d47cf218c7f1a32c556e0501c3d1f00c420fa75ace47ad2b4fd6242aec388580

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Analytiske.ps1
Size

52KB
MD5

64473712892d67203242c7904c6ffd81
SHA1

72d869d49607487d0ae85da693aacc42709339e2
SHA256

9c845196deca4a4738d5bee70cc2169f1dbec420b7d340b5d40642a41287a9a6
SHA512

0c8ad907a17bda49371ebca2c4d390347c99c48c13c10c245691113aa087b3ea65fb0811ea623dcd4257f3cc0eca1615ce40d5e2b1cda623356a84e9c18b0383
SSDEEP

1536:/5kp6eLO4rqfz/CetjrxBy9IiNS0DDMWOSq1+:yp61Dbaan8BDDMr31+

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2876	2764	powershell.exe	32
PID 2764 wrote to memory of 2876	2764	powershell.exe	32
PID 2764 wrote to memory of 2876	2764	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Analytiske.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2764" "856"
  2⤵
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259453405.txt

Filesize
1KB

MD5
6967c528f5b7608e07969fba885a431c

SHA1
ff477e183c9beb38bcdd2c5612070ee605f91c30

SHA256
e22d9f75078fc8e79bf79d75ba4d70c978df0e597a60d30c639b915c1f39e33a

SHA512
234d63d7c832c6f2ddb6ee80423baf0711aceb131b915798ef374f32229e6dbff7662e12db84764f97fad16d58509e8df7c55abbc635faf028950118d11836fb

Download Submit
memory/2764-10-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-4-0x000007FEF5FCE000-0x000007FEF5FCF000-memory.dmp

Filesize
4KB

Download
memory/2764-7-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-8-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-9-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2764-11-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-13-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-12-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2764-16-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2764-17-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download