2ad578e2800423b80a5f162f3518742f7ca94a75f97d54ce0a7eb7ac7adfa68f

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24/03/2023, 15:15

Target

panupv2-all-contents-8690-7941.file
Size

64.7MB
MD5

561d94b6b60456b32446540fd4abbc7c
SHA1

44fb75857b1a935915f801f6cadda6e3f0a49015
SHA256

2ad578e2800423b80a5f162f3518742f7ca94a75f97d54ce0a7eb7ac7adfa68f
SHA512

f757c3dbcc2094a5eaf124c0f516b0aa21c6afe9c69a903053c1dc4b8f8301be372bc7e6a23aba5f1d432dd43c68a238d9f607abde168e19832c42132be25d5f
SSDEEP

1572864:TnXa4VfbaAVSZPH/IleJpTf8Y3kjo9Sy/6iA73TBNV8yxBadGJ3fg:7XaGWAy/IWpTEY3ku/GnnVg

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\file_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.file\ = "file_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\file_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\file_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\file_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\file_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\file_auto_file\shell\Read\command	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1176	2044	cmd.exe	28
PID 2044 wrote to memory of 1176	2044	cmd.exe	28
PID 2044 wrote to memory of 1176	2044	cmd.exe	28
PID 1176 wrote to memory of 1764	1176	rundll32.exe	29
PID 1176 wrote to memory of 1764	1176	rundll32.exe	29
PID 1176 wrote to memory of 1764	1176	rundll32.exe	29
PID 1176 wrote to memory of 1764	1176	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\panupv2-all-contents-8690-7941.file
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\panupv2-all-contents-8690-7941.file
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\panupv2-all-contents-8690-7941.file"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1764

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact