fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d

Analysis

max time kernel
151s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 21:38

Target

System Volume Information/WPSettings.dat
Size

12B
MD5

bf8c557e1c3c28ed3bc3213920576ff1
SHA1

863e227e338d6b8e056f3286b4d66f3bbf4e1ac1
SHA256

410696eb28b1d2150b093aa2a392ce82c31afd887fd324600c4a9fe54d42a34f
SHA512

e80edc340a2f720eb24b94488362f3f2511c1fd02f3b5e280305e2a2be0b5c923f05f442951f6558d8b5a83eadd913a78c99d12334aa530d3e48db1207624f74

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.dat	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 588	2012	cmd.exe	28
PID 2012 wrote to memory of 588	2012	cmd.exe	28
PID 2012 wrote to memory of 588	2012	cmd.exe	28
PID 588 wrote to memory of 564	588	rundll32.exe	29
PID 588 wrote to memory of 564	588	rundll32.exe	29
PID 588 wrote to memory of 564	588	rundll32.exe	29
PID 588 wrote to memory of 564	588	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:564

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact