2d3d809456f1b8181541bafb523c4ec83b4c4a4183378da9d9bd7b8d23aa79aa

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/11/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

otherworldly.ps1
Size

54KB
MD5

df1cc5262f98c2cf7f51cc5ed85528d7
SHA1

3d9b2293d194ce127b040b28099591b197b18978
SHA256

c547c1878b7c38fddc357939a52c840910f36b31c6a720af9a125c91eaaed735
SHA512

8612721272dc45dc7b3ddad450ac8f66c48a458d249ff0c1adc5582f10daa644a05511c4837931490677c7c6b9d495d905bc610e4abd62b97c083804747c6b82
SSDEEP

768:OvKcT9rR6ufYsYkYSow0DzhWYeTAISjcrQ6GXtvyRmVM7OgiQcfXkZOE4WD9ivaJ:OvhT9l63xrXV5gAP/xbVM7uOOI99

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2888	powershell.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1048	2888	powershell.exe	32
PID 2888 wrote to memory of 1048	2888	powershell.exe	32
PID 2888 wrote to memory of 1048	2888	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\otherworldly.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2888" "860"
  2⤵
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259449686.txt

Filesize
1KB

MD5
502006d9d0ee641eb4c70559e7e28534

SHA1
d591bc0c1f020e219546525c964e1f9597cd01ef

SHA256
6450505eecd25a731ec57b0b918ef77211afa8fe321dfe29f296b1ce05f5f4d2

SHA512
1b8126715e0c1a42255a77659b10c657d0bd37de419009ab7ea05d1f1c7d5ef8ede49d40d0d557decffe941d08746fb0bb628cac4fb5e2248c2678de5605f331

Download Submit
memory/2888-11-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-6-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2888-7-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-8-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-9-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-4-0x000007FEF66FE000-0x000007FEF66FF000-memory.dmp

Filesize
4KB

Download
memory/2888-10-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-13-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-12-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-16-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-17-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download