Overview

overview

10

Static

static

3

DOCUMENT58...df.exe

windows7-x64

8

DOCUMENT58...df.exe

windows10-2004-x64

10

Tredjelandes.ps1

windows7-x64

3

Tredjelandes.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tredjelandes.ps1

  • Size

    52KB

  • MD5

    85edb7354ba656bbb556d21c8e68831c

  • SHA1

    e01c029026be5e5d7e17cdd191360d9bbd9d9e27

  • SHA256

    d9b3298dafafc8f85e167c0c739d94cf6671f017e1a0cf7e759ff6158b5921ed

  • SHA512

    b86b8ee9f4f0f0421074de62c439ef5cf63b441f44b95c9a1ca28b357c9fd52c85ba00af70e975f4e5aa4601829026ee2ebec143fb9357815e76635fdf3a28d5

  • SSDEEP

    1536:qOoV6LfQgMGl7Fdwq3BcfTjOYysx3jXpsOWL9z:td5MCFaqxcfTj7vX/kz

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Tredjelandes.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2284" "852"
      2⤵
        PID:2244

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259452426.txt
      Filesize

      1KB

      MD5

      7ff5385d6149f65ab79853eb4ab388e4

      SHA1

      447fdb92edf9f813f933ca7276ce04828431693b

      SHA256

      c0bdd16378465c29bed5b675d667863886cc814dba6fd1ce94f5ecae7973882d

      SHA512

      25a8849e881071efde582a460ff1939ceac8bc12c21970ce3b46b2757c578e852b7495372229138cc1c729fe099c8d0f06b30a2b4517e2e14009cfab25792edf

      Download Submit

    • memory/2284-10-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-6-0x00000000026F0000-0x00000000026F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2284-7-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-8-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-9-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-4-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2284-11-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-12-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-13-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-14-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2284-18-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-17-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

      Filesize

      9.6MB

      Download