6432c9cb0eac5654c6c0cd987298e294b1413e22f7eb2a4a1a06c5ec7566e35e

Analysis

max time kernel
91s
max time network
33s
platform
windows7_x64
resource
win7-20230703-es
resource tags

arch:x64arch:x86image:win7-20230703-eslocale:es-esos:windows7-x64systemwindows
submitted
12-07-2023 01:20

Target

GI-Model-Importer-main/.github/FUNDING.yml
Size

781B
MD5

f1770bddd7f5a74bb2314cfcd3d934e2
SHA1

1594811dcfebdf9d14a8a7f4e0005f52fb459628
SHA256

76911a12d4417e6b1b414135ddc755abe546fee7127ff332bcc71979cd770a4b
SHA512

5576578590b69241a397ddffc152f0ef596961a1482c6b7387d47315affe4542d0b2b248fa11427f7491cfc2500ffa681a364545e470a6188b268c2b171509fa

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2240	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2240	2336	cmd.exe	30
PID 2336 wrote to memory of 2240	2336	cmd.exe	30
PID 2336 wrote to memory of 2240	2336	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GI-Model-Importer-main\.github\FUNDING.yml
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GI-Model-Importer-main\.github\FUNDING.yml
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2240

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact