Overview

overview

10

Static

static

1

Refresh.ps1

windows10-1703-x64

10

Refresh.ps1

windows10-2004-x64

10

Refresh.ps1

windows11-21h2-x64

8

Analysis

  • max time kernel
    1169s
  • max time network
    1190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Refresh.ps1

  • Size

    5KB

  • MD5

    704b0f9d81facd22bc981533658d35d2

  • SHA1

    0a588b24db210246abd374e4eaca14feb09b3c01

  • SHA256

    eeb0371e7c3c26ff35d9f20f94ec2cf9925fcd779826cd5b0cae8f4c5a7582b3

  • SHA512

    23fc4bb52fb3bbe92e8398c8bbb9b929fe27ef201f167ac2c88eeda39ede2e0f0746d433938d9dad98794ec9fbaa788c6305ceb8766af2f4ce4b11eaae2e51a6

  • SSDEEP

    48:BeSMaBuYJ1G93GNviWIBXiD7+cpfZMR/RE:BqaIYJ1Y3GNv6BXiD7HpfZMRq

Score
10/10
kinsingloader

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Refresh.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4svsn43.l4n.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/5800-5-0x00000253BC790000-0x00000253BC7B2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/5800-10-0x00007FFD02140000-0x00007FFD02C01000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5800-11-0x00000253D4E70000-0x00000253D4E80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5800-12-0x00000253D4E70000-0x00000253D4E80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5800-13-0x00000253D4E70000-0x00000253D4E80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5800-14-0x00000253D4E70000-0x00000253D4E80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5800-17-0x00007FFD02140000-0x00007FFD02C01000-memory.dmp
    Filesize

    10.8MB

    Download