2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef

Analysis

max time kernel
153s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:05

Target

2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef.exe
Size

731KB
MD5

52af5cd33424729c446a48697842f210
SHA1

0e8674e9af41e9026f34b3c204656d2e61fdf20d
SHA256

2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef
SHA512

d3f21de4981307cb5c1dc579a466e78daf0bd6c6c74a211982a77b16734a899d82d558e555a82dfbd37bd727da278bbc727619f3bbf72b8d00febeac53c3e447
SSDEEP

12288:Yuud4YcGL//JWM01Vfby4QQvRO4mqPeQ9HXD4AQf1Ym1eGu8+VK4jogDOE:Yue4YT/hmflRBmqPeQ93D4AQhenlIIoM

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef.exe

pid process

1664 2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef.exe

pid	process
1664	2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef.exe

C:\Users\Admin\AppData\Local\Temp\2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef.exe
"C:\Users\Admin\AppData\Local\Temp\2a59bc0228f5ddbf3112a888b958f5aef3162e1c3336af1eef77fe68666e03ef.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1664

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact