6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064.ps1
Size

1KB
MD5

5a206fa97e0bb7f18d83016cfd58aa82
SHA1

ca74c816f8867a44a04cbfee6d929b901ca07dd6
SHA256

6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064
SHA512

01d027a8d1dad2da3fa833b0fe7ba223c3ab8d5cfb1e0d882b644f1879e62af8c27d9ff4ab6e5328eb9198cedd7e3bfef606b97aeee4334f35420e5a675a649d

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
996	powershell.exe
2840	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
996	powershell.exe
2840	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2840	996	powershell.exe	32
PID 996 wrote to memory of 2840	996	powershell.exe	32
PID 996 wrote to memory of 2840	996	powershell.exe	32
PID 996 wrote to memory of 2560	996	powershell.exe	35
PID 996 wrote to memory of 2560	996	powershell.exe	35
PID 996 wrote to memory of 2560	996	powershell.exe	35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "996" "1324"
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259449925.txt

Filesize
1KB

MD5
2b71608faa5fe62a331fb9fb4fa4b965

SHA1
038b13a7941475d21d273b18d41ad8f57673da33

SHA256
4c3e380f198afbc1ca16946d4dfe73906e6ff25f89d72608a06d49dd73aab4e3

SHA512
db65055b3c75bd8a136b7b6599fcdf06de32c1c1cac793b1a8f8285fd3bb205c8602b19bdeb3e652ca4f20db2b4a413424ba005c3e8c421eeef1f44b9132bc18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
62276295bfe35363b16af4064ff55175

SHA1
4fd94e23387c13809a02894cfbcc6d9919017e2b

SHA256
38b58e66d1f99a22c9c6a57e1ac682662d1a13880a5f36d770ca5de9c529ff79

SHA512
1817d951f316c63e44fd258551ec91d3deec2098a414eb04e9f09a74e8aaa4a7e1625e7e56072fae6cc79cccdcc0b5f39ed4c368fbdc3ff9c70665a70a8b2c64

Download Submit
memory/996-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/996-23-0x000000001BDD0000-0x000000001BE2A000-memory.dmp

Filesize
360KB

Download
memory/996-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/996-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/996-10-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/996-11-0x0000000002B90000-0x0000000002BC2000-memory.dmp

Filesize
200KB

Download
memory/996-12-0x0000000002B90000-0x0000000002BC2000-memory.dmp

Filesize
200KB

Download
memory/996-13-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/996-6-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/996-28-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/996-20-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/996-21-0x0000000002CA0000-0x0000000002CBC000-memory.dmp

Filesize
112KB

Download
memory/996-22-0x0000000002CC0000-0x0000000002CCE000-memory.dmp

Filesize
56KB

Download
memory/996-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/996-24-0x000000001CB20000-0x000000001CBF6000-memory.dmp

Filesize
856KB

Download
memory/996-25-0x000000001CC90000-0x000000001CD16000-memory.dmp

Filesize
536KB

Download
memory/996-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-19-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2840-29-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download