a6cb0a1b99a567ea125b5ec3940579d680b99f2c71e1f350ce4578044e0ba6fe

Analysis

max time kernel
94s
max time network
31s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
07/03/2023, 17:29

Target

mYm.cfg
Size

3KB
MD5

ddc483a581386f8f9baa71b6ed8f6d60
SHA1

f4bd4b886a741ea7ea100aa8b5de8a0ea5f40bd4
SHA256

a6cb0a1b99a567ea125b5ec3940579d680b99f2c71e1f350ce4578044e0ba6fe
SHA512

b26519cb6f75bc37c931de8cb5cc8274bbe611b61514100b3b0d7cf4ee3677ecd9d66c2b91ddbbc7a872efd5c5858a4cd71ca2e842b2c06b28d328822bec21fb

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
476	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 476	1164	cmd.exe	29
PID 1164 wrote to memory of 476	1164	cmd.exe	29
PID 1164 wrote to memory of 476	1164	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mYm.cfg
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\mYm.cfg
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:476

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact