282b2bba57bb185fb81d4f401425efa9b6a6f99111640d99521b86b088f9aab9

Analysis

max time kernel
119s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-09-2023 20:33

Target

DF CONNECTED v2.7.6c (Windows)/execute_shell_simple.dll
Size

75KB
MD5

31fa2a28d6a3bf937e5b40d48351d889
SHA1

517c38765d92860b0fef5d52d8dc119848430677
SHA256

6d1a616f0109886278b6fdc5d8320eb164809e0d23b2326d29218c5edece2445
SHA512

adac0989af8ff6be4d964e7e8be209ecb65737f6e6575ff004c22a434f95b8b6156219314bf98a290b1227ff9861b80ae2c736d8dcbddd1bc0130299ecf9da5f
SSDEEP

1536:NKLawL7agDpi7rwzIHkwgEzuqoFuaC2ZRxsWdKcdb3skjEuJ:NnwL7agDp1zIHfbuqokX2JbckjEuJ

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29
PID 2964 wrote to memory of 2996	2964	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DF CONNECTED v2.7.6c (Windows)\execute_shell_simple.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DF CONNECTED v2.7.6c (Windows)\execute_shell_simple.dll",#1
  2⤵
  PID:2996

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact