b20506eb3b8da2b97259b48af3b300870ae20995d3c1f05c203eff73c9bde8c2

Analysis

max time kernel
1s
max time network
4s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 15:09

Target

invite-yourself.py
Size

374B
MD5

b34c0d75548cba5853438f9dab6075fb
SHA1

241221aaa190c05242e073d11bef5efd3236a7df
SHA256

9340ba5621d0b45d84a9817222be9431e2ce9cb8ae6421753e0ae86c387bb357
SHA512

2fa00700fd11dcbf2a6dd6ecb7ee9255bad06a946869b1e06208705f8b73765b63783df01ce8f66b7a34f522ef7f242da2fe33259a7f14a92ece8bcdeafac0dd

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3064	2884	cmd.exe	29
PID 2884 wrote to memory of 3064	2884	cmd.exe	29
PID 2884 wrote to memory of 3064	2884	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\invite-yourself.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\invite-yourself.py
  2⤵
  - Modifies registry class
  PID:3064

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact