98383ef197201c1b093e3feb6217bb285b4f7e83dd0f2a77f7dc809871601f39

Analysis

max time kernel
105s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2022, 07:22

Target

王云雷-北京航空航天大学-安全研发岗位-个人简历PDF/王云雷-北京航空航天��.exe
Size

501KB
MD5

c6893da36a9a16f013cd344f988b3d18
SHA1

bc64b8f40c2045cec9e248a8d15223c3349df0ba
SHA256

5f32ef64abeaf8f0f15037fa273662067ed9b22714a77ceaee5e132832befb5b
SHA512

19d1d365f71834c11085003e2e43885b136b02d02f261a0e269068c4d1c419ff68cad807a2f14625a1e891615b199f273f84761f352ad4f0c199700c507f636f
SSDEEP

12288:mL9TkUbi4zfHfb3pjerSnetOdwZP77tksMt5U/d:Y9UcnrpA1ZD7tksAO1

Score

1^/10

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

pid	Process
4384	tasklist.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 4384	632	王云雷-北京航空航天��.exe	79
PID 632 wrote to memory of 4384	632	王云雷-北京航空航天��.exe	79
PID 632 wrote to memory of 4384	632	王云雷-北京航空航天��.exe	79

C:\Users\Admin\AppData\Local\Temp\王云雷-北京航空航天大学-安全研发岗位-个人简历PDF\王云雷-北京航空航天��.exe
"C:\Users\Admin\AppData\Local\Temp\王云雷-北京航空航天大学-安全研发岗位-个人简历PDF\王云雷-北京航空航天��.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\tasklist.exe
  "C:\Windows\System32\tasklist.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4384

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact