229bc74efaec13853ed9774d20581e3e56221d26f17c6ff6221722d9dfa80ba5 | Triage

Analysis

max time kernel
165s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 07:07

Sharing

Report Analysis Logs

General

Target

virtual_freer_v1.58/back/payments.ps1
Size

14KB
MD5

f48b611c38db63ab15312a6003e30e50
SHA1

4e266e0998b6f93daf8db58cb51353b47786c47d
SHA256

25e9d9406ddd02669c0a010618f05b1feb7c466faac283c4e43e8b5614d8aa63
SHA512

c6106adf78b37cf7609a95f00701f07b4bfa5aa8b535168106fdadbbce7fc1f85f58833571f9f442128f56731f736a70619c55a2f62ba8bf83f00c093ff796c9

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

412 powershell.exe
412 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 412 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\virtual_freer_v1.58\back\payments.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-130-0x0000022D7D570000-0x0000022D7D592000-memory.dmp

Filesize
136KB

Download
memory/412-131-0x00007FF94E510000-0x00007FF94EFD1000-memory.dmp

Filesize
10.8MB

Download