1f20d50f886138f94232c9b6b848163f5ed7edf4ed473c1507411b06b840debf

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Burrawang.ps1
Size

50KB
MD5

6d32d99c206a81fcfc06d7ed6225282d
SHA1

f3740ea1acaa8452aa34a4dda3c1a6865881845c
SHA256

d8602baba5af6700d20d5e2048fd527b3d84e4c5c78abb1b95f9abb20fee2c94
SHA512

f430ed98550e4fdf4bd1905251ab0f81374c88b29d245a6c5fba7c1e9fd58d01b93467efd2e7813e7b37e76affdb985a24bdae715eb07f9215d77fd77253f22b
SSDEEP

1536:HyMLcrTk2qMrlNQFNynfVkkyRDWSW1cZJI4:HZIXYnIkZWSW1K

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2340	powershell.exe
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2660	2340	powershell.exe	32
PID 2340 wrote to memory of 2660	2340	powershell.exe	32
PID 2340 wrote to memory of 2660	2340	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Burrawang.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2340" "852"
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259451036.txt

Filesize
1KB

MD5
b29723e37f12fab25e718454b1b0ed76

SHA1
f61b5561db70a7b6867dbfc63bf7764821b1c8d8

SHA256
49d16d79991923bb5344ac86fa9606d4145a829edf4024a39b424e3b3348ff07

SHA512
727fcfb6a09d52abc8f558342259dc2d465082ea96095cafa92ed91cbcb4edd9900b6e7d58bc1dac2e30884e0a5727176ab66aa8851df4ac12051280b74b9af0

Download Submit
memory/2340-10-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2340-9-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

Filesize
4KB

Download
memory/2340-11-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-12-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-14-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-13-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-17-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-6-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download