5c9c32aa420fae051a0ba9ab1bda24f4e5ede0ed36347bf842c537aa11cf269e

Analysis

max time kernel
165s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 21:19

Target

BF53.iso
Size

842KB
MD5

b3ba9cb529778d0799a4ccf474b38a1b
SHA1

cacd71f4c5bb9625eb458fd5c259f8c29c585294
SHA256

5c9c32aa420fae051a0ba9ab1bda24f4e5ede0ed36347bf842c537aa11cf269e
SHA512

bba6b728d3604c13b9b1f59378408422a425376489164439b76d781b744bcf0d4984f2afdda68f017bb7406ce58c491eee2ceba9faeadf8d34d6e208619631a6
SSDEEP

24576:VN5pWbYGQajBp6Pi1YWaw46K8zWcCTikQsC3:JUbzQaNpx1DaIK8I23

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 3924 cmd.exe
Token: SeManageVolumePrivilege 3924 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	3924	cmd.exe
Token: SeManageVolumePrivilege	3924	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact