Overview

overview

10

Static

static

3

5a99c490bd...af.exe

windows7-x64

8

5a99c490bd...af.exe

windows10-2004-x64

10

Catchpoleship.ps1

windows7-x64

3

Catchpoleship.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    14s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2024 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Catchpoleship.ps1

  • Size

    56KB

  • MD5

    bea0253bd1d370c8bcc515e8ff7bb6e9

  • SHA1

    9b1443ba1094479087b73d1999cbadfb8e2eacbd

  • SHA256

    844e8c95af74d9b8b7ee184a61f16ce1221679b84556cb78b9acab1d0fb9936b

  • SHA512

    1930e412af035f6a4ba452b3af21ba77c316fb757d32250fe343e648b3bee421c495f2607f3549cd20e1a079f9934a0ab5f7a7af0b648742ecd00b1f9e0c18be

  • SSDEEP

    1536:M34qzsYB1X+FcuzJjBn0cfNI2egeqrDxe0U:M34UBP2zJjBn0k2eneJ

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Catchpoleship.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2536" "908"
      2⤵
        PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259502615.txt
      Filesize

      1KB

      MD5

      d02c4252bec1fc5f7dc3d1e20f417203

      SHA1

      c26cfdb319b6918380b022a1fdbf977ed94e7356

      SHA256

      a75cd9c1c4444c10406ee4d52a586e72b48c7b2c13b48266d751e67a0423cd45

      SHA512

      f27dddd510712a5b5a5f635ee1bc93f8d0fff0c7c1a29cd561619fccbf5dc1fa366c1dae252fe17a836c822f8817d7a1ad90364c72cd0bafa9b043b6572607a8

      Download Submit

    • memory/2536-10-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-12-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-7-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2536-8-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-9-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-4-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2536-11-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-5-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-13-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-14-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2536-15-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-6-0x000000001B270000-0x000000001B552000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2536-18-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2536-19-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

      Filesize

      9.6MB

      Download