e8d703b18d3414500e79e89f2ddba867502528f1db5083976e871e82b27a3ad0

Analysis

max time kernel
439s
max time network
444s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
25/12/2024, 20:41

Target

Tweak Pack/Restore Point.lnk
Size

2KB
MD5

7e6ca5ff427e56332eb24781283902b9
SHA1

8d456fa51a975288678dafdf55c35f08168815fe
SHA256

c38003847f2a60e918fafe557d5bcc56fb82205e0665f440a00490e51d78ff03
SHA512

274930a9e9d3bd6a673e30064de80d35dff31fa160b9a0c2457465360855d6186d0e247ec6f191ded4571b7cb1864748fd7bf7f8bab157098ae423fa1f5b446e

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4376	964	cmd.exe	78
PID 964 wrote to memory of 4376	964	cmd.exe	78

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Tweak Pack\Restore Point.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\System32\SystemPropertiesProtection.exe
  "C:\Windows\System32\SystemPropertiesProtection.exe"
  2⤵
  PID:4376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact