a693fff41c4e738cfa6b7f0e9bcf51ae341b276b81189fa698f0c0ede4a8a54e

Analysis

max time kernel
88s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
08-06-2024 21:40

Target

Kiwi X/bin/workspace/Self Bot RMA/saved_admins/Here.txt
Size

23B
MD5

118e5315caf3e357c30c45affa9e8e3e
SHA1

114e3cf096058a901a98443adb14aa035edeb7ff
SHA256

b52f4b1df7c635df62bbce27293474403020fe68b0f66d9547e170f3e6efe482
SHA512

c8f74cdef19ab610bf2f1d39b6f8b06c28669f39c281ef230cfec6ef596f4902a5b6f19abc07ae6bc6ce2c02c29107c3840037d9f24fbc8661d27e0bf359529f

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 240	4424	cmd.exe	78
PID 4424 wrote to memory of 240	4424	cmd.exe	78

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Kiwi X\bin\workspace\Self Bot RMA\saved_admins\Here.txt"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Kiwi X\bin\workspace\Self Bot RMA\saved_admins\Here.txt
  2⤵
  PID:240

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact