20e692e39fde6e577f412f3919fe1c8fb3200e9b3a37e05e8e16969dff2bb6a5

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 11:40

Target

0e22e6a1dc529008d62287cfddaed53c7f4cc698feec144f00c92594dc76d036.lnk
Size

2KB
MD5

9685dae9ed8d2bf13b66593c1d7cd2eb
SHA1

fbcc038644cd9a564902e8ff681063cb1a80538c
SHA256

0e22e6a1dc529008d62287cfddaed53c7f4cc698feec144f00c92594dc76d036
SHA512

0f660254648157f693fc3863ba7efa258e7b75ee912b6ddcbdeaeeaa4444d2d94f1049a23c75e95f5d2d7bdbd877bed0175800fdf142041aab6ebd2fbab69ec4

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2816	488	cmd.exe	29
PID 488 wrote to memory of 2816	488	cmd.exe	29
PID 488 wrote to memory of 2816	488	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0e22e6a1dc529008d62287cfddaed53c7f4cc698feec144f00c92594dc76d036.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" cmd /c start .\$Recycle.Bin\windoc.exe && ".\$Recycle.Bin\bmw3.png"
  2⤵
  PID:2816

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact