229bc74efaec13853ed9774d20581e3e56221d26f17c6ff6221722d9dfa80ba5 | Triage

Analysis

max time kernel
44s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 07:07

Sharing

Report Analysis Logs

General

Target

virtual_freer_v1.58/back/payments.ps1
Size

14KB
MD5

f48b611c38db63ab15312a6003e30e50
SHA1

4e266e0998b6f93daf8db58cb51353b47786c47d
SHA256

25e9d9406ddd02669c0a010618f05b1feb7c466faac283c4e43e8b5614d8aa63
SHA512

c6106adf78b37cf7609a95f00701f07b4bfa5aa8b535168106fdadbbce7fc1f85f58833571f9f442128f56731f736a70619c55a2f62ba8bf83f00c093ff796c9

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1312 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1312 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\virtual_freer_v1.58\back\payments.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-54-0x000007FEFC221000-0x000007FEFC223000-memory.dmp

Filesize
8KB

Download
memory/1312-56-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1312-55-0x000007FEF3360000-0x000007FEF3EBD000-memory.dmp

Filesize
11.4MB

Download
memory/1312-57-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download