Overview

overview

8

Static

static

8

CollapseLo...in.ps1

windows7-x64

3

CollapseLo...der.py

windows7-x64

3

CollapseLo...ain.py

windows7-x64

3

CollapseLo...API.py

windows7-x64

3

CollapseLo...eat.py

windows7-x64

3

CollapseLo...ner.py

windows7-x64

3

CollapseLo...ats.py

windows7-x64

3

CollapseLo...ata.py

windows7-x64

3

CollapseLo...eat.py

windows7-x64

3

CollapseLo...ker.py

windows7-x64

3

CollapseLo...ger.py

windows7-x64

3

CollapseLo...ogo.py

windows7-x64

3

CollapseLo...ger.py

windows7-x64

3

CollapseLo...RPC.py

windows7-x64

3

CollapseLo...try.py

windows7-x64

3

CollapseLo...tor.py

windows7-x64

3

CollapseLo...ngs.py

windows7-x64

3

CollapseLo...ter.py

windows7-x64

3

CollapseLo...run.py

windows7-x64

3

CollapseLo...cd.ps1

windows7-x64

3

CollapseLo...cd.ps1

windows7-x64

3

CollapseLo...px.exe

windows7-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CollapseLoader-1.2.5/scripts/ci_cd.ps1

  • Size

    383B

  • MD5

    9ba6f54bf77cdf6fed0b9f18d7729a96

  • SHA1

    32cc2dca72dc1849c8c15570f32f8d54cb1be871

  • SHA256

    ad4d2f3cb35ce158f03bc252778fbcccea9cb30c7d44700b9f774093cabb4af5

  • SHA512

    6606e042e0770ff9ba0725679c5c64db68d929b8d6462c559b1af7a84872dc05c503fa0be3ce59fcf1f4593025bf9314aa3dc903d3bce3e4219d3f238dae07d9

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\CollapseLoader-1.2.5\scripts\ci_cd.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1616-4-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1616-7-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1616-6-0x00000000029A0000-0x00000000029A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1616-8-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1616-9-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1616-5-0x000000001B500000-0x000000001B7E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1616-10-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1616-12-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1616-13-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

    Filesize

    9.6MB

    Download