Overview

overview

10

Static

static

3

b476192616...fe.exe

windows7-x64

8

b476192616...fe.exe

windows10-2004-x64

10

Kodrivernes.ps1

windows7-x64

3

Kodrivernes.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 05:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Kodrivernes.ps1

  • Size

    51KB

  • MD5

    26f8a8d3825e9c40a9a38dc4e1df576a

  • SHA1

    b374e6bd5d638466255e3045dab078925015404c

  • SHA256

    6468cdcafb15dcdcd616d53de9e64f6e56de157e47e3f23402ea281e09b2bd41

  • SHA512

    e8d5c2fc7bdc6dfc4f4b63abae2631555a0aa8080b4b8d6c6284faa23a882bd2b25acc6aeb91ca89aa0c6b74d6f4e5025532f1760e33a90dd2b931366f1db561

  • SSDEEP

    768:Fj4fAwN6sULxaVtVo88J5XUuBMvmsrqo6AUSQ80MubHhmZ452Dfv1yw/VoABGNSv:t4owUsUNIPQBYzrqo6Hu0MMqZb9j/LBN

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Kodrivernes.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "620" "852"
      2⤵
        PID:2508

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259434568.txt
      Filesize

      1KB

      MD5

      fa37c2a3a45063aedda88538e95e67b1

      SHA1

      863b2b1aceb19b1f4020f059ef27ec1c3450eddb

      SHA256

      2eb620969466bd3318926fd1d0fea9fc928f85b9330cb33c9d878facac3096bf

      SHA512

      856c72114c901d6e7e10c202f4963206344263d8723ebe9aed3e643d7632f6a079bb61fef401d66dddace33b43c5528f08b0d33deb6adc8c9c7560bc8692406f

      Download Submit

    • memory/620-10-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-7-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-6-0x0000000001D10000-0x0000000001D18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/620-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/620-9-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-4-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/620-11-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-12-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-13-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-16-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-8-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/620-17-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

      Filesize

      9.6MB

      Download