c620d50b8520abf843fb44373f53b57605221f030304c6b3eab42a432deafccc

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 16:36

Target

gosh/go.sh
Size

94B
MD5

e8feac3a02de79f8564df80b02d83a51
SHA1

a831e7dace3c73ca3b539eb546d86c207f348664
SHA256

24ed8459a6aee307b47b64355c11eda8273b58403a47e800107126b520b3a69e
SHA512

16d7ea08bd009322a58a4f1eb8d3dd426b09f6587c579bb06383323b786316c955b31eb1de46fc4c6d33712b7468fd419f6523741d747041eda2526d6c9bd199

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2776	1656	cmd.exe	16
PID 1656 wrote to memory of 2776	1656	cmd.exe	16
PID 1656 wrote to memory of 2776	1656	cmd.exe	16

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\gosh\go.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\gosh\go.sh
  2⤵
  PID:2776
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\gosh\go.sh"
    3⤵
    PID:2668

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact