Overview

overview

10

Static

static

3

Order&pict...DF.exe

windows7-x64

8

Order&pict...DF.exe

windows10-2004-x64

10

Shoofa.ps1

windows7-x64

3

Shoofa.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    12-11-2024 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shoofa.ps1

  • Size

    52KB

  • MD5

    bec5624e576379638737b54edd121409

  • SHA1

    8bfc71d5fc5bec930fad4dc6e55dadddffc48fdc

  • SHA256

    599c9c4648fa3d92c019dc99419cd6e4129d5be92031269d042fca0f16c6ff80

  • SHA512

    0ba24ae0bb04460da8459df64b1a91e4bba1fad98028766215eb28e5512a108b8240b6e94f20fabfdeececad40af929c7090e24ac529056901a689f7a1b2bd5f

  • SSDEEP

    1536:pi3FuKXDbqUDEMSWwH141TJj1Z4VVUPXxLXIxnm9:OFjzbqUmWr1zZ4QZDIxnm9

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Shoofa.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2524" "852"
      2⤵
        PID:2732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259556682.txt
      Filesize

      1KB

      MD5

      0fcd56091ae4b6ca025dbc3f1aa27042

      SHA1

      3a009c84e6d4611ade48d95ce215c6873c399271

      SHA256

      ae44cf1eebec9d902f717dce4767ffed541fd8de08a92245c5b615844ed1e358

      SHA512

      d969567dcb0f1e404119a15f334c09d1ff6ed395346715e51326c69bbde4cfd8c22a663c931de9c20131d720ebb32204ac996dbd1030c9d8be3d4294ded6190b

      Download Submit

    • memory/2524-4-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2524-7-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-6-0x00000000020D0000-0x00000000020D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2524-8-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-5-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2524-9-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-10-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-11-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-12-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-15-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-16-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

      Filesize

      9.6MB

      Download