Overview

overview

10

Static

static

3

3951abe6ee...9d.exe

windows7-x64

8

3951abe6ee...9d.exe

windows10-2004-x64

10

Tekstkonstanten.ps1

windows7-x64

3

Tekstkonstanten.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2024, 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tekstkonstanten.ps1

  • Size

    52KB

  • MD5

    b7100b439da004e306b332532e9697f0

  • SHA1

    923b22694140ea4707ca2b40d08d967a6ef0bd0b

  • SHA256

    4ab525ad237617513c28f375eb23f6dba4147d348ecc00938ce63f4fb8125b94

  • SHA512

    9c4752ea813ee232da955763462c9c6ed2df11480879ee791f2522fe26e7379142ac58088541ec7dfd0573bb33485a38e5eee699270b804d115ebdfbcd6b060c

  • SSDEEP

    1536:u9Kg2/eZoqNY0AEmfYF10jP7bBfGy1Vg3IEY:3gQec0sgFKz7bgy+IEY

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Tekstkonstanten.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2828" "860"
      2⤵
        PID:2812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259453916.txt
      Filesize

      1KB

      MD5

      0a8056ac7b15d1498f7079867d78d737

      SHA1

      114e44f4b10d0334626e31e3c700b4470efa79a0

      SHA256

      afa193e9fa9e90f82ff8c91c6bb01e23d5642a4ad21e2a04a22c465a9ec406e1

      SHA512

      45770f7078fcd7401528c72d121e6ea59ad842b96109c93fcc0ed48ee76569708c1241094cf8cf1cdc791ed4d8ca3e87354d6c61cfd9968dd61f31fb39a57059

      Download Submit

    • memory/2828-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-6-0x0000000002870000-0x0000000002878000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2828-7-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-13-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2828-17-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2828-16-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

      Filesize

      9.6MB

      Download