10c389561c1ba93694020485c9ba784a9fdba5382a0106cbeadc11ce110641e0

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 14:12

Target

YJ67.iso
Size

842KB
MD5

580497b1f86577786404d70e280841ba
SHA1

f0314eec44a22942c9249c5835cecb73ebcb0668
SHA256

10c389561c1ba93694020485c9ba784a9fdba5382a0106cbeadc11ce110641e0
SHA512

fd2ee9ac809d178c4e593617fad7c24907151330def89b476e29e3adbf3955488c48a0244d8d5d781329fbf5755110ba2c990d3bc0e358d17b545ec34db0ff2a
SSDEEP

24576:iNVK8zWcCTiQQsC3bpWbYGQajBp6Pi1YWaw4:eK8Iy3bUbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 3460 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	3460	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact