4ce154cc8c0d952cd7364d9f295b37bb9fdf4efbed369464bbf95ba97cc7bf5d

Analysis

max time kernel
388s
max time network
451s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:09

Target

Office Tool/files/preferences/en-us/settings-onent-en.json
Size

64KB
MD5

a26509c932254e3e7f856b5cdb7b3487
SHA1

49c46bf63f52d19fe53b10d27d2452c4aaa94fc7
SHA256

4bc96239b0a6bf0596de11c434089e9a5e267ec074975ee7d7e846fd884a63e8
SHA512

179a47f62145e6a63ebbe26240079aa56b4f63222f87e6f2d7c708dda76f30953a60aedadee508569314032532d14d74e6c36dc6aa520ef6fe1cfdf25d5a1926
SSDEEP

1536:+mNEztH92XHO6RGGdsVagOlwphDQCbKOP30uRshnO9fNdHqiVOqMqWAPft64XOEl:9NKH92XGH3RshnO9l9q+OqH7H7

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3244	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Office Tool\files\preferences\en-us\settings-onent-en.json"
1⤵
- Modifies registry class
PID:4404

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact