Analysis
max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
02-11-2024 12:23
Static task
static1
Behavioral task
behavioral1
Sample
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Dokumentationsniveau/Stockings.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Dokumentationsniveau/Stockings.ps1
Resource
win10v2004-20241007-en
General
Target
Dokumentationsniveau/Stockings.ps1
Size
54KB
MD5
6bacab132c443a2683b2d0de8cc9b00a
SHA1
fb935821154d82a76d41876899bb2a608b13647b
SHA256
96583ae3cc6a5dfdebf1422de15fde533d7fda45f63aa36a10de9103db1860fe
SHA512
ecc8c0d080115eb41ccae723bf86a7e6a25ffa73d5f0e632dddd650d0fa4a6b7219a5bee09429f58f2418552b4102d8b28f8bd769c3434fdf14a4126497bb2b1
SSDEEP
768:cNVo4vvGuo0L8Ow1Yo//K2q8ywBKQnZ63/TYs8eDZHBA4+LeOghlXWhCUE0dHXQj:eo400L813a2q8BPKTYjedWNMWkWXJLg
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   Process
1800  powershell.exe
1800  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid   Process
Token: SeDebugPrivilege   1800  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                          pid   Process         procid_target
PID 1800 wrote to memory of 1536     1800  powershell.exe  31
PID 1800 wrote to memory of 1536     1800  powershell.exe  31
PID 1800 wrote to memory of 1536     1800  powershell.exe  31
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Dokumentationsniveau\Stockings.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
  C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "1800" "852"
    PID:1536
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
73706364989587b9a50e33c9ddf66ea2
SHA1
366ed9448d22797161c3bdce72c94bde76679ecf
SHA256
b2ad7e2f27af6df1138c3600386e70980b34fe428ea54c5244eafc08d3e136b2
SHA512
ec2f7859bbbdcbad7f223da6a531f857872152af7ffe0af233c60c7f39800d14e20fcc1a63a136536e0f3d6c31eed57cd2b782028c24fa09b7b819b53ade627e