f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:04

Target

f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733.lnk
Size

255KB
MD5

5b232b7417cb3965a942201de88f5055
SHA1

f01472fd8ffbcd0c2b54075ee01bde6a2cc4f4e6
SHA256

f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733
SHA512

9c865aad6434ee3e7d907fc3905fca02b9206501659f1c3a52b769c1113e9187d86c5185cd8ed1e352164baf2bcf407d043792e54017fc37cdc30db5d8c9aef5
SSDEEP

6144:gPpc9kwvZC4EJwk+nO+EYl+1qR6UrPtowErqfZLILswjCe2hqTOidVH:B9kgZMJwk+OH7KD+MZ0LFCe2a9H

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2448	2376	cmd.exe	31
PID 2376 wrote to memory of 2448	2376	cmd.exe	31
PID 2376 wrote to memory of 2448	2376	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\conhost.exe
  "C:\Windows\system32\conhost.exe" --headless cmd /k "cmd < ~tmp.pdf:Participation & exit"
  2⤵
  PID:2448

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact