41a17ef940860c7ecc486581cc0ca9702fc264fbc2845c2c3b386b81c9b19150

Analysis

max time kernel
1776s
max time network
1587s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2023, 02:40

Target

NO ABRIR/Operacion SPEI-6279 a tu favor .msg
Size

25KB
MD5

d0844d9ddb4d67071ae71b62d1d3dbd4
SHA1

1ddb829d117eeb33e82dba3893b674c1cec39577
SHA256

109d756625fc89b66d36b04117f3ccd73df9787237bfc58cbcae3c19c48252bf
SHA512

e7b18b8e12d72366c5ac57e5f1e50213e9a826cf53ef515bdee905f6ab28fb619f0f8b97db1b4d462f2a1bf62ac034bf7bba1439e0b7c931e1384339523f33f6
SSDEEP

192:yVXXf9V7MfRMgSvdSV7NGOMmxiE+Vyi+3zuz0te980tegv+lJt0/VMH:cXf9V7MfdwSVRTi8uQtcft8jt09MH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NO ABRIR\Operacion SPEI-6279 a tu favor .msg"
1⤵
- Modifies registry class
PID:2648

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact