1f20d50f886138f94232c9b6b848163f5ed7edf4ed473c1507411b06b840debf

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Burrawang.ps1
Size

50KB
MD5

6d32d99c206a81fcfc06d7ed6225282d
SHA1

f3740ea1acaa8452aa34a4dda3c1a6865881845c
SHA256

d8602baba5af6700d20d5e2048fd527b3d84e4c5c78abb1b95f9abb20fee2c94
SHA512

f430ed98550e4fdf4bd1905251ab0f81374c88b29d245a6c5fba7c1e9fd58d01b93467efd2e7813e7b37e76affdb985a24bdae715eb07f9215d77fd77253f22b
SSDEEP

1536:HyMLcrTk2qMrlNQFNynfVkkyRDWSW1cZJI4:HZIXYnIkZWSW1K

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	powershell.exe
2384	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1300	2384	powershell.exe	31
PID 2384 wrote to memory of 1300	2384	powershell.exe	31
PID 2384 wrote to memory of 1300	2384	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Burrawang.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2384" "856"
  2⤵
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259434362.txt

Filesize
1KB

MD5
0f319d4a5ef2507d6f22594b7933c242

SHA1
01c2b122aad12224dfd29a06fa02796067ef6eb1

SHA256
59bfcfc6c63393951c5233c9e6fb65295a95576a472197ea858f06f977f72c6d

SHA512
d20f1cc6b0b4239e4028423a1b82ea7bff0938b39f7d575cee95c340feaa184beb99fb81ac7b6468299e366409ed2cc1eeebdf6b6979e42c1ddf4b3f8fc728e7

Download Submit
memory/2384-10-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-6-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2384-7-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-8-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download
memory/2384-11-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-12-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-14-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-13-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2384-18-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-17-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download