304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Krieker213.ps1
Size

56KB
MD5

71ec49d3afc6876b0238400570d4028d
SHA1

e661e5ca92fa77b576dd75c8d981936b2db5be88
SHA256

178d63022c2e5d42cd6f8dd983b8a4a19568e1370efad6c9c51f4b8807964885
SHA512

dae10533f8b54e5dcd1e929a2af3270f201e22566961d27ef4c52ad359b821a4b95bab5469047fe61271111876208833450010d8cf1ce9bd73edcd829d6f21e2
SSDEEP

768:fZNT7eOOP2RNuL0/83OfQ5lzQh93NC6BEa6ytpjpi927g3AVT2OC1dHBBu8sXvA3:xNT7eOOP2R81yXPBEmjpuWSTB1qmiM

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2444	1972	powershell.exe	29
PID 1972 wrote to memory of 2444	1972	powershell.exe	29
PID 1972 wrote to memory of 2444	1972	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Krieker213.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1972" "860"
  2⤵
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259432448.txt

Filesize
1KB

MD5
d92984e003892238be9f52b52bfa43d2

SHA1
3fb47e9179c5f3c68689b5561431b954902cf81e

SHA256
d9d15e8d5faac4969beb7e5fac94f759fe40aa024fb2055e80f4bc2102b884ef

SHA512
1338977de97b6c2f44ed27bf0ca8a2fabd01593e1bca035d84c9e0c19cbf56f76c9efd2c4a2c471d46d8ba00803bd00a701552e75357f26d1800103a4342239f

Download Submit
memory/1972-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/1972-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1972-6-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/1972-7-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-9-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-11-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-14-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-15-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download