a3ab1ca451d4b020eea6ba2d62e987412bd3b09a4993ea803c8105e932274177

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09/02/2025, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Norby.ps1
Size

52KB
MD5

237cdf672782754d57c42a5b82371b98
SHA1

6fe41a22c98e07b85ceb25b0870c539fe969197d
SHA256

26c1ca3a25a867de4b6c580a67c25f0b772a8d0d1ee9bb87facf3daa741cac57
SHA512

c97e1a229e3280c591b0bc76ea6850e8c5ee90420eea1d09a9a5f1effd264d06c8ce4aae166d43de00f1fc68422f277809cd899e33fee505d9be116efa8a0ce9
SSDEEP

1536:80FHbCINgp4KZE6oMXF7BaHqljyJuamYN:HHbClpBZagu3N

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	powershell.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2748	2988	powershell.exe	31
PID 2988 wrote to memory of 2748	2988	powershell.exe	31
PID 2988 wrote to memory of 2748	2988	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Norby.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2988" "912"
  2⤵
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259521934.txt

Filesize
1KB

MD5
cf0da1e1a834361959e6b058399697fd

SHA1
6ed1340f68c0389e3b6e8463ef5e068db55a1955

SHA256
42cf448f56779c68d34e151795d457c0b51304ae370ff7c929ee3fab500b61a2

SHA512
5c0eafc07b7343f674033c10057fbb56c871f6ba1f09fe4e6980041842ac135bf0bafcf72deebdaf5c1d3639c5c127483398f5ce69ea426f21a45725bfd54fc2

Download Submit
memory/2988-10-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-12-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-7-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-8-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-9-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-4-0x000007FEF672E000-0x000007FEF672F000-memory.dmp

Filesize
4KB

Download
memory/2988-11-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-6-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2988-13-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-14-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-5-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2988-17-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-18-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-19-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

Filesize
9.6MB

Download