Overview

overview

10

Static

static

1

b.ps1

windows7-x64

3

b.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b.ps1

  • Size

    165KB

  • MD5

    482ece68e9b421f4ee1fd93123ec3d54

  • SHA1

    bfff81451cec255b6f31b0b5b0f1c38d0c1ef807

  • SHA256

    a245dc0d34568bb31a62d55ff3d1c5431ac28bb1c831f2ad19507220d253776c

  • SHA512

    8d9c5e6152c0ad6c4f247925c4594a2ea5bd0876a43f5c4a0fefbab615ead636c3d434a3f4c757a3eda2f54a7a7782614e98043553a578669a213c03b7fdfefe

  • SSDEEP

    3072:ZcUKZ20H5qt7ABLmYOlba6c5GdOa7MQrq3v0ayW3sfc4xDAmMz/zlZVdtj0QPvBH:ZcB20H5qt7ABLmYOlba6c5GdOa7MQrqJ

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2528" "976"
      2⤵
        PID:2676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259433231.txt
      Filesize

      1KB

      MD5

      268fd58ab65792a01d6820e3d41319f1

      SHA1

      42ecd16de7e9505d7cd1265f737f0739705681b0

      SHA256

      530b87379452ed2609f3d6d99e8705473a68369d55b90a8c373e2af34ccfa4c8

      SHA512

      d1b8e00ab6266fd3f4f28c83064f71cc9ecce11b6fa046ce290ac173dbb1e4cbb1dc3dae46ba447c97727b5abbfeda0a07cc1d5caf58e00565dbfa8bd058ff2d

      Download Submit

    • memory/2528-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2528-5-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2528-6-0x0000000002790000-0x0000000002798000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2528-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2528-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2528-9-0x0000000002B60000-0x0000000002B78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2528-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2528-10-0x0000000002B80000-0x0000000002B86000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2528-12-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2528-13-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2528-16-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

      Filesize

      9.6MB

      Download