Overview

overview

10

Static

static

3

DOCUMENT#5...df.exe

windows7-x64

8

DOCUMENT#5...df.exe

windows10-2004-x64

10

Tredjelandes.ps1

windows7-x64

3

Tredjelandes.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 09:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tredjelandes.ps1

  • Size

    52KB

  • MD5

    85edb7354ba656bbb556d21c8e68831c

  • SHA1

    e01c029026be5e5d7e17cdd191360d9bbd9d9e27

  • SHA256

    d9b3298dafafc8f85e167c0c739d94cf6671f017e1a0cf7e759ff6158b5921ed

  • SHA512

    b86b8ee9f4f0f0421074de62c439ef5cf63b441f44b95c9a1ca28b357c9fd52c85ba00af70e975f4e5aa4601829026ee2ebec143fb9357815e76635fdf3a28d5

  • SSDEEP

    1536:qOoV6LfQgMGl7Fdwq3BcfTjOYysx3jXpsOWL9z:td5MCFaqxcfTj7vX/kz

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Tredjelandes.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "372" "856"
      2⤵
        PID:2044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259437821.txt
      Filesize

      1KB

      MD5

      d19c5ab89710642cdb914550448c3932

      SHA1

      d7fbf80b8d7b615214eec7fecdf447f77b710549

      SHA256

      deebbc84cf4ff0ab49d912c550a215e243c789156848350fc26a5cf834f35fd8

      SHA512

      0d0206d2d9fbe89fe2388d638e7b539e779bfd2b7a917e27226c27e79d3d78fa183d07fc00d673945cb5fc44e818a97a3c688e05e982af3cdab988f8f9fdff8a

      Download Submit

    • memory/372-11-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-6-0x0000000002310000-0x0000000002318000-memory.dmp

      Filesize

      32KB

      Download

    • memory/372-7-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-8-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-9-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-4-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/372-12-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-10-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-13-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-14-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-5-0x000000001B760000-0x000000001BA42000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/372-17-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/372-18-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

      Filesize

      9.6MB

      Download