7bc26c7ef9089a1b72821fe50dd72359674b683eabd5089cdfea3f46c01c2daa

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autografere.ps1
Size

53KB
MD5

41d376695f4d2ba3de8a8fd41976cffa
SHA1

51c8832e28ecfd83020dc5cb125ed4adddfd480d
SHA256

070a3ec2310cb2b3742f535ca0e3d25a4209280d7757b0349522b6a905d77c45
SHA512

b6d176e6132a5445b2791637f073f32d93be65a1cdb0914e3fcfa706c89fbfc6e0bce0d748da32ccac51884241ec0996e15ffbf7aab7a985427e41456760ca60
SSDEEP

768:iPbW+iLXLP62G7zF/pKyEt8qoSTYiIzybFwuhAYwG4csOMlKQpd2bJz:IbW+iLXLWlhKyC8cYvUwAAiCZdU

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3048	powershell.exe
3048	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2408	3048	powershell.exe	31
PID 3048 wrote to memory of 2408	3048	powershell.exe	31
PID 3048 wrote to memory of 2408	3048	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Autografere.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "3048" "852"
  2⤵
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259444278.txt

Filesize
1KB

MD5
aeb473b3d1ee430102a2c435ebeb27cc

SHA1
61e0c08d49bd4319f4a05dc3abdd051e50d08f91

SHA256
039f31f6d14e9cb2930151b7901cc402d4aab22ffffcd71ff60fdda4f2d9d026

SHA512
151dad944f6f5ff03adee6c34b91a9197e691620d4d71e5000c66724867bc1fab6614de4b90c17e7fae2123ab8cba1106898bd9e59a41380ab78111f6cc5b6e5

Download Submit
memory/3048-4-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/3048-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/3048-7-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-6-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/3048-8-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-10-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-9-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-11-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-15-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-16-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download