Overview

overview

10

Static

static

1

a681f4e8af...f8.exe

windows7-x64

8

a681f4e8af...f8.exe

windows10-2004-x64

10

$_8_/Ricke...ox.ps1

windows7-x64

3

$_8_/Ricke...ox.ps1

windows10-2004-x64

8

$_8_/nsis.ps1

windows7-x64

3

$_8_/nsis.ps1

windows10-2004-x64

3

$_8_/powershell.ps1

windows7-x64

3

$_8_/powershell.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $_8_/Rickettsialpox.ps1

  • Size

    50KB

  • MD5

    7ddef591261053bd7fac766023859e2d

  • SHA1

    db5c60aa8f81599094f85eee67a47b12d4404c36

  • SHA256

    e84d88ddf388bd9de757eca740cd8ad6fdbb0e84b83de05074300a368cd397f6

  • SHA512

    0da27755fbe80c98b2bf5db1e7555b4cd7366f0804e0df8be343b2b4ab4256fb0e1e44bf4f5eaca9b4e4e5bc02121f6880437c30f4fbfda41ec04508773951f6

  • SSDEEP

    768:e9wSywMc0WWm6zNVoc0YTGv8lVw6C17NauD2J6tZDF7Uras+aH5Ox/ppQUJ6Z:MwBz9NV5ltVwNauD2JcDFSa+HMlpaJ

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$_8_\Rickettsialpox.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2780" "852"
      2⤵
        PID:2756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259459914.txt
      Filesize

      1KB

      MD5

      926457315e042763866a458e89053f49

      SHA1

      8bfe96723929a58aa38abd4b938342498a0e05bc

      SHA256

      a61f645d81bb0517d5b7ed9c73ec0fc3e06151b40c73ac1567f845b9dffaecc4

      SHA512

      118e51f0b939365f643ac940668dbaf9321839031b640cc6c548872f41abbbf263295a9cea803d947a4c80a12ed6906d5226826d69507b309ef9f709612d1b21

      Download Submit

    • memory/2780-4-0x000007FEF5EBE000-0x000007FEF5EBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2780-5-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2780-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2780-7-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-8-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-9-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-10-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-11-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-14-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2780-15-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

      Filesize

      9.6MB

      Download