Overview

overview

1

Static

static

1

file.ps1

windows7-x64

1

file.ps1

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.ps1

  • Size

    288B

  • MD5

    67862b2eb5d5ef93f8db0154244a7cc2

  • SHA1

    c0a5d8b513592534cba93b185277e2b8c1c69c0e

  • SHA256

    d0071b03e277903f9f9ab9f9c69801218da4cfc3f2fe9071cbad6b853bffff4b

  • SHA512

    7fe658ddc2d94b2e2f1868ecd337248fe42ff8c8eb08f7a0e6ea94f4560cff9f7503214a1bd11876b9235bc7308439d64b74ab6d760e307a719fea8349417e8b

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Trello.Trello_2.14.5.0_x86__s3garmmmnyfa0\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\Trello.Trello_2.14.5.0_x86__s3garmmmnyfa0\Refresh2.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    65eda427895ed2955ea7357de9833295

    SHA1

    b8bed430f01f369fbc78fd3a9df517bebc7ebb14

    SHA256

    634669ad9d8ec85d48bf34dae90d1eb52fde93c599a81d8abd89da807e60d683

    SHA512

    9fecc609c5f003a2c73bd4a862173a9e16e6e27bb832c78e8fcf1b4c6b0bb935441d319039d49a2e51780a44c6dcc06a1305e611580ee5fe43421611633e11c2

    Download Submit

  • memory/2680-20-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2680-19-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2680-18-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2680-17-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2992-7-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2992-10-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2992-11-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2992-9-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2992-8-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2992-4-0x000000001B470000-0x000000001B752000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2992-6-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2992-5-0x0000000002220000-0x0000000002228000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2992-21-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

    Filesize

    9.6MB

    Download