Overview

overview

10

Static

static

1

b.ps1

windows7-x64

3

b.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b.ps1

  • Size

    165KB

  • MD5

    482ece68e9b421f4ee1fd93123ec3d54

  • SHA1

    bfff81451cec255b6f31b0b5b0f1c38d0c1ef807

  • SHA256

    a245dc0d34568bb31a62d55ff3d1c5431ac28bb1c831f2ad19507220d253776c

  • SHA512

    8d9c5e6152c0ad6c4f247925c4594a2ea5bd0876a43f5c4a0fefbab615ead636c3d434a3f4c757a3eda2f54a7a7782614e98043553a578669a213c03b7fdfefe

  • SSDEEP

    3072:ZcUKZ20H5qt7ABLmYOlba6c5GdOa7MQrq3v0ayW3sfc4xDAmMz/zlZVdtj0QPvBH:ZcB20H5qt7ABLmYOlba6c5GdOa7MQrqJ

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1172" "872"
      2⤵
        PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490119.txt
      Filesize

      1KB

      MD5

      b7cf714a2eab648fc8e4b9bcb8174807

      SHA1

      d83940b0e306ae1a14cfbb9a91a21dd092ae5c46

      SHA256

      1c3e31f9f964b667e6f35ffc2ad6aaedfd4398d5e82a822608002137cebad7c3

      SHA512

      fcb3f5216c9187913282aaeda035bf0f50c0259daf6fd19e346a7a841b071813677fd375bd5ba7e8b5b8802b2a420947a7f706698ac907ff85f53287ed247dcb

      Download Submit

    • memory/1172-4-0x000007FEF512E000-0x000007FEF512F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1172-7-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1172-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1172-5-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1172-8-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1172-9-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1172-10-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1172-11-0x0000000002970000-0x0000000002988000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1172-12-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1172-13-0x00000000029A0000-0x00000000029A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1172-16-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

      Filesize

      9.6MB

      Download