df53d5d9fd823812fe6f8da727dda6c5422eb6f10ec45db2325fa0fc2db91684

Analysis

max time kernel
384s
max time network
446s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
11-04-2023 14:15

Target

LBOTS V2 FREE LOGIN/cache.json
Size

182B
MD5

4ef075d8e40fc198e9f7be938f6243a6
SHA1

89c5f04f664bf87d7e96cc2355303c6171ec4c94
SHA256

7ed48cee90df2421c342fdb36f0c1dd989a3d5ff324edcd8c7e64d0ad47fa8b1
SHA512

d224819c16664f2cec3696f60b22f8be2bb4c788416fbfd224f111996a3611ad18b46eb38d2ae95514ffbda5f67773934673b23cdf5b914709154cdd2aee2766

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

5080 OpenWith.exe

pid	process
5080	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LBOTS V2 FREE LOGIN\cache.json"
1⤵
- Modifies registry class
PID:3576

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact