b001e8ac5eaf49a73e8224562f307b55ba953d6f5d63c1bd1f0f27089c0ea194

Analysis

max time kernel
119s
max time network
143s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 19:48

Target

ADATA_128GB.lnk
Size

2KB
MD5

acd4984d4d8971f9d5143d350c6a806d
SHA1

92640bdc589f0d079b517500745817c8016112d3
SHA256

b001e8ac5eaf49a73e8224562f307b55ba953d6f5d63c1bd1f0f27089c0ea194
SHA512

dc15b912864155cc742b628ef5f4ef583fdf5fa89c0c11ddc705850efee6deb0697535af51a370f1b858c6ed6be07a782f3474d37186dd989910a30fd358f8c2

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2748	2960	cmd.exe	29
PID 2960 wrote to memory of 2748	2960	cmd.exe	29
PID 2960 wrote to memory of 2748	2960	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ADATA_128GB.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/R CMD<https://
  2⤵
  PID:2748

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact