Overview

overview

10

Static

static

3

eed2e7dff3...28.exe

windows7-x64

8

eed2e7dff3...28.exe

windows10-2004-x64

10

amagere.ps1

windows7-x64

3

amagere.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/02/2025, 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    amagere.ps1

  • Size

    53KB

  • MD5

    3b2ca5f40a0e7f7fbdc32a87bb02e158

  • SHA1

    cd2fcfdb6ea50615a6daf838a7fa5b4962179bf6

  • SHA256

    634e73dce86f61003118cc3d757424916f6a3b25bd39da332000de9e0b7943a4

  • SHA512

    e9b25363980cae6fc860ca32702ad1fae6469a42e79e038fd551a73032bde03c97e57d12cb02140be01bcb763eceaab58a4b9d780a7ab0a8f5dbf10ce7ba061d

  • SSDEEP

    1536:+AtG9ZyhFDBK2V4yHtPkdTiCYrKSwJ+acVSF:+AtjFDBb4yNPJDwEVM

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\amagere.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1872" "856"
      2⤵
        PID:2192

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259441973.txt
      Filesize

      1KB

      MD5

      3e25b05a51ab21145f83bddff26e85c0

      SHA1

      7bbecc8aad9507cc12deacfc5cf8eb882c1cb437

      SHA256

      9c60a4a8a96a13318ca23ae86cb94cd3ce73a05d4415f2d4335717e37060e947

      SHA512

      a588b5da3b77e8a2bb0d7da1f4198b4c64cc80bab9786fb12ed4b94d603e2338b0de140866a87ed17f900e96f183ab83a8b0ada9de1cbe82943976d8ac12eb90

      Download Submit

    • memory/1872-10-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1872-7-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-9-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-4-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1872-12-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-11-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-14-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-13-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-5-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1872-17-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1872-18-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

      Download