8077016cb0e6290e1132887f46763062fead26b3b8ad1ae845511d0e65670181

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2023 10:58

Target

HDFC_Copy.exe
Size

2.3MB
MD5

f69fee063def953ac8279c64841fee0b
SHA1

45d70ccdda374b1a88cb8f9bbef7e427a4fb8e77
SHA256

a9cd25eed4623fa4aff1724d5cfe10d8f289028d9e52251fe5ea0278773eb67b
SHA512

42144d3b3bd8245c85bebfd258f03b33a29ae53584d66d94f6c90c3967a38a49a81743df8c3284cff83fed736c0183f1d59a34cec6b3bf0bdb42fb053b2f2354
SSDEEP

49152:dkWk5cS7a+9XYaQiZehc4mTYJ78V9gyBn4cEfmP/SA8N:pajJBZ942KQV9hp4vfmP/SA8

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4500	4288	HDFC_Copy.exe	85
PID 4288 wrote to memory of 4500	4288	HDFC_Copy.exe	85
PID 4288 wrote to memory of 4500	4288	HDFC_Copy.exe	85

C:\Users\Admin\AppData\Local\Temp\HDFC_Copy.exe
"C:\Users\Admin\AppData\Local\Temp\HDFC_Copy.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:4500

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact