4dd9c958a16b5b360a1fa1a253df9cee7d2c0ccd8650056f1e9ad000f32f21f4

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 14:45

Target

Resource/Font/CourierStd-BoldOblique.otf
Size

31KB
MD5

6804e7413898972e05823add91b1dfc5
SHA1

4dfc3cecd9d3c26afaca087a69376eb6abfedeaf
SHA256

698fd9169ad62bd6faedd1c8e8637abc9cc65b3b1a5ba8698242b1447303fbee
SHA512

f89a494aa7dae22022cb4bddf911c9fb8f40220c5d49bba79e5b7f97191fcc2740088437d3e56e6903e0b10aaf5535b4ce08dbe793a0e800d23038196ebf5fc6
SSDEEP

768:edluzc2NPniJMT9BvYsWShVcbZks6AnkXhUZxX:edluz3piJMpusWShVcbZkfAnk2Z1

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2876	1056	cmd.exe	29
PID 1056 wrote to memory of 2876	1056	cmd.exe	29
PID 1056 wrote to memory of 2876	1056	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\Font\CourierStd-BoldOblique.otf
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\Resource\Font\CourierStd-BoldOblique.otf
  2⤵
  PID:2876

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact