Overview

overview

8

Static

static

1

9a4147fcc9...15.ps1

windows7-x64

8

9a4147fcc9...15.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2024, 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a4147fcc9d6561e1548496ef1759ad73d93e1743e93d3c57490333eb9681915.ps1

  • Size

    1KB

  • MD5

    8f1d78748da0355f1e790721d367bf94

  • SHA1

    a38e5e771a7723685b4c7dcdd1aef475cd293a7a

  • SHA256

    9a4147fcc9d6561e1548496ef1759ad73d93e1743e93d3c57490333eb9681915

  • SHA512

    e0be1cbbe3630c7ba1174a2cfe0e4616bfb34f4f5cf77eaeb7be517f2188b48cfbfa2c75ff0cb018a4db8f6caf617aa3963af600288330881e74a4840af101cc

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9a4147fcc9d6561e1548496ef1759ad73d93e1743e93d3c57490333eb9681915.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1248
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3004" "1368"
      2⤵
        PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259455532.txt
      Filesize

      1KB

      MD5

      ca916e9c4f91decc9024bb0ed14ef6c3

      SHA1

      f3a2a534e97f714b0fb3346b32925b90e8e4bdd4

      SHA256

      00022f8cf1515283f2f1c76d24954afa7b6b534735cc40e57ed7687cd7c2315f

      SHA512

      6961e64aa3efcf5d121c1643e062a2fd428d25077d2ff341ac83cecd0ff6185b47a8b66efaf5c9db7cf891fa5af8393cb72a3bee6bf662331480e9caa615aef0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      8b6d0217c61e5c6cef59b7d370b1f57a

      SHA1

      17e2f780ad6d7452e8901f9a3f505efb31c613ec

      SHA256

      8b302465f1ca8b54f48e2d5e5ceaa9598c431af8c77a7508b5171f4a369d5b7a

      SHA512

      3a5f9707e18e81ebbf0f7a6fd9d3f8ef8b6bbdb025dbe097cfd1e946ad1fec255921ab48ba9ed7ef16d80520c1b0d13b5e0e413b07d9ae3116f11b5392404bd2

      Download Submit

    • memory/1248-34-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1248-33-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1248-19-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-23-0x0000000002DE0000-0x0000000002E3A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3004-24-0x000000001CFC0000-0x000000001D096000-memory.dmp

      Filesize

      856KB

      Download

    • memory/3004-12-0x0000000002AB0000-0x0000000002AE2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3004-11-0x0000000002AB0000-0x0000000002AE2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3004-13-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-9-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-8-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-4-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-22-0x0000000002DD0000-0x0000000002DDE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3004-21-0x0000000002C90000-0x0000000002CAC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3004-20-0x0000000002C80000-0x0000000002C8C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3004-10-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-25-0x000000001BF20000-0x000000001BFA6000-memory.dmp

      Filesize

      536KB

      Download

    • memory/3004-26-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-27-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3004-30-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3004-31-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-32-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-7-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3004-5-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

      Download