Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06-11-2024 02:46
Static task
static1
Behavioral task
behavioral1
Sample
5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Catchpoleship.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Catchpoleship.ps1
Resource
win10v2004-20241007-en
General
-
Target
Catchpoleship.ps1
-
Size
56KB
-
MD5
bea0253bd1d370c8bcc515e8ff7bb6e9
-
SHA1
9b1443ba1094479087b73d1999cbadfb8e2eacbd
-
SHA256
844e8c95af74d9b8b7ee184a61f16ce1221679b84556cb78b9acab1d0fb9936b
-
SHA512
1930e412af035f6a4ba452b3af21ba77c316fb757d32250fe343e648b3bee421c495f2607f3549cd20e1a079f9934a0ab5f7a7af0b648742ecd00b1f9e0c18be
-
SSDEEP
1536:M34qzsYB1X+FcuzJjBn0cfNI2egeqrDxe0U:M34UBP2zJjBn0k2eneJ
Malware Config
Signatures
-
pid Process 2536 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2536 powershell.exe 2536 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2536 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2876 2536 powershell.exe 31 PID 2536 wrote to memory of 2876 2536 powershell.exe 31 PID 2536 wrote to memory of 2876 2536 powershell.exe 31
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Catchpoleship.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "2536" "908"2⤵PID:2876
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d02c4252bec1fc5f7dc3d1e20f417203
SHA1c26cfdb319b6918380b022a1fdbf977ed94e7356
SHA256a75cd9c1c4444c10406ee4d52a586e72b48c7b2c13b48266d751e67a0423cd45
SHA512f27dddd510712a5b5a5f635ee1bc93f8d0fff0c7c1a29cd561619fccbf5dc1fa366c1dae252fe17a836c822f8817d7a1ad90364c72cd0bafa9b043b6572607a8