32e1eebf2af8d36857b3a9ea3a2653e8e7ad6b6eab8ca4665b252b5fb609d993

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 10:14

Target

32e1eebf2af8d36857b3a9ea3a2653e8e7ad6b6eab8ca4665b252b5fb609d993.lnk
Size

1KB
MD5

8fd497870926cbca338475287214572e
SHA1

2626e891b55d0132eda86841ab648e47dd0d6bae
SHA256

32e1eebf2af8d36857b3a9ea3a2653e8e7ad6b6eab8ca4665b252b5fb609d993
SHA512

43ea429f8e5bf8a623d28034cc1e287534fc347322339e0a633121d88a4188a8f07a53f9f587d72d78bc61a6a297a7de8db6769c2c6b0a6f41d546a0f44fd4cb

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2592	2916	cmd.exe	29
PID 2916 wrote to memory of 2592	2916	cmd.exe	29
PID 2916 wrote to memory of 2592	2916	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\32e1eebf2af8d36857b3a9ea3a2653e8e7ad6b6eab8ca4665b252b5fb609d993.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /k start agenda.exe
  2⤵
  PID:2592

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact