Analysis

  • max time kernel
    119s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-11-2024 01:00

General

  • Target

    Bygsukkerets/Wanderlusts.ps1

  • Size

    52KB

  • MD5

    97c0731e8a832706f3f157e89ce3999b

  • SHA1

    8665ec5d2421bf666bd1bdc2b81876f582aa7a5d

  • SHA256

    e7d18aee03c79a8a55e2f0fc47ad0693c0bd5ba584b879c82624b4c80946b432

  • SHA512

    283ab18b29f488197daaeec4e7ddfc2b707e13c15c308c7f2b3b8bb492833e2a0bff70a5fe4ef5b2cce51830492785fc6c13a1eb69c60db39578dd5a39b78731

  • SSDEEP

    1536:ATz1EnqDuXf0VfLfTxv5P30atVCOKxoSbg5/StPv:ATZEnqDEf0VTfTxx30ecoQeS

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Bygsukkerets\Wanderlusts.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1076" "856"
      2⤵
        PID:2704
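
    The process tree above is the whole observable behaviour of this run: powershell.exe was started with -ExecutionPolicy bypass -File on a script under the user's Temp directory, and its only child is wermgr.exe "-outproc" "1076" "856". wermgr.exe with -outproc is the Windows Error Reporting out-of-process handler that is started when a process faults; its first argument is the PID of the faulting process, and here it equals the PowerShell PID, so the child is a crash report on the script host, not something the script launched on purpose. The OutofProcReport259438286.txt under Downloads is consistent with that WER artifact rather than with a payload written by the script. The Python below is an added example, not part of the sandbox output: it runs the two checks a detection engineer would write for this tree over process records constructed from the command lines shown on the page. The record field names (pid, ppid, image, cmdline) and the list of PowerShell parameter spellings are assumptions, not a real EDR schema.

```python
import re
import shlex

# Process records constructed from the Processes section of this report.
# The field names (pid, ppid, image, cmdline) are an assumed schema, not a
# real sandbox or EDR export format.
PROCESSES = [
    {
        "pid": 1076,
        "ppid": None,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy bypass -File "
                   r"C:\Users\Admin\AppData\Local\Temp\Bygsukkerets\Wanderlusts.ps1",
    },
    {
        "pid": 2704,
        "ppid": 1076,
        "image": r"C:\Windows\system32\wermgr.exe",
        "cmdline": r'"C:\Windows\system32\wermgr.exe" "-outproc" "1076" "856"',
    },
]

# Parameter spellings checked. powershell.exe also accepts any unambiguous
# prefix of a parameter name, so this is a practical subset (an assumption),
# not the full command-line grammar.
EXEC_POLICY_FLAGS = {"-executionpolicy", "-exec", "-ex", "-ep"}
WEAK_POLICIES = {"bypass", "unrestricted"}
FILE_FLAGS = {"-file", "-f"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def win_argv(cmdline):
    """Split a Windows command line into arguments and drop surrounding quotes.
    posix=False keeps backslashes literal instead of treating them as escapes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def powershell_findings(proc):
    """Reasons a powershell.exe launch matches the pattern seen in this report."""
    argv = win_argv(proc["cmdline"])
    if not argv or not argv[0].lower().endswith("powershell.exe"):
        return []
    low = [a.lower() for a in argv]
    findings = []
    for i, arg in enumerate(low[:-1]):  # every flag checked here takes a value
        nxt = low[i + 1]
        if arg in EXEC_POLICY_FLAGS and nxt in WEAK_POLICIES:
            findings.append(f"execution policy set to {nxt}")
        elif arg in FILE_FLAGS and TEMP_RE.search(argv[i + 1]):
            findings.append("script run from the user's Temp directory")
    return findings


def wer_reports(processes):
    """Link each `wermgr.exe -outproc <pid> ...` child to the process it reports on.
    WER starts wermgr.exe this way when a process faults, so the value after
    -outproc should be the PID of the parent that crashed; the following
    argument is an opaque value this example does not interpret."""
    by_pid = {p["pid"]: p for p in processes}
    out = []
    for p in processes:
        argv = win_argv(p["cmdline"])
        low = [a.lower() for a in argv]
        if not argv or not low[0].endswith("wermgr.exe") or "-outproc" not in low:
            continue
        idx = low.index("-outproc")
        faulting = None
        if idx + 1 < len(argv) and argv[idx + 1].isdigit():
            faulting = int(argv[idx + 1])
        target = by_pid.get(faulting)
        out.append({
            "wermgr_pid": p["pid"],
            "faulting_pid": faulting,
            "faulting_image": target["image"] if target else None,
            # True when the crash handler was spawned by the process it reports on
            "parent_is_faulting": p["ppid"] == faulting,
        })
    return out


def triage(processes):
    """Summarise the tree: flagged PowerShell launches plus WER crash handlers."""
    return {
        "powershell": {p["pid"]: powershell_findings(p)
                       for p in processes if powershell_findings(p)},
        "wer": wer_reports(processes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESSES), indent=2))
```

    The two findings on PID 1076 are what drives the "Command and Scripting Interpreter: PowerShell" signature; the WER entry explains the only child process and tells you not to spend time on wermgr.exe as a persistence or injection vector in this run.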

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259438286.txt

      Filesize

      1KB

      MD5

      39f2bbcd8e6ee7329c5c67e8755b9528

      SHA1

      5fd0b521f5f4a3db2f8c7bbaf9b64f40328ee737

      SHA256

      574bc33cb654be652659fb2855996977b59c3648ae4a12fcb209edcacef92b12

      SHA512

      c90878f468965991a456c899a4295d886ff219055eb6222b2b595cfc4abed68ac5a9e19c06da528947d0df145f468e32697b38d5d41556ae9110f55b257d2ba8

    • memory/1076-9-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-6-0x0000000002150000-0x0000000002158000-memory.dmp

      Filesize

      32KB

    • memory/1076-7-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-8-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-11-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-4-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp

      Filesize

      4KB

    • memory/1076-10-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-12-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-13-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

      Filesize

      2.9MB

    • memory/1076-16-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB

    • memory/1076-17-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

      Filesize

      9.6MB
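
    Twelve memory dumps were taken from PID 1076, but nine of them cover the same 9.6MB range at 0x000007FEF5DF0000 and the 4KB dump at 0x000007FEF60AE000 is a single page inside that range, so there are only four distinct regions. The Python below is an added example, not part of the sandbox output: it parses the dump names listed above, groups them by address range, recomputes each size from the range end-points to confirm the figures the page shows, and reports which dumps are nested in a larger one. The dump name format (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) is taken from the listing; that the displayed sizes are derived from those end-points is an assumption the code checks rather than relies on.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads section of this report (constructed list).
DUMPS = [
    "memory/1076-9-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-6-0x0000000002150000-0x0000000002158000-memory.dmp",
    "memory/1076-7-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-8-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-11-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-4-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp",
    "memory/1076-10-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-12-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-13-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp",
    "memory/1076-16-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
    "memory/1076-17-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as in the listing above
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split one dump name into pid, sequence number and [start, end) addresses."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "start": int(start, 16), "end": int(end, 16)}


def human_size(n):
    """Render a byte count the way the report does: whole KB below 1 MiB,
    one decimal MB at or above it."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def regions(names):
    """Group dumps by address range; one entry per distinct range, ascending by
    start address, with the sequence numbers of every dump taken of it."""
    grouped = defaultdict(list)
    for d in map(parse_dump, names):
        grouped[(d["start"], d["end"])].append(d["seq"])
    return [
        {"start": s, "end": e, "size": e - s,
         "size_h": human_size(e - s), "seqs": sorted(v)}
        for (s, e), v in sorted(grouped.items())
    ]


def enclosing(regs, start, end):
    """Return a different, larger region that fully contains [start, end), or None."""
    for r in regs:
        if (r["start"], r["end"]) == (start, end):
            continue
        if r["start"] <= start and end <= r["end"]:
            return r
    return None


if __name__ == "__main__":
    regs = regions(DUMPS)
    for r in regs:
        outer = enclosing(regs, r["start"], r["end"])
        nested = f" (inside 0x{outer['start']:016X})" if outer else ""
        print(f"0x{r['start']:016X}-0x{r['end']:016X} {r['size_h']:>6} "
              f"dumped {len(r['seqs'])}x seq={r['seqs']}{nested}")
```

    Running it collapses the list to four ranges: 32KB at 0x2150000, 2.9MB at 0x1B5D0000, 9.6MB at 0x7FEF5DF0000 (dumped nine times), and the 4KB page at 0x7FEF60AE000 that sits inside the 9.6MB range. The recomputed sizes match the figures on the page, so the listing is consistent; which module occupies the 9.6MB range is not something the dump names alone can tell you.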
