e7ec8e39fdfb299ab485a701fa6b18853e5e5fced4360abe9a65037d3457c731

Analysis

max time kernel
253s
max time network
259s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2023 09:28

Target

Activador OFFICE.rar
Size

40.6MB
MD5

6dcdeda7d808d660c35a872284c6cfaf
SHA1

d9e6b6decaa0020b67b18acc53b1faf0d2c850a4
SHA256

e7ec8e39fdfb299ab485a701fa6b18853e5e5fced4360abe9a65037d3457c731
SHA512

e880e0d0ccc5b3c90e07e18788e2176ac1cefbc5f7d98a2efd1cf328588a290a87e3c11c818062c79e2160cee6186bfa2636bc983664832ce41375c30a52e439
SSDEEP

786432:RmSZpsuIYDHRyi5ICvdGIUZwQ9+wnL3/LYdvcTwJuPRU1Mk/2OVkXcG9QMRDgG:R7gYzr+CvdGIG/W2wJcU1leOVEcG9QMH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1620 OpenWith.exe

pid	process
1620	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Activador OFFICE.rar"
1⤵
- Modifies registry class
PID:1432

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact