Overview

overview

10

Static

static

1

Psloramyra.ps1

windows7-x64

8

Psloramyra.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Psloramyra.ps1

  • Size

    2.1MB

  • MD5

    032ea6f45fdd2fa1bd9b6cb5f425dc54

  • SHA1

    aaac83baf4a939a4c3b9ff5a16dbcb472cab9592

  • SHA256

    5cc8c3c4d011cdbe7306dfb8ba52b14909ed06db2c1a465c31cc59e6f532cb22

  • SHA512

    222ca7941b7df2d2e4d7310a557cc6cdb43c33368d9632610b428b1a117a5c272504dae677216b678e4c65887f779f60078dd6096a1280aa834b1a3fcb97c379

  • SSDEEP

    6144:ccVzJb1d4aU/hQVBJ2A7Is2Csr1l5mH9OdHUb3ngo1:v

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Psloramyra.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2768
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AB916ECF-E48D-4245-920E-42993AD649C3} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\Users\Public\roox.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d995cd74788c136fd0a8772a906c7ffc

    SHA1

    178a7d5d4e1437dda8af5fa7960154d0f79b63c3

    SHA256

    557732282a3a10ebe3c57f567d1f6987ca2f3768f0dbfb597ec61757ad7b9356

    SHA512

    a29fd646750f13cec1b7b9e524c3a5135347ef04d3404d667a05222410ccd00a7c321da27d8371d3aed30a96644924fad7155a7eda23933f50cf13128e05297f

    Download Submit

  • C:\Users\Public\roox.bat
    Filesize

    195B

    MD5

    0344d401c7266a2bc6d19f5a2bc90040

    SHA1

    d3bf5a4b55b523429f3c7cb58ffa19504bececfc

    SHA256

    a3a38fb5090f5b9c951160d60d2fcd0e4488b3e72b1823fc17ef34a15fe9dab7

    SHA512

    59b448d02dadd2934abf88c40e25fec741724112e1320770b06df9b862643f2eba9cedee9d58244145fbece6d0d366380d6d2d6b56082a97649683ca10f9bc07

    Download Submit

  • C:\Users\Public\roox.ps1
    Filesize

    2.1MB

    MD5

    9ba3e0c0ba321f160209023c4fdcc3d4

    SHA1

    55f876754d36ab08a3e8f0a47d39c48b8a84fb61

    SHA256

    a2fde94bdfe9e8d15478484c3de0314a73618f41591cbffca473708c66899e39

    SHA512

    cd551a87d48421748a9e8c90eeecbd48a185be5b7439e2d35ac994da07bc94ee77f48678b7f617423bb9356dabc20f62ec77be24ddbd60e34d0927fde350e650

    Download Submit

  • C:\Users\Public\roox.vbs
    Filesize

    686B

    MD5

    a0a3c05080df4421295e559291304405

    SHA1

    286e02a003b7e26a381e41d2127ffb0ed371f5b4

    SHA256

    22889b8d447ea679e8b2fb27eca95d0f04056203c9214818758b0a21379ea323

    SHA512

    ee9971cda442f9dd305e0810babd0a5f94589a966b2a4f10421b341d6e7914fed3f2a12821dc56d338f7ec5ba9a38830727d0e17fd18257e45ebabd7612e99b4

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/1388-24-0x0000000002410000-0x0000000002418000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1388-23-0x000000001B1A0000-0x000000001B482000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2768-7-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2768-14-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2768-10-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2768-8-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2768-9-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2768-4-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2768-6-0x0000000002190000-0x0000000002198000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2768-5-0x000000001B440000-0x000000001B722000-memory.dmp

    Filesize

    2.9MB

    Download