Analysis

- Max time kernel: 16s
- Max time network: 19s
- Platform: windows7_x64
- Resource: win7-20240729-en
- Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- Submitted: 24-10-2024 09:52
Tasks

- Static task: static1
- Behavioral task behavioral1
  Sample: 226999705-124613-sanlccjavap0004-67.exe
  Resource: win7-20240903-en
- Behavioral task behavioral2
  Sample: 226999705-124613-sanlccjavap0004-67.exe
  Resource: win10v2004-20241007-en
- Behavioral task behavioral3
  Sample: Alphabetism.ps1
  Resource: win7-20240729-en
- Behavioral task behavioral4
  Sample: Alphabetism.ps1
  Resource: win10v2004-20241007-en
General

- Target: Alphabetism.ps1
- Size: 52KB
- MD5: cd7e46b01dd5a4d151b79a64c053c906
- SHA1: de93ac5f7194e81de277bcafcd0deb8c00308e5a
- SHA256: 575008f2a446a1a6c7817a571622b79935b1a07316a7276b7b4308f773b7284b
- SHA512: 96d4892c094f415d3c635bb9e9493a6d1c7ada6ea97b9b6df6a23b548511181d24dd3fd27e49df497bdcc878fb0009d2710cebbd427558cf91f89a71aeb0afa9
- SSDEEP: 768:JDHUVejEYd2f1a5HumqMFowogGttz4h4fxdr+208dgxUr7U1yc9QCBVuQiiX:ZHUVAHd2fU5OmqMmwo3tzjdix6M7QcqY
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - powershell.exe (PID 848)
  - powershell.exe (PID 848)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - powershell.exe (PID 848): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (source -> target):
  - PID 848 powershell.exe wrote to memory of PID 2480 wermgr.exe
  - PID 848 powershell.exe wrote to memory of PID 2480 wermgr.exe
  - PID 848 powershell.exe wrote to memory of PID 2480 wermgr.exe
Processes

- [1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Alphabetism.ps1
  PID: 848
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\wermgr.exe
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "848" "856"
    PID: 2480
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: db387bd5d24d3382e0e0270c0dcc7fa8
  SHA1: 5111586d25b1810ebbe8911f69791b91c42bdacd
  SHA256: e14707fb674e1bdcee1b85cc37d68c06db1401e21852c8920eb3f1fdd8e2461b
  SHA512: f94680fcb438341870765c47eab221be289f1cf70e4b962930b1dbb57be412ef4d409caed5fc42742cbba39d61934bf6140b16eba1a2be13dd1a9e8611daf806