Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-11-2024 02:42
Static task: static1
Behavioral task: behavioral1
- Sample: 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Catchpoleship.ps1
- Resource: win7-20240903-en
Behavioral task: behavioral4
- Sample: Catchpoleship.ps1
- Resource: win10v2004-20241007-en
General
- Target: Catchpoleship.ps1
- Size: 56KB
- MD5: bea0253bd1d370c8bcc515e8ff7bb6e9
- SHA1: 9b1443ba1094479087b73d1999cbadfb8e2eacbd
- SHA256: 844e8c95af74d9b8b7ee184a61f16ce1221679b84556cb78b9acab1d0fb9936b
- SHA512: 1930e412af035f6a4ba452b3af21ba77c316fb757d32250fe343e648b3bee421c495f2607f3549cd20e1a079f9934a0ab5f7a7af0b648742ecd00b1f9e0c18be
- SSDEEP: 1536:M34qzsYB1X+FcuzJjBn0cfNI2egeqrDxe0U:M34UBP2zJjBn0k2eneJ
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 2092 powershell.exe
- 2092 powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2092, powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
- PID 2092 wrote to memory of 2552, 2092, powershell.exe, wermgr.exe
- PID 2092 wrote to memory of 2552, 2092, powershell.exe, wermgr.exe
- PID 2092 wrote to memory of 2552, 2092, powershell.exe, wermgr.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Catchpoleship.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2092
  C:\Windows\system32\wermgr.exe (child of PID 2092)
  Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2092" "856"
  PID: 2552
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: bf2919c40e545c2c08eb7e570f8101ce
- SHA1: 9d264e24af7d471a49ee603e34868846c5fe9cda
- SHA256: 1c51532bfc4fcf9538a9ea86907382d58a38d04e26b84d80eb1d701fa953cb77
- SHA512: 0bb048bf92a1c88ed4bca479e8575add6fa2e500258f31ee7271e063dc50ebc2928a49eb20e05b8b1aef28d625e96ac58748b3e8ab9af4ec73e6a618c2389e47