e9a38e3e55cd254266ee569aa4f18ba33d572ec982ebee71d4cb60e0369ddbdb

Analysis

max time kernel
91s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-09-2024 19:21

Target

AdminHack-main/wordlist.txt
Size

393KB
MD5

f9053a1e81c89c2d4db79b3d16029bf2
SHA1

d60586ec1b6bdf4e3c297b0a305d00d50a230205
SHA256

ac398048b7d24382ea7595134c50ae2ec123fc81c76ef3649512f7f153f47ed4
SHA512

56c39ab8132c6c273b07436309f972846ae0f8e774e9d0b2d565a8dd5dadeaa9878aa0d3379cda111b475d9295b253545cdc012fc232b078d42188ab40b9db1b
SSDEEP

3072:w19+J1hfyRUVgLAU5ngEu2jlZQj3pvLjVM0kfDK+goMPPhNkFFKoVwWPs+MjmCkC:qWhaROgLJn3uY7Qj3pvtXN+t54qPa

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4184	4196	cmd.exe	81
PID 4196 wrote to memory of 4184	4196	cmd.exe	81

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AdminHack-main\wordlist.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AdminHack-main\wordlist.txt
  2⤵
  PID:4184

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact