Analysis
  max time kernel: 122s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 23-10-2024 01:35
Static task: static1
Behavioral task: behavioral1
  Sample: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Kontokurantens.ps1
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: Kontokurantens.ps1
  Resource: win10v2004-20241007-en
General
  Target: Kontokurantens.ps1
  Size: 50KB
  MD5: 8a4da8bab6993bc24f8ba89b1a5035ba
  SHA1: 0266616ebaff76b9027bdf4a52742bbb6d7dbf90
  SHA256: d19add8d848501931650d9c2f77d4519b15ffe2399a161dac88ea99c07f1b62d
  SHA512: 1f604a65b0fb4543feab6eb9584aab3c47c5ebcabf251492c7be827e3c5d547f310ff05354bf30837fe8192be427c1855ec22783a0be14db15b40b1f05a13c50
  SSDEEP: 1536:em3/0wJ5Bo29iuM2fkfAFr6+nw0JefyiwDs:/3/0EbiuRcot6Ocfyiwo
Malware Config
Signatures
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes:
      pid   process
      2440  powershell.exe
      2440  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes:
      description               pid   process
      Token: SeDebugPrivilege   2440  powershell.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                        pid   process         target process
      PID 2440 wrote to memory of 1624   2440  powershell.exe  wermgr.exe
      PID 2440 wrote to memory of 1624   2440  powershell.exe  wermgr.exe
      PID 2440 wrote to memory of 1624   2440  powershell.exe  wermgr.exe
Processes
  [depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Kontokurantens.ps1
    PID: 2440
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\system32\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2440" "864"
      PID: 1624
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5: 61c4c4e1cd43d4e86a39daf6feb0b559
  SHA1: 36ed6602dce7608c517ff73abe13b93311bf2d4d
  SHA256: d73cc4dc091a6e01dcce8092b9adab8b3b988b9d4888dad487feb5c87a4610fa
  SHA512: d4918c3f1b5189b68ee87032afb5451fb3292395267a30a22a09db9ca3527215232dd4b6a979f8d087be4a4bdbc29969e4b69bcee14026902710c714dbe037a7