1a70915f0169d0a92414ae58337809372ed09b75f877fc570e905abe83d50550

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31-12-2022 19:55

Target

Roboto-Black.ttf
Size

164KB
MD5

d6a6f8878adb0d8e69f9fa2e0b622924
SHA1

3f8e401d808f6ce84b542266726514ac8be73171
SHA256

5ace0d0833ab83ff18ea94e4a7745f919c458ae4eabc298218226df4275ccd4d
SHA512

7c1505b4fa1a2800c91f6e6e178ef8a75856c462f5fd781b6bc5466f14e581373b770b35e0b1d6f5662824a824e36ff046e4f1a27156a8c1dd07838721172dcb
SSDEEP

3072:1D1zjYz01Og87sw7Comqu/xccsqkobOi33XNFRS3eCk1XqmSMOoDRuQKSgPTPgSt:1D1zjYz01Yh7yqu/mcsFobOi33nGk16N

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1312	456	cmd.exe	29
PID 456 wrote to memory of 1312	456	cmd.exe	29
PID 456 wrote to memory of 1312	456	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Roboto-Black.ttf
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Roboto-Black.ttf
  2⤵
  PID:1312

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/456-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download