37e75479a1f81340df1523f38b37926b2376ec00972223e1087e56a5c73ba5d0

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2023 01:27

Target

thorse/installer_linux.py
Size

3KB
MD5

12cd0637b26410b41536143f22d7ea14
SHA1

047b7021c99cf8cf19d2e8b3a505c4bffba62858
SHA256

a8172618ca68b107f489dd91daa0cd5a7d70d2df44a9f8da8b7eb4fb1658badb
SHA512

ce45d2531512db6c13709648aa4c5d7b6af7235ff61c0a07282bf4674cc4d69d51787147904d0780ff0091a03f22009cb364cf8d95ddf6f144c6a9fa1245d74b

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2204 OpenWith.exe

pid	process
2204	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\thorse\installer_linux.py
1⤵
- Modifies registry class
PID:1264

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact