Analysis

Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 23-10-2024 01:37

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
  Resource: win7-20241010-en
- Behavioral task: behavioral2
  Sample: 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
  Resource: win10v2004-20241007-en
- Behavioral task: behavioral3
  Sample: Udlaanslofterne/Incuss.ps1
  Resource: win7-20240903-en
- Behavioral task: behavioral4
  Sample: Udlaanslofterne/Incuss.ps1
  Resource: win10v2004-20241007-en
General

Target: Udlaanslofterne/Incuss.ps1
Size: 52KB
MD5: f9bb610fdaf3e9fb1b4faa9ffddfab51
SHA1: b0858761694b149c52d79d915d24d6d8fe161d14
SHA256: 9aaa17344e82a1134ff2b6c6e1eee773f703fd9f110b9b58fdfb87824f5def78
SHA512: 34f0f7ce7e4cbeb1ce0b699cfc97e5f6619dcd238fba0d9b30645d4fbc4ad5d97149355703568484b5110c621acd8eb1a0fb748359d4473cd7bf4b85235def54
SSDEEP: 768:y8ydwJkymbROj2OT/UOomJZlXFpMI7k9D1Og/7wVKlMhVaPCQc2jVT:y8ycmd0DUOoGXFZKcg8OmVuD5
Malware Config

Signatures

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  1732 powershell.exe
  1732 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 1732, powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1732 wrote to memory of 2480, 1732, powershell.exe, wermgr.exe
  PID 1732 wrote to memory of 2480, 1732, powershell.exe, wermgr.exe
  PID 1732 wrote to memory of 2480, 1732, powershell.exe, wermgr.exe
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Udlaanslofterne\Incuss.ps1
   PID: 1732
   Signatures:
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe (child of PID 1732)
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1732" "880"
      PID: 2480
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 8e1771160d5205ed81d8c53763931a87
  SHA1: cdc8d0c7d5d2e7c5acc7cab46ea61572de8478f2
  SHA256: 45394b3416efe83cda3b8c8b59bd75e58a4e645b032a186c9185f8c67251bbda
  SHA512: f03c072ec0993853732c4e3a963b6d811b972ac79eeb8c5c6ca2e865a187a1fb4447f38b59902873ff9e983f908a4ff2b9d534ff2bcec3c6e4093261c951f1e3