aa928f80e184381e6cb9e2a8e159334e3494999165cf97bcd71bdfbb61dce2bf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Concludence.ps1
Size

51KB
MD5

1678eaebcc616fdd486b73c0d0f9a765
SHA1

8e9d45a247bf04385e368f16ae88ac4c70c5ca4f
SHA256

ee054a99730186790f4a20abe48b59b4254b5bb5888b4cf685f7a74092a9a6e6
SHA512

7bec8100642738d1cf759f3a5226a5e96defc56697235ef50444d35fdaf82bfab8eed5addbff50b358b9ab7caf5ccbe65cea09d7d0be35a6de7f6614d2b78172
SSDEEP

1536:pxAaLXZA+Iki28ydNcQOb01QZKVDxXAJb:px3dAwnXeYdNwJ

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2936	2196	powershell.exe	32
PID 2196 wrote to memory of 2936	2196	powershell.exe	32
PID 2196 wrote to memory of 2936	2196	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Concludence.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2196" "852"
  2⤵
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259447513.txt

Filesize
1KB

MD5
758e64c022a78071bb72e7b3879e2610

SHA1
fc76ae15ab0d8ea332b995204198871d30628623

SHA256
1a070795169c8c9033b580933fec7fbc3eafd03c14b965130fd550fcc5c6ec64

SHA512
debac40174d8118c011d4de977dcc9d04c13ad8d9204e659fc2340154974ab995a383a97b94f3f162deed59b5ac977bc58f8ba601dfde75d9c3813a64b43a650

Download Submit
memory/2196-11-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2196-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2196-4-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

Filesize
4KB

Download
memory/2196-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-12-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-13-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-14-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-17-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-18-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Filesize
9.6MB

Download