a60b7a2ef406fd853f59afb392ba91901e059cb256ae7f09de38344c55de4fa0

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 23:27

Target

Play-Regular.ttf
Size

214KB
MD5

d90e0a0e734eb3816dec96b3e69cb6a8
SHA1

438e8cb85e38a298fe8227203dea6840b435f848
SHA256

6fb240521cfe3fe9983b590fdf0fac15e891b19b261ae382517066029eec46b3
SHA512

a5d09ce52c70215c45f11f8f87c16c8d6df731a2706361d8450d90b30e7ef8e4b3a98f03caf7357cf618c55fb8ed24a51d3e6f7fffd767ee353017aaf56b5d5b
SSDEEP

3072:vJYNPKh4rZSllDxYTW+PzyWjPyKvtgLA7me79mLUO2Rc98d2E8H7O1j7LA:vmpm4QlRxUVzyWjPyKvSLA7my9mb2RXA

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1264 wrote to memory of 548	1264	cmd.exe	fontview.exe
PID 1264 wrote to memory of 548	1264	cmd.exe	fontview.exe
PID 1264 wrote to memory of 548	1264	cmd.exe	fontview.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Play-Regular.ttf
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Play-Regular.ttf
2⤵
PID:548

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact