6ef19e48e59231eda0dc2697bbd84db7d4b47b5f5a57e189e58dfc4a056b6a5b

Analysis

max time kernel
361s
max time network
369s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 16:25

Target

archive-010524-04_05_20.rar
Size

2.9MB
MD5

2ed11e162649cf60cb6a71b7f77af051
SHA1

afe10e0447d3a3d4f6781c81c8a3404da809f5ae
SHA256

6ef19e48e59231eda0dc2697bbd84db7d4b47b5f5a57e189e58dfc4a056b6a5b
SHA512

f9b3b625d83e1c1c0fbd2b843f6a8347c13df5b7af8a91883df8a0a2ba6da1638e3dc67b7a49b487601f25a6b7dae191a2cbdb8d2d0ecf6355d87b3da4e5e372
SSDEEP

49152:HjZOVQSEpa66v4UEQHyxg8jLY/LuSO8Tnb62pji3mDv2+R4EMwXjVB+j:HjZOsATJyxg8juKD8TnXse4EMwXjT+j

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2616	7zFM.exe
Token: 35	2616	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2616	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2616	2892	cmd.exe	29
PID 2892 wrote to memory of 2616	2892	cmd.exe	29
PID 2892 wrote to memory of 2616	2892	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\archive-010524-04_05_20.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\archive-010524-04_05_20.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2616

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact