ccdec18403c4454e607c277a8280d4a6cbf5534b5d972451f31d7cc62a15ae84 | Triage

Analysis

max time kernel
148s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 14:38

Sharing

Report Analysis Logs

General

Target

Ghost[2].ps1
Size

7KB
MD5

0eec7d119752a6b54aaf0e112a54435b
SHA1

abc9574febfd25496fa8c96b02b0ca84e8e0c74e
SHA256

a4620b97f9dc5a2a0f8eba1d29e5df9f16f858058b734c6bcfc5fe8fcb96a4cd
SHA512

260f4a83ae116c2f793e47ef12d677501a9fac417e13de30e76b0ff8787072a8a11d9b4afad27c02c95b50228ec8176fb50632902af0d25b475a3444f3f252fa
SSDEEP

192:G21U11eI9vDG2ItnfOXP+JbCvj+hx5XJWOoyb/QTUWAclPP:GOUPOXb/QTUWAclPP

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4968	powershell.exe
4968	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Ghost[2].ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4968-132-0x00000282D35B0000-0x00000282D35D2000-memory.dmp

Filesize
136KB

Download
memory/4968-133-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

Filesize
10.8MB

Download
memory/4968-134-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

Filesize
10.8MB

Download