Overview

overview

10

Static

static

AFL27.iso

windows7-x64

3

AFL27.iso

windows10-2004-x64

3

AS.js

windows7-x64

10

AS.js

windows10-2004-x64

10

peseta/data.txt

windows7-x64

1

peseta/data.txt

windows10-2004-x64

1

peseta/flours.js

windows7-x64

3

peseta/flours.js

windows10-2004-x64

7

peseta/gratiae.ps1

windows7-x64

1

peseta/gratiae.ps1

windows10-2004-x64

1

peseta/opalescent.jpg

windows7-x64

3

peseta/opalescent.jpg

windows10-2004-x64

3

Resubmissions

28-11-2022 19:20

221128-x14m5sad69 10

28-11-2022 13:53

221128-q6zg2sgg66 10

Analysis

  • max time kernel
    600s
  • max time network
    631s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    peseta/gratiae.ps1

  • Size

    367B

  • MD5

    5479e1a9617b0222d0a8f001c63fb23b

  • SHA1

    0c5428239a418c8586d1699adafeb2bddb0f8c95

  • SHA256

    e6f4fe47c6e08c3b995b5e69efee09a853426607d64715bb1cf215640f785d58

  • SHA512

    7bc5e090fbabd4746c1a075ed4d7bbfbdb4e0a235ff8c1be5e8257d5daf4f3e22a3f04d25d21108446a684cc7371eea6882d3c1d855a3c12e868a2e8d01d4ffa

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\peseta\gratiae.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\users\public\test1.txt DrawThemeIcon
      2⤵
        PID:1440

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/836-54-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

      Filesize

      8KB

      Download

    • memory/836-55-0x000007FEF3CD0000-0x000007FEF46F3000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/836-57-0x0000000002774000-0x0000000002777000-memory.dmp

      Filesize

      12KB

      Download

    • memory/836-56-0x000007FEF3170000-0x000007FEF3CCD000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/836-58-0x000000000277B000-0x000000000279A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/836-60-0x0000000002774000-0x0000000002777000-memory.dmp

      Filesize

      12KB

      Download

    • memory/836-61-0x000000000277B000-0x000000000279A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1440-59-0x0000000000000000-mapping.dmp

      Download