bf5d5227318352f2b376464b64e55a6e7d3d4b1dc962fd5533233d457a8fdf66

Analysis

max time kernel
150s
max time network
162s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 14:14

Target

1b1c231de0b26c9c29fe7daf143383a2.exe
Size

19KB
MD5

1b1c231de0b26c9c29fe7daf143383a2
SHA1

577e269000b9b3add3d55e13134071978c037c4e
SHA256

bf5d5227318352f2b376464b64e55a6e7d3d4b1dc962fd5533233d457a8fdf66
SHA512

2f0f846ccbb34a032832d05afd7f74acfb9b3905e8787232daf894f5be0119de7ddca49adaccc3dc8d0831b45373400d77fd2b23cd541e98197537748bb857a0
SSDEEP

192:TfHj3tcikMEiZ3fCBq+AAyRyo0+tmDXCGiyfHjwF4Y/JUCDe:lEiZvCBqBAyb0+tmrPs6Y/Jzq

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2548	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	31
PID 2808 wrote to memory of 2548	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	31
PID 2808 wrote to memory of 2548	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	31
PID 2808 wrote to memory of 2548	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	31
PID 2808 wrote to memory of 1156	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	33
PID 2808 wrote to memory of 1156	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	33
PID 2808 wrote to memory of 1156	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	33
PID 2808 wrote to memory of 1156	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	33
PID 2808 wrote to memory of 1632	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	35
PID 2808 wrote to memory of 1632	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	35
PID 2808 wrote to memory of 1632	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	35
PID 2808 wrote to memory of 1632	2808	1b1c231de0b26c9c29fe7daf143383a2.exe	35

C:\Users\Admin\AppData\Local\Temp\1b1c231de0b26c9c29fe7daf143383a2.exe
"C:\Users\Admin\AppData\Local\Temp\1b1c231de0b26c9c29fe7daf143383a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:svchost.exe
  2⤵
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:lsass.exe
  2⤵
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:msnmsgr.exe
  2⤵
  PID:1632

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1156-67-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1632-105-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2548-29-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2808-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download