Analysis
-
max time kernel
92s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2022 14:44
Static task
static1
Behavioral task
behavioral1
Sample
TZ67.iso
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
TZ67.iso
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
SK.js
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
SK.js
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
manacle/assignations.dll
Resource
win7-20220901-en
General
-
Target
TZ67.iso
-
Size
842KB
-
MD5
33bbe8729cb9ff3ccba095d0ac66060c
-
SHA1
dacad73e0a1cb1dcf649b30f58d4135005e4f955
-
SHA256
e117f232d9017bafab4854c0b73578f14e3d4311052ef9c69680804b2b733f03
-
SHA512
be39269f0b3121245159ea1fec251ea63c4e42ff3dc3c4988581a083e875e985623c3e544d4eedc047d1b86ecaa281f28bd2f442eafd024321927545b4ece2d3
-
SSDEEP
24576:YNlK8zWcCTi4QsC3bpWbYGQajBp6Pi1YWaw4:kK8IC3bUbzQaNpx1Da
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
cmd.exedescription pid process Token: SeManageVolumePrivilege 1200 cmd.exe Token: SeManageVolumePrivilege 1200 cmd.exe