7f3a7ba2f2449abcf2b8f6f28ae234a66b8d306608c9c8a2b81ff39d724255e6

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 10:51

Target

a/a.pdf.lnk
Size

1KB
MD5

4bf104198f8fabd8d7a5925eaf791685
SHA1

1a9a646ed41bd5b2180b1a53e3b11219fdda1c0c
SHA256

8d9df9d8ac2fae61469225e72bc088160c0cfb5e462fab7bf8ed89f199ce9259
SHA512

8dd5d02964c30436fca667d0c71d22187f79c0b6ce66aebaeb8744160f478ba832ac50ca379bb60ce6143110dca25787fc4e3a498b4a6cac771d228df96035e2

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2560	1976	cmd.exe	31
PID 1976 wrote to memory of 2560	1976	cmd.exe	31
PID 1976 wrote to memory of 2560	1976	cmd.exe	31
PID 2696 wrote to memory of 1716	2696	explorer.exe	33
PID 2696 wrote to memory of 1716	2696	explorer.exe	33
PID 2696 wrote to memory of 1716	2696	explorer.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a\a.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" ".\__MACOS__\__MACOS__\__MACOS__\__MACOS__\__MACOS__\setup.exe"
  2⤵
  PID:2560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\a\__MACOS__\__MACOS__\__MACOS__\__MACOS__\__MACOS__\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\__MACOS__\__MACOS__\__MACOS__\__MACOS__\__MACOS__\setup.exe"
  2⤵
  PID:1716

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact