bUbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 4960 cmd.exe
Token: SeManageVolumePrivilege 4960 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	4960	cmd.exe
Token: SeManageVolumePrivilege	4960	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact