Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10/01/2025, 14:08
Static task
static1
Behavioral task
behavioral1
Sample
be0fbc1afbc35ae095067c50dbd7cbc61451663c3d9821377bb15febcdfbcf50.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
be0fbc1afbc35ae095067c50dbd7cbc61451663c3d9821377bb15febcdfbcf50.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Resultatopgrelses186/Sidelbende.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Resultatopgrelses186/Sidelbende.ps1
Resource
win10v2004-20241007-en
General
-
Target
Resultatopgrelses186/Sidelbende.ps1
-
Size
55KB
-
MD5
57c63a0ab9d88e2b534816f9a1f1dc63
-
SHA1
a0baa5d70fa61fbbb4c41f76b67a71c5356dbc06
-
SHA256
501abd115bc94a28b8eda5115ada6c9898f2142ba2d4d751d8e34ed50c59a21c
-
SHA512
97e311a42c02e6aee32d0d07f5a5fe0781e0dcf5aa71ac6420094134c1d6e2831d76e57a15cd26b9e5032813cadd338101542ddeba74bd991a0f35e378a886be
-
SSDEEP
1536:oVjo8ExmifsJ7BLrqJQjBKeJXIusH7QDSXzNzFlSQe:EurfszLRjkoY9H7ySXwQe
Malware Config
Signatures
-
pid Process 1748 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1748 powershell.exe 1748 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1748 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1748 wrote to memory of 2304 1748 powershell.exe 29 PID 1748 wrote to memory of 2304 1748 powershell.exe 29 PID 1748 wrote to memory of 2304 1748 powershell.exe 29
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Resultatopgrelses186\Sidelbende.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "1748" "860"2⤵PID:2304
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b12a9ee34b8329795bced06d7754dac5
SHA1c79b6a66e9bf1ab7338851214e7347f6d7524a86
SHA2569079fecee3ea3a80512b121a353b39bd1cc46b92dc5753aeb163f20f0d499666
SHA51294ceca03d700d1af9a31232f5dee2d857786342eda1918b74c1e268238262fe7107db72219dc320f37bb67ebdd51071628aacee49e8d1c2b19c48cf11f8b1e52