5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Catchpoleship.ps1
Size

56KB
MD5

bea0253bd1d370c8bcc515e8ff7bb6e9
SHA1

9b1443ba1094479087b73d1999cbadfb8e2eacbd
SHA256

844e8c95af74d9b8b7ee184a61f16ce1221679b84556cb78b9acab1d0fb9936b
SHA512

1930e412af035f6a4ba452b3af21ba77c316fb757d32250fe343e648b3bee421c495f2607f3549cd20e1a079f9934a0ab5f7a7af0b648742ecd00b1f9e0c18be
SSDEEP

1536:M34qzsYB1X+FcuzJjBn0cfNI2egeqrDxe0U:M34UBP2zJjBn0k2eneJ

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	powershell.exe
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2660	2232	powershell.exe	32
PID 2232 wrote to memory of 2660	2232	powershell.exe	32
PID 2232 wrote to memory of 2660	2232	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Catchpoleship.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2232" "860"
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259445143.txt

Filesize
1KB

MD5
5138d7bc314407a31da7c570f44a37d3

SHA1
93f18b55dc36d4d833a580d8bfffc0b1d7e4f9e5

SHA256
c5ddebb9247fd8fab942a5d1701088c350279f36c492f0401846bd9fb4c8328f

SHA512
bc5c79a83023ab5a6855bc459f43d42d0c11c35bf13a48c32688b9a01e50a439d1a90742481f4bf8f66385da06f961cd869493975481d2e634c12299bf1c3dc8

Download Submit
memory/2232-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2232-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2232-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2232-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-13-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-17-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-16-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download