fe90a80ee54f5b67a780f04d8d05681e4c5819815efb854813e8bc5a98312084

Analysis

max time kernel
87s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2023, 11:40

Target

vnme.oqu
Size

1.0MB
MD5

2719c2e3387bfc7d4ebad5a477600d4d
SHA1

a5cec43ca072c50b3b159aeae01dac573c5c266c
SHA256

1182d0e595ab3e1a4f14749b00a5e8cec78f5ace1dab23b9eb3155712ee5d89f
SHA512

38a36c3ecd0a1e6472e3e2617b2292ffe5cfae322167e399cef766f9c147d6295963e67623fe19729621d8ca5e6b300d12a17fae5ec41b5dd681bbfc8c710ca3
SSDEEP

24576:whDGLR/GnhYzWHkCmdHn1F551gP23Rg+bb/qaVfYEi:2D/hlIH4R+XCTE

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4084	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vnme.oqu
1⤵
- Modifies registry class
PID:1120

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact