Overview

overview

10

Static

static

1

f8b3078e40...aa.exe

windows7-x64

8

f8b3078e40...aa.exe

windows10-2004-x64

10

Saccate/Ch...no.ps1

windows7-x64

3

Saccate/Ch...no.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Saccate/Chiriguano.ps1

  • Size

    51KB

  • MD5

    6c30e6cb99e14b8e5446a9a5726167ed

  • SHA1

    01d799ef731cf409d29a51696fd3380b296f8730

  • SHA256

    3a0443fe99e0be036a5747d6c6a4a0202f5f55ffb8a338af90f829d8bbf5d5f6

  • SHA512

    39358a6fa774429954c0a599f55685608220eabeef19b6c9be1040169b65577d51c9306d537a248779a79b092e820fef7e9ee4f256297434c3677be7f75b8696

  • SSDEEP

    1536:kVpjFOKIF51+UTMIKwoQTOxBrlGtGfZWShL+m:sFO1FChNBg5EL+m

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Saccate\Chiriguano.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2388" "852"
      2⤵
        PID:2108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259438340.txt
      Filesize

      1KB

      MD5

      7d4e8dbb1ec14d3b527a9c4b532e7961

      SHA1

      f88a19433e9b9ad2414c00c386268ca65d621143

      SHA256

      212d3103c50bbc07f490d8075b53256d0471e0d4ee958e797d8f5c1b4164a1bc

      SHA512

      fdcca725c3ada454d9de886c63d2ca9737d0780f8a7f2d7cdc61469eaef2db4f018695550c01ca131369cf5a30d9ea7686bceb1e8ade7cfa1b12c9250e105d4b

      Download Submit

    • memory/2388-4-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-5-0x000000001B720000-0x000000001BA02000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2388-6-0x0000000002720000-0x0000000002728000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2388-7-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2388-8-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2388-9-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2388-11-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2388-10-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2388-14-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2388-15-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download