Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 02:34

General

  • Target

    Bilist/Blyants.ps1

  • Size

    51KB

  • MD5

    f33c58ea75c086600c12aabd70fe5ed3

  • SHA1

    4901a7a2708a0cdc628899801896cdd54e5d83e2

  • SHA256

    74ccc7d9f777f47ae3fc9bac599d05d6bb7af85228aea4834e36329297b5765b

  • SHA512

    52f45268ff703c6178a78662a38f765cdc4dcd57f962e574b42b6852522835fb22b534c0f1764b78807f0ec806ceef0b4c57964ffd9f566f0c16bffaa1830eb0

  • SSDEEP

    768:BFT6VjXLo/zpwczhgCOaUReDBW6aQwsihuZkZC6T3dpAAq8M:nGLobu6hXJUC95wsUS96TzAAqZ

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Bilist\Blyants.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1580" "912"
      2⤵
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259481975.txt

            Filesize

            1KB

            MD5

            c24bc669996230dad7249fefc6a559e8

            SHA1

            5850586be5a592aaa9ec22d1d031bcdc1b547cd9

            SHA256

            0182fb87ca3d9b1d948bb9ed06b89f779570d4e5fed08cd3e0a90f9a7e0030b0

            SHA512

            2bc87e280b7f8f3a222ef201ace4dec5be3cf712b5b4e0959ddabc3ec06090cf00a4c2dee2911b58f56dc3019e4fbc7f28e4bb20ae72e394a1294c65aa8a6485

          • memory/1580-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-14-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-6-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-7-0x0000000002530000-0x0000000002538000-memory.dmp

            Filesize

            32KB

          • memory/1580-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-13-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

            Filesize

            4KB

          • memory/1580-15-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

            Filesize

            4KB

          • memory/1580-16-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-17-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-5-0x000000001B390000-0x000000001B672000-memory.dmp

            Filesize

            2.9MB

          • memory/1580-20-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB

          • memory/1580-21-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

            Filesize

            9.6MB