Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2024 12:20
Static task: static1
Behavioral task behavioral1: sample 001_215_EA2047939_202410210815.exe, resource win7-20240708-en
Behavioral task behavioral2: sample 001_215_EA2047939_202410210815.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample Kontokurantens.ps1, resource win7-20240729-en
Behavioral task behavioral4: sample Kontokurantens.ps1, resource win10v2004-20241007-en
General
Target: Kontokurantens.ps1
Size: 50KB
MD5: 8a4da8bab6993bc24f8ba89b1a5035ba
SHA1: 0266616ebaff76b9027bdf4a52742bbb6d7dbf90
SHA256: d19add8d848501931650d9c2f77d4519b15ffe2399a161dac88ea99c07f1b62d
SHA512: 1f604a65b0fb4543feab6eb9584aab3c47c5ebcabf251492c7be827e3c5d547f310ff05354bf30837fe8192be427c1855ec22783a0be14db15b40b1f05a13c50
SSDEEP: 1536:em3/0wJ5Bo29iuM2fkfAFr6+nw0JefyiwDs:/3/0EbiuRcot6Ocfyiwo
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe (PID 1792), 2 events
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe (PID 1792) adjusted token privilege SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: powershell.exe (PID 1792) wrote to memory of wermgr.exe (PID 2108), 3 events
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Kontokurantens.ps1
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (PID 2108, parent PID 1792)
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1792" "864"

Note on the tree: "wermgr.exe -outproc <pid> <handle>" is the command line Windows Error Reporting uses for out-of-process reporting, launched by the reporting process itself, and the reporting PID here is the PowerShell host (1792). Together with the empty Network and Malware Config sections, this run is consistent with the PowerShell host reporting a fatal error to WER rather than the script running to completion, and the only memory writes recorded go into a child that powershell.exe itself created. The "-ExecutionPolicy bypass" launch and the SeDebugPrivilege adjustment are the findings worth carrying into detection; the memory writes alone are weak evidence of injection.
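The following triage script is an added example, not part of the report or of the sandbox's own tooling. It parses the report's "wrote to memory of" records and the process records exactly as they appear above (PIDs, images and command lines are taken from the report; the dict layout, the `SCRIPT_HOSTS` set and the finding labels are this example's own), flags the `-ExecutionPolicy bypass` launch, and labels each writer/target pair by its shape: a write into a `wermgr.exe -outproc <own pid>` child (WER reporting, what this run shows), a write into some other child the host spawned, or a write into a process the host did not create, which is the shape that would indicate injection. The last two cases go beyond this single report and are there so the same function can be reused on other runs.

```python
import re
from collections import Counter

# Process records built from the report's process tree (PIDs, image paths and
# command lines as shown there). The record layout is this example's own.
PROCESSES = {
    1792: {
        "ppid": None,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Kontokurantens.ps1",
    },
    2108: {
        "ppid": 1792,
        "image": r"C:\Windows\system32\wermgr.exe",
        "cmdline": r'"C:\Windows\system32\wermgr.exe" "-outproc" "1792" "864"',
    },
}

# The three WriteProcessMemory records from the report's Signatures section.
WRITE_LINES = [
    "PID 1792 wrote to memory of 2108 1792 powershell.exe wermgr.exe",
    "PID 1792 wrote to memory of 2108 1792 powershell.exe wermgr.exe",
    "PID 1792 wrote to memory of 2108 1792 powershell.exe wermgr.exe",
]

# Columns in the record: description, pid, process image, target image.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\d+\s+(\S+)\s+(\S+)$")
# Script hosts we care about as memory writers (assumed list, extend as needed).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_write(line):
    """Parse one record into (src_pid, dst_pid, src_image, dst_image), or None."""
    m = WRITE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def split_args(cmdline):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def execution_policy_bypassed(cmdline):
    """True when powershell.exe is launched with -ExecutionPolicy Bypass or Unrestricted.
    Accepts the -ep alias and the prefix forms powershell.exe accepts (-ex, -exec, ...)."""
    args = [a.lower().lstrip("-/") for a in split_args(cmdline)]
    for flag, value in zip(args, args[1:]):
        is_ep = flag == "ep" or (len(flag) >= 2 and "executionpolicy".startswith(flag))
        if is_ep and value in ("bypass", "unrestricted"):
            return True
    return False


def is_wer_outproc_for(proc, reporting_pid):
    """True when proc is wermgr.exe launched as WER's out-of-process reporter for reporting_pid
    ('wermgr.exe -outproc <pid> <handle>'), i.e. the reporting process itself spawned it."""
    args = split_args(proc["cmdline"])
    if not args or not args[0].lower().endswith("wermgr.exe"):
        return False
    lowered = [a.lower() for a in args]
    if "-outproc" not in lowered:
        return False
    i = lowered.index("-outproc")
    return i + 1 < len(args) and args[i + 1] == str(reporting_pid)


def classify_writes(processes, write_lines):
    """Group memory-write records by (writer, target) and label the pair by its shape."""
    parsed = [w for w in map(parse_write, write_lines) if w]
    counts = Counter((src, dst) for src, dst, _, _ in parsed)
    findings = []
    for (src, dst), n in sorted(counts.items()):
        s, d = processes.get(src), processes.get(dst)
        src_name = (s["image"] if s else "").rsplit("\\", 1)[-1].lower()
        if d is None:
            kind = "unknown_target"
        elif d["ppid"] == src and is_wer_outproc_for(d, src):
            kind = "wer_outproc_child"    # host reported an error to WER; low signal
        elif d["ppid"] == src:
            kind = "write_to_own_child"   # spawned child; check for hollowing separately
        else:
            kind = "cross_process_write"  # target not created by the writer: injection shape
        findings.append({"src": src, "dst": dst, "writes": n, "kind": kind,
                         "script_host": src_name in SCRIPT_HOSTS})
    return findings


if __name__ == "__main__":
    print("execution policy bypassed:", execution_policy_bypassed(PROCESSES[1792]["cmdline"]))
    for finding in classify_writes(PROCESSES, WRITE_LINES):
        print(finding)
```

On this report the script yields a single `wer_outproc_child` finding for 1792 -> 2108 with three writes, plus the bypass flag; a `cross_process_write` from a script host is the result that should page someone.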
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: ed61505b4a963049494df79a8bdf3634
SHA1: a352b5e52f951abfc01324a871210830952a9689
SHA256: 03d46428d111d1a83c9fb430935404a75b335442e62dbdcf6dc9131623d5d236
SHA512: b1ea1bdfa3ce44cefd860ddc8b665829a320815d72b8cbc32833cdc0b2a0d1edb738c920bd9d56ad95efa565b44d406db62d98c51e0acbc25d33add163a35dad