f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05-07-2023 19:34

Target

f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe
Size

1.9MB
MD5

b1652f2b4cd5bdc366e751dee52a073e
SHA1

c6014e156e0abba8e31d4683c49f5ba2e3f0732a
SHA256

f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a
SHA512

52d0e9a16484301d0c805cd124625f4903cd0fd6d8f6eb23e195e4a8abe28fa65d512b4c382216144d20dd9b5bc776c231f68cda69359effc0c71e673a0e97c5
SSDEEP

24576:UW6VXRhhnzyhPIVcz9XUIRmQpLKcxafX0djRbEcPQ5Aeax+q4GZSKSnB3kqA9yoY:p6zyhPIaJXRmQZAXCjfwB4QKSnBUFmtT

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 908	3056	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	28
PID 3056 wrote to memory of 908	3056	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	28
PID 3056 wrote to memory of 908	3056	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	28
PID 3056 wrote to memory of 908	3056	f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe	28
PID 908 wrote to memory of 1684	908	cmd.exe	30
PID 908 wrote to memory of 1684	908	cmd.exe	30
PID 908 wrote to memory of 1684	908	cmd.exe	30
PID 908 wrote to memory of 1684	908	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe
"C:\Users\Admin\AppData\Local\Temp\f7bf20885774e44212aafb6fe28e0f08899c7647ef345d83efc978044289877a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\工具条设置.bat" /工具条设置.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\mode.com
    mode con cols=60 lines=16
    3⤵
    PID:1684

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\工具条设置.BAT

Filesize
285B

MD5
1782b3575feec9e9ef09b22cfe53ba48

SHA1
81b7de2cb701c42a3c4b49779e48cebdcef90202

SHA256
17bd2e2c5fe7d7d960885fff27af03bea6edd9a368bbb08a8170dc822d843af2

SHA512
53ef8036dfc10a68548a2258ac925b59e56321ffa87f35ae728eea66471fce6ceecf6231f566863fb1e692c1fc7d4320406e8dafd8bc27bcffbe96768c55fc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\工具条设置.BAT

Filesize
285B

MD5
1782b3575feec9e9ef09b22cfe53ba48

SHA1
81b7de2cb701c42a3c4b49779e48cebdcef90202

SHA256
17bd2e2c5fe7d7d960885fff27af03bea6edd9a368bbb08a8170dc822d843af2

SHA512
53ef8036dfc10a68548a2258ac925b59e56321ffa87f35ae728eea66471fce6ceecf6231f566863fb1e692c1fc7d4320406e8dafd8bc27bcffbe96768c55fc59

Download Submit