a29216211bcb3b0aed63eefe2fdf5c84669b2a330058658090588c2289fd11ea

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samfundsordenen.ps1
Size

51KB
MD5

fcd1c535a71a401003b30a26b53be29e
SHA1

f315f16ab5b6eda4e0a15b97d0d187d7ef305dc2
SHA256

bde3f9fb679a58d593caaa7fde1945972ec6e6ad65de381ca317384ce1a816fb
SHA512

40495a01077babc4b0c4bdc1f11d14cfdb02a661a6cbc6df2fc674a9b08c933495410084fdcb4a665ce819be869117102e5e28906e872558dcb7a693e023caeb
SSDEEP

1536:3houkmC6YgA+f1OK4UNnCeGyuywZYC6KpruL9GEM:3houkcYgGkCeoPYbKRuIEM

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	powershell.exe
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2220	2324	powershell.exe	29
PID 2324 wrote to memory of 2220	2324	powershell.exe	29
PID 2324 wrote to memory of 2220	2324	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Samfundsordenen.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2324" "844"
  2⤵
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259436092.txt

Filesize
1KB

MD5
7ae82a197d8f459a5e87710ae7a7ac43

SHA1
d2800b8181b2a57d6bb925b210791c99b6deca2c

SHA256
0f13ea8b7c2dd3c0cf9e8b83b91dc8a32c8328c28b9c189f2dce7ece6383bfb4

SHA512
1cd839aa77a4e893c4166b8d3a5e04e2f501908bb904465f1f78f1a3fa6281e718e5096457f5f5f512ac397ee86c872c0829e623724fe57d6934a74626a62113

Download Submit
memory/2324-11-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-6-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2324-7-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-12-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/2324-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-9-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-13-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-17-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-16-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download