32e6d8538c6b1d47942918cef259a80e70f06feb0145d6e41d44ec5917435391

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/01/2025, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab733235a722c734fb8f19160825cef1.ps1
Size

681KB
MD5

ab733235a722c734fb8f19160825cef1
SHA1

162b73031c52d7356337479488d60c333f404fdd
SHA256

32e6d8538c6b1d47942918cef259a80e70f06feb0145d6e41d44ec5917435391
SHA512

64a26e92c00a7a61acf71fdf819874ef6ce976117ddcaa0bea5ea3d57e2c631ff5569fdea081c6a39c73aa3ae40b0c08a049d7233c2a7e94232543cb1c4e67f6
SSDEEP

12288:yfytehPmbJEW2WkiUHJcWzMkVjkMAkZZ7wyzDFBagP:5yWKV5jkUZUyzSgP

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2540	powershell.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2796	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2540	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2796	2540	powershell.exe	31
PID 2540 wrote to memory of 2796	2540	powershell.exe	31
PID 2540 wrote to memory of 2796	2540	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ab733235a722c734fb8f19160825cef1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-4-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp

Filesize
4KB

Download
memory/2540-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2540-6-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2540-7-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-8-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-9-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download
memory/2540-10-0x0000000002B00000-0x0000000002B1A000-memory.dmp

Filesize
104KB

Download
memory/2540-11-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download