65977464bdb8e893c4ca76c1cc7a2a410aaf4533ca345a009f37246a0711875b

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/02/2025, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Capricorn46/Smaakager.ps1
Size

52KB
MD5

e887e59c0f45446f5708524edd22e09f
SHA1

0530bfca5e7911c425be41d276e697042e102132
SHA256

2887ac9e3835ee2197cde04ee649f98d6372e24b05668c69062026a612c43ea3
SHA512

2f1bb8a9e30666c7a8703e13ebe2e3b26d53e1d0759c02ec18ef6531b2aa0fea84e358aa364dcac01f2b17639ddfd71b92122fded579b41bd0531121dd52faba
SSDEEP

1536:znLKmKmnI7jcQzSM43GM8C460L3vZnNajdOqmP:znLjKm5QzSMuG3L3BnNZ1

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2892	powershell.exe
2892	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2816	2892	powershell.exe	31
PID 2892 wrote to memory of 2816	2892	powershell.exe	31
PID 2892 wrote to memory of 2816	2892	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Capricorn46\Smaakager.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2892" "856"
  2⤵
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259441073.txt

Filesize
1KB

MD5
18b93637ec56398c33eebe24e709a00b

SHA1
d64fdd2d57c7a81493775ca177ef20e3313b1556

SHA256
eb148538bc9655286e82b973da774fe15198762b5e0a4bb46ea5c0c77d966b6a

SHA512
602d72daee7416c37ba8f8af75c2bdb0ada4c058134f23e45eac7300d96fb0c0e48ae78aec1726421f236a6184506000479509994592537187b98b6a2b48abc8

Download Submit
memory/2892-10-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-6-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2892-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-8-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-9-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-4-0x000007FEF6ACE000-0x000007FEF6ACF000-memory.dmp

Filesize
4KB

Download
memory/2892-11-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-12-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-14-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-13-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-7-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-17-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-18-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Filesize
9.6MB

Download