Overview

overview

10

Static

static

3

2d3d809456...aa.exe

windows7-x64

8

2d3d809456...aa.exe

windows10-2004-x64

10

otherworldly.ps1

windows7-x64

3

otherworldly.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2024, 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    otherworldly.ps1

  • Size

    54KB

  • MD5

    df1cc5262f98c2cf7f51cc5ed85528d7

  • SHA1

    3d9b2293d194ce127b040b28099591b197b18978

  • SHA256

    c547c1878b7c38fddc357939a52c840910f36b31c6a720af9a125c91eaaed735

  • SHA512

    8612721272dc45dc7b3ddad450ac8f66c48a458d249ff0c1adc5582f10daa644a05511c4837931490677c7c6b9d495d905bc610e4abd62b97c083804747c6b82

  • SSDEEP

    768:OvKcT9rR6ufYsYkYSow0DzhWYeTAISjcrQ6GXtvyRmVM7OgiQcfXkZOE4WD9ivaJ:OvhT9l63xrXV5gAP/xbVM7uOOI99

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\otherworldly.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "328" "860"
      2⤵
        PID:2348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259442143.txt
      Filesize

      1KB

      MD5

      dbfa1200076ad5546e52b4a43b8a5173

      SHA1

      a4049ecd056dd8eaaa98d34b75c361c860eb04b8

      SHA256

      cfa98b63271822eeba633f6201af84b74f81aadcecbfe7933f7f26cafb599be4

      SHA512

      2f09ad1a7f8c9c499612ea522f76757c42fd3373cfdeeb60cc9d6817d0c7d799b515ca706b371b9daeec994174e0db8b2a27c072179a7c65a44bb1b6e74c824d

      Download Submit

    • memory/328-10-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-7-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-6-0x0000000001F10000-0x0000000001F18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/328-8-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-9-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-4-0x000007FEF61CE000-0x000007FEF61CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/328-11-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-13-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-12-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-5-0x000000001B790000-0x000000001BA72000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/328-16-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/328-17-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

      Download