b564b2c1e682db9c8683a83d3330e7f03e8ad9c2b76379d6f7dada987ebcd714

Analysis

max time kernel
121s
max time network
161s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 22:27

Target

b564b2c1e682db9c8683a83d3330e7f03e8ad9c2b76379d6f7dada987ebcd714_JC.lnk
Size

2KB
MD5

320adae62315731cb146c3e7fce6b9be
SHA1

c105b7f1b1e8c19fe0adac5d366edce8becd1267
SHA256

b564b2c1e682db9c8683a83d3330e7f03e8ad9c2b76379d6f7dada987ebcd714
SHA512

a36d54f43398fe7fca759e79b9918de936b2355a8d4071ef2e60a436096213e365d2e9789034aceb7255d5e29d437b39c7f76580e2194aaa56cd89ac5f17ba85

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1652	2624	cmd.exe	31
PID 2624 wrote to memory of 1652	2624	cmd.exe	31
PID 2624 wrote to memory of 1652	2624	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\b564b2c1e682db9c8683a83d3330e7f03e8ad9c2b76379d6f7dada987ebcd714_JC.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c other\\4a\\cleaner.bat
  2⤵
  PID:1652

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact