c7d3f799015e5372929825edcd99d8b47b480ae707638a7d1a90edfbdc0af568

Analysis

max time kernel
125s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 15:16

Target

Agreement_KOA16.iso
Size

662KB
MD5

dc68236d27e1d850413758a191153a99
SHA1

44a8277591b02fcec0b5e9e4880ccb867e29692a
SHA256

c7d3f799015e5372929825edcd99d8b47b480ae707638a7d1a90edfbdc0af568
SHA512

7ee8b242fc0aaf32970528f88c954a01ea4351a5bfd3208f57da370b136a2610951ce513c0412437cd5bbf7d6dfe25b89147f549098171f1d80aedf6bd63bfda
SSDEEP

12288:XNv6E1YF7P01JSdCLjqa/9ANdMxgligH8QLxwOQH:XNv6VP0/Ssfh9AUMFLxSH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 4876 cmd.exe
Token: SeManageVolumePrivilege 4876 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	4876	cmd.exe
Token: SeManageVolumePrivilege	4876	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact