5b6264bc1a40d5c630e3142edc64d007624ad35bc2118efc400ed7ae88d0b309

Analysis

max time kernel
449s
max time network
451s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 04:57

Target

realistic astronaut.rbxm
Size

174KB
MD5

e2f216981746c8184e760f99101cc263
SHA1

fa9ad25380fd00c2f7de577bf76340a062789d43
SHA256

5b6264bc1a40d5c630e3142edc64d007624ad35bc2118efc400ed7ae88d0b309
SHA512

71054e576ad71e3aa31be3dcdc98846bb066fe7dc81aebd2cf20bed20f83e2e74c5a6fe38334c4088c303164fc0e3fe786c3f4d3642022a4471665bdc211e0db
SSDEEP

3072:DCLmuKorKZGeM4rfBRbUO85vuCP/Xlw7f:ulMXrHbULVP/Xlw7f

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\realistic astronaut.rbxm"
1⤵
- Modifies registry class
PID:716

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact