6f2826909d7cc11f2c297cae935a606c36bef1758d191d06deb82a6cd7600d0e

Resubmissions

24/03/2023, 16:32

230324-t167gshf8v 7

24/03/2023, 15:54

230324-tcj22sfd66 7

Analysis

max time kernel
79s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 15:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Adobe PS CS6.rar
Size

73.7MB
MD5

29ad271054dc7a7fcfb691ac9515ab3b
SHA1

96e9489824c0944188d48384efb7d0d4ac74eaeb
SHA256

6f2826909d7cc11f2c297cae935a606c36bef1758d191d06deb82a6cd7600d0e
SHA512

259598be80d8634dd8fafcda7c81c3ae605ea510dfd8259df63db097bab606adfd7dd3c72e8479ff7731fdc1af78312cfe31d82e41db3965ffe6740a04f068ef
SSDEEP

1572864:JKT3GWkokgm1Pia0dgTqHXwTvQ6GH0FBEJNJ5TOLOx7fSTtjIvmEx4:JKTWWMia0mDAUrEzvOG6T2e+4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	OpenWith.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe
2060	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Adobe PS CS6.rar"
1⤵
- Modifies registry class
PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads