5b4e091f4ff55c2d426ca3ab68714562387fb615b820bb32dd696a150f3330cd

Analysis

max time kernel
143s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
13-01-2024 04:57

Target

ovpn/openvpn-license.txt
Size

17KB
MD5

a5aa9694cc581daf09c7f75d1bc64c30
SHA1

484b11367024a690fbd459fb4f45fd044f42d63a
SHA256

a45afcd949cb0e29a3ca81801c7b72666e585ac039a0e1eac63546bcb7273d4c
SHA512

5dd967d247732aa4d718e25347224ea93a15c597c47507deeea30be84c87283e984daf39798492167a422acdc5af174eebd7f7220162f0907ad89d3730c7b306
SSDEEP

384:H4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPoqHZ:H46uh1iYWrTXoPoqHZ

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 1856	3212	cmd.exe	23
PID 3212 wrote to memory of 1856	3212	cmd.exe	23

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ovpn\openvpn-license.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ovpn\openvpn-license.txt
  2⤵
  PID:1856

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact