98383ef197201c1b093e3feb6217bb285b4f7e83dd0f2a77f7dc809871601f39

Analysis

max time kernel
72s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2022, 07:22

Target

王云雷-北京航空航天大学-安全研发岗位-个人简历PDF/zlib1.dll
Size

86KB
MD5

688369c0213be161e8b1280198dbe567
SHA1

f2dfa6c7ac04c2785479d2827348bad823497e9b
SHA256

d60a13933b003f4f3a8b69a90a09827baf68bbb72f42fdd453e75cd5cc17f107
SHA512

ab72881ddc6919e2092ae12bd37433e9676e0ed517fd5471f5041c6ac6d09dcba671f819b7ba3405ae0575b2175669bbcb275fa0135947c0a92cf99d0e093ff4
SSDEEP

1536:nkHE/4NDs/WEfIvI5/6GZlryfhUrrfvFEG66ZC8tsWxcd5UYhp/CzpZiC:kHEWI/WTI5yGZlChUrr66xA5U6/CzpZi

Score

1^/10

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

pid	Process
3928	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 936	1420	rundll32.exe	80
PID 1420 wrote to memory of 936	1420	rundll32.exe	80
PID 1420 wrote to memory of 936	1420	rundll32.exe	80
PID 936 wrote to memory of 3928	936	rundll32.exe	81
PID 936 wrote to memory of 3928	936	rundll32.exe	81
PID 936 wrote to memory of 3928	936	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\王云雷-北京航空航天大学-安全研发岗位-个人简历PDF\zlib1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\王云雷-北京航空航天大学-安全研发岗位-个人简历PDF\zlib1.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\tasklist.exe
    "C:\Windows\System32\tasklist.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3928

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact