2da16bd4a3990c4db524feecdb41d25884c37ab7891948b957c81109c442c2b0

Analysis

max time kernel
22s
max time network
18s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 09:18

Target

tm5.rar
Size

20KB
MD5

d3d5988326119ac9e2e142a45113d0ca
SHA1

f141a919d7d1cfb1baaea671fb6dcd3bf213cdf7
SHA256

2da16bd4a3990c4db524feecdb41d25884c37ab7891948b957c81109c442c2b0
SHA512

fdde502bc838aca152148411c573c8570f76dc6d20a2a941985ee4e61f322861cb37aabc2a774fde37b54c33552d9057d9921277dd1af858c500e349bdf42015
SSDEEP

384:g6d70ufcvOpJUv5pV/nYYKnwpTkFFedL9MRnckG6b7LjjGveEW2:ga70uUmDUvLCYKcYFYsJck1Go2

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2428	2416	cmd.exe	29
PID 2416 wrote to memory of 2428	2416	cmd.exe	29
PID 2416 wrote to memory of 2428	2416	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tm5.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tm5.rar
  2⤵
  - Modifies registry class
  PID:2428

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact