10fbb4e3487e4260d9d7b1ccb1ee0cdaf9120f0259c7d64fed715c04c8030ddf

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 12:14

Target

修改远程端口.bat
Size

2KB
MD5

3458c4b1dc2e10cc3b6541b8ead6d7bf
SHA1

d7501be713f7e27dbf4e671400f13512f432b565
SHA256

10fbb4e3487e4260d9d7b1ccb1ee0cdaf9120f0259c7d64fed715c04c8030ddf
SHA512

c06336a000c48a8a80d603e5f6ffd9d8e3a0f36e84282c3dbeae2953ec0459d485f41d38dfa765577b39b2c62dd45a58df12f2b50f026d5ba38255ba1e634a45

Score

8^/10

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1944	1084	cmd.exe	29
PID 1084 wrote to memory of 1944	1084	cmd.exe	29
PID 1084 wrote to memory of 1944	1084	cmd.exe	29
PID 1944 wrote to memory of 1624	1944	cmd.exe	30
PID 1944 wrote to memory of 1624	1944	cmd.exe	30
PID 1944 wrote to memory of 1624	1944	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\修改远程端口.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
    3⤵
    PID:1624

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact