Analysis

  • max time kernel: 121s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 18-10-2024 07:19

General

  • Target: Tillgspensionen.ps1
  • Size: 53KB
  • MD5: 1e72916a0e82da66cf7753db11b602a2
  • SHA1: 322d0c1a058a5c4ba50f534137c45462dd8b989d
  • SHA256: 8a7aca1e042680f82f1703da26587d5058e55cdc50a9da8bc7bd226d1a6748d4
  • SHA512: b32c7d41172e7df012277acb4f8662e1d5949db80d9a35a68433eaee8d740b46a0d3a068d6609140e86e846b0ac436e21e18ba7d85b17db3214cc7ef833af203
  • SSDEEP: 1536:PU0/q/xmGzkHZeRcFThmlZA4snsEKhBRLUM4it/xIC8ZYHg:L/WRkoEhmbA4snedgMRtx60g

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Tillgspensionen.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2372" "856"
      2⤵
        PID:2896

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259446078.txt
      Filesize: 1KB
      MD5: 3e9726771cf01c3fd14e2431b07dc8d1
      SHA1: 4abac76e8bf6329daa37f2d6a72cb5b787ad3812
      SHA256: 80dd2ae6df77bfc32d36466a8298d9a28f7eb6370514b3b2566151c78df1b512
      SHA512: 1bb5e11acdb231c29d3ca9b42436ae67dab93a5a476b02afebcb3bb0d6e729866c432b13fe2777c2db3a20c7e378947c02c568e80baf4d7eb49a1555e2c0545a

    • memory/2372-10-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-6-0x00000000022D0000-0x00000000022D8000-memory.dmp (Filesize: 32KB)
    • memory/2372-7-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-8-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-9-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-4-0x000007FEF5F8E000-0x000007FEF5F8F000-memory.dmp (Filesize: 4KB)
    • memory/2372-11-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-12-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-13-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-17-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-16-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp (Filesize: 9.6MB)
    • memory/2372-5-0x000000001B540000-0x000000001B822000-memory.dmp (Filesize: 2.9MB)