125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1

Analysis

max time kernel
20s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/10/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paraffinerer.ps1
Size

53KB
MD5

6f2c225ff02a35f64c6157286f9e90b1
SHA1

fdfb286088fd3cb3c3fa39f39e2e7ba48b3c6624
SHA256

0f4caa809a6b9ad70a305958af34e60b82f3080bbb7067f316ca85702ffba443
SHA512

c5fb4eafb4c29b774648bcec26736ad0808815d10618c95b723de9296240e6f9cbc35e90cc4439266f013810f16dde0f44a840fa928d8be2a8562cc5ac8d2eb5
SSDEEP

1536:qBW8/PWnOQz17PFJoL9Wt34bzGFC3fm5Xa5Z9YwsklLt7:qj/PWnOa7NG9034fGQ3fmFTI7

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3044	2172	powershell.exe	30
PID 2172 wrote to memory of 3044	2172	powershell.exe	30
PID 2172 wrote to memory of 3044	2172	powershell.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Paraffinerer.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2172" "912"
  2⤵
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538970.txt

Filesize
1KB

MD5
a8f6a802fc872073d7e0a48a68ba7c96

SHA1
d3275e1e5b853f95c0dd4534e1b1d786b2c4c1ef

SHA256
33a08509d6ce82ecc8347a283e0cdc1c29802ee504292088f10f640c12ace0ec

SHA512
a1d177d19090fb89c6d966c1f60e20290e203731d9f0d2093c25b3ba223ca85b4bf13e69440889556b636c7d95a86ef71c13db00a2ac65034809b3ff7bc91e6c

Download Submit
memory/2172-12-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-14-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2172-7-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2172-8-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-9-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-11-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-4-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2172-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-15-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-13-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-16-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-17-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-18-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-5-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2172-20-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2172-22-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download