3fa876bf68d2874aa0df8fb1d0639337b9ef9b6f3123c9b37aa91d88b5efdabe

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ortografien.ps1
Size

54KB
MD5

47ce8571ec7f0f7f10a17ddced1d7570
SHA1

b7c5c4a8513bfb7267768edf001c4b99d022eade
SHA256

37965b21b871f3b097534bc9ed8d0690f1e70fa07a1db4cdd182a01f385ccf08
SHA512

3520d34694b44c2edfe6386819fd7dc9d517a393ac0535b10a85e54d545bbd90c1e5b329365c497b3ee8cfc9ae7ccc2f8c49437111940ca7c21250fbecb3ee1a
SSDEEP

1536:lQirHwQohFm3b68ejjsgxTttk+WF+rOG0mFkQiN:lQi2hUuJsKTXFcN

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2340	powershell.exe
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2736	2340	powershell.exe	32
PID 2340 wrote to memory of 2736	2340	powershell.exe	32
PID 2340 wrote to memory of 2736	2340	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ortografien.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2340" "840"
  2⤵
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259451370.txt

Filesize
1KB

MD5
f30299118f51fc848a5dc110d1efde62

SHA1
6406b4845acd2502e3c5f54616b9f2f139bf8cfc

SHA256
41dc3fb0e06113967bb4e1fe23e1f4b655bf2ca15a677ab589a24cd5d366e25e

SHA512
c5df50c5b6093e99c74007fac558e16d2398b7ffeb08de142cb75d33dd3e0b28be7f32c33105682a513e0e91d6cd2d7c0996d6220acc60f29ea697d9d587453c

Download Submit
memory/2340-10-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-6-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2340-7-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-8-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-9-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-4-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

Filesize
4KB

Download
memory/2340-11-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-13-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-12-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-16-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2340-17-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download