c685134bdad34c105ab8f11437824d1a038370cc9d80cd3f5768d83900aba942

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ppp.ps1
Size

386KB
MD5

e45cabf205741f1cede66ad81f8b06fa
SHA1

060dcd47f3b48db25d68a633f7897338834d3612
SHA256

c685134bdad34c105ab8f11437824d1a038370cc9d80cd3f5768d83900aba942
SHA512

88ab41b280853bc784c1177e05ae2d31369df408c879f9dca4b6ada5d6d18693f5d3299564426e2fa726d99dcfab86cb6599684d2291d6b5e88fa500a5804aa7
SSDEEP

6144:jiQBMJk9Te7tQtEu+jSmJtAO13nRZ79rOSA5C25ljGuVn0O2+ibO8A9e:ejJ8ktQtYGmJt2WUO1

Score

7^/10

discovery execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	x.exe

Loads dropped DLL 5 IoCs

pid	Process
4968	WerFault.exe
4968	WerFault.exe
4968	WerFault.exe
4968	WerFault.exe
4968	WerFault.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4968	2824	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2664	powershell.exe
2664	powershell.exe
2664	powershell.exe
2824	x.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2824	x.exe
Token: SeDebugPrivilege	2824	x.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2824	2664	powershell.exe	32
PID 2664 wrote to memory of 2824	2664	powershell.exe	32
PID 2664 wrote to memory of 2824	2664	powershell.exe	32
PID 2664 wrote to memory of 2824	2664	powershell.exe	32
PID 2824 wrote to memory of 4968	2824	x.exe	33
PID 2824 wrote to memory of 4968	2824	x.exe	33
PID 2824 wrote to memory of 4968	2824	x.exe	33
PID 2824 wrote to memory of 4968	2824	x.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ppp.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1052
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
290KB

MD5
244360e3e1f45bf12f428ea3846d2b8a

SHA1
188e9b7018e2dac9beb3b2bfdbeae98dfb9e9978

SHA256
3d5619f53fac5d324a867e69fd61c51a54ad1d3d28a998f3b85f78598703dcac

SHA512
65157507e439c91b8b67c895f962d8e780cfaf8638bd4827cac72abc06b7cbd613373193782c55f58b377d85bc545f2bcd11e4b0c22e677f162bb34d772203ab

Download Submit
memory/2664-4-0x000007FEF692E000-0x000007FEF692F000-memory.dmp

Filesize
4KB

Download
memory/2664-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-7-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2664-8-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-10-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-14-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-17-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-19-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-18-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2824-20-0x0000000000DC0000-0x0000000000E0E000-memory.dmp

Filesize
312KB

Download
memory/2824-21-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-22-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2824-23-0x00000000054D0000-0x00000000055E6000-memory.dmp

Filesize
1.1MB

Download
memory/2824-24-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-25-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-36-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-45-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-63-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-79-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-87-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-85-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-83-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-81-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-77-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-75-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-73-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-71-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-69-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-67-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-65-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-61-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-59-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-57-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-55-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-53-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-51-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-49-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-47-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-43-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-41-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-39-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-37-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-33-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-31-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-29-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-27-0x00000000054D0000-0x00000000055DF000-memory.dmp

Filesize
1.1MB

Download
memory/2824-1360-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-1361-0x00000000055E0000-0x000000000564E000-memory.dmp

Filesize
440KB

Download
memory/2824-1362-0x0000000005880000-0x00000000058EA000-memory.dmp

Filesize
424KB

Download
memory/2824-1363-0x0000000000D20000-0x0000000000D6C000-memory.dmp

Filesize
304KB

Download
memory/2824-1364-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2824-1365-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-1366-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-1367-0x0000000004850000-0x00000000048A4000-memory.dmp

Filesize
336KB

Download
memory/2824-1373-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download