256db0908300f15df913308453012fbd76f0010f8a4f98d040fc58702913cbcf

Analysis

max time kernel
0s
max time network
4s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 11:14

Target

xniggerskid.pyc
Size

261B
MD5

b663003b879a93d45561a0750e1a070a
SHA1

6a801c9c09cb8bb9784d8a0d9406bcaa7116fbf8
SHA256

256db0908300f15df913308453012fbd76f0010f8a4f98d040fc58702913cbcf
SHA512

6c35407d86f76cd462636b65b4407d8fcbbc5a05619427cf24c57d77411fd08bb291cd07afca9500383fdd96c80ac6f0710e88c22178853103c5e4fb59716a24

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2864	2124	cmd.exe	30
PID 2124 wrote to memory of 2864	2124	cmd.exe	30
PID 2124 wrote to memory of 2864	2124	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xniggerskid.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xniggerskid.pyc
  2⤵
  PID:2864

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact