f2ff60957f197cf7781d73f0111bf3c7938e324cc8066eabe9f7eb34ee9c0c4f

Analysis

max time kernel
90s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
13/06/2024, 00:03

Target

HWID Bypass/STEP 5 - Change the HWIDs of everything/_/Command Prompt.lnk
Size

1KB
MD5

6cba9707b339f1756673d2ed33b5a37a
SHA1

373e60b3c971605d783a4c6ae44c4ea50322c49a
SHA256

8bee776a81eedf942937bf03cdec43b1b37f9bc1f4e10a031fb2517fd181d8bc
SHA512

d670e3be8c72e923c89e3bd18457f8ee1155fca307eb2bcd3970381ff9e761a14eec3d926e5e2091811d4bc3b5bbcb008ee6115c99cf3309444d544966446360

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 3508	4632	cmd.exe	81
PID 4632 wrote to memory of 3508	4632	cmd.exe	81

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HWID Bypass\STEP 5 - Change the HWIDs of everything\_\Command Prompt.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:3508

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact