87cf7164b78119e27b02fddc73bd339e81eb71c3d0a5c81722c065ff64bbcc11

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$WINDIR/porterhouse/Wrynesses.ps1
Size

53KB
MD5

f5b2b137807856875a8775b2ca0a78d9
SHA1

b0df4707f99a9f8d6424838fec2ab61cb777e421
SHA256

be590cff8cc5b344be42be1818daddaf6eb346ee427e7f6ce07ba3abd8238959
SHA512

34f9aae5557211f37342bf60b85b30031be09e5f03a58fc446730944bc801ebf7cc3763f6f601b92357459b82eb9252a6d37899a34456b6fcc42c4ecfb9d243e
SSDEEP

1536:BZrYncLjaS7oOAyQwZ1oaA0TeLCWKTWX90dgMXwS:JLmS7hQGBr0cgE

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2164	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2164	powershell.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2636	2164	powershell.exe	32
PID 2164 wrote to memory of 2636	2164	powershell.exe	32
PID 2164 wrote to memory of 2636	2164	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$WINDIR\porterhouse\Wrynesses.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2164" "860"
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259452668.txt

Filesize
1KB

MD5
d507d6632682fb7774368190576069e4

SHA1
412caa30dd65a2cac5ca27d80fd5c524e65df13c

SHA256
cf2449f83b959a62706828fb377cc79d2f378c0bd208e9e721d5211959bcee23

SHA512
57a5dae993fa5b87f58d4613be189a647e9e14db951c2a4a6112f423634ea81129b2fbb219e63fe547c499163f79979f57884cf450e5aea56d724d6514ae5d10

Download Submit
memory/2164-10-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-7-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2164-8-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-9-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-4-0x000007FEF629E000-0x000007FEF629F000-memory.dmp

Filesize
4KB

Download
memory/2164-11-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-13-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-12-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2164-17-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-16-0x000007FEF5FE0000-0x000007FEF697D000-memory.dmp

Filesize
9.6MB

Download