2d3e89c5cc0b38ded52cebfaca28ba1fbf759a0ac578968487076af2a7449390

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 11:34

Target

IY37.iso
Size

842KB
MD5

17c30d260aeba5b69eec6ac5510db9ed
SHA1

5f4dadaf72c35d28a45b154359cc359516757cba
SHA256

2d3e89c5cc0b38ded52cebfaca28ba1fbf759a0ac578968487076af2a7449390
SHA512

e9ae031a44f260e3aec456ecc9def770f6b7efbc10e353e4fc27dca32c46b60aaee12f9fc356a1b4d50cb2be12d260d9c85486b7948fd9f47e6c120bb1428f23
SSDEEP

24576:fN9pOK8zWcCTi7QsC3BbYGQajBp6Pi1YWaw4:DQK8Ir3BbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 1724 cmd.exe
Token: SeManageVolumePrivilege 1724 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	1724	cmd.exe
Token: SeManageVolumePrivilege	1724	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact