6ae7f4455360744b37a40a86260dff07e18e52d0675b4f944be9f3030f3a506d

Analysis

max time kernel
90s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 16:25

Target

DocumentsFolder_258273_Feb_03.one
Size

111KB
MD5

4633b7025030917786ceaf40ac0a422c
SHA1

48af4ef989e50f731f7163516e2365e0c3922c2f
SHA256

6ae7f4455360744b37a40a86260dff07e18e52d0675b4f944be9f3030f3a506d
SHA512

a13ce5fc4280634951c67a9c0b494d34fc2c690cfb0604199fa238d98064376333251e624383af33ab5da17631e0411c2f959d1d98a498c8ae3d937cf22bee43
SSDEEP

1536:6flBiZVfBWQdCj/UeG0wc4K0olXQwY2ZbhTh40EW3H7MApEIBvwZAIv:6bAVfBWQdmUeG33ovY8bhTh45W3bSAI

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4980	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DocumentsFolder_258273_Feb_03.one
1⤵
- Modifies registry class
PID:2728

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact