Overview

overview

10

Static

static

1

Refresh.ps1

windows10-1703-x64

10

Refresh.ps1

windows10-2004-x64

10

Refresh.ps1

windows11-21h2-x64

8

Analysis

  • max time kernel
    1145s
  • max time network
    1180s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-01-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Refresh.ps1

  • Size

    5KB

  • MD5

    704b0f9d81facd22bc981533658d35d2

  • SHA1

    0a588b24db210246abd374e4eaca14feb09b3c01

  • SHA256

    eeb0371e7c3c26ff35d9f20f94ec2cf9925fcd779826cd5b0cae8f4c5a7582b3

  • SHA512

    23fc4bb52fb3bbe92e8398c8bbb9b929fe27ef201f167ac2c88eeda39ede2e0f0746d433938d9dad98794ec9fbaa788c6305ceb8766af2f4ce4b11eaae2e51a6

  • SSDEEP

    48:BeSMaBuYJ1G93GNviWIBXiD7+cpfZMR/RE:BqaIYJ1Y3GNv6BXiD7HpfZMRq

Score
10/10
kinsingloader

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Refresh.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yprjwjxn.ofl.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit
  • memory/204-4-0x000001D1BFA90000-0x000001D1BFAB2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/204-5-0x00007FFCEC990000-0x00007FFCED37C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/204-8-0x000001D1A5AD0000-0x000001D1A5AE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/204-9-0x000001D1A5AD0000-0x000001D1A5AE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/204-10-0x000001D1BFBC0000-0x000001D1BFC36000-memory.dmp
    Filesize

    472KB

    Download
  • memory/204-26-0x000001D1A5AD0000-0x000001D1A5AE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/204-45-0x000001D1A5AD0000-0x000001D1A5AE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/204-49-0x00007FFCEC990000-0x00007FFCED37C000-memory.dmp
    Filesize

    9.9MB

    Download