2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e

Resubmissions

13-01-2021 08:15

12-01-2021 06:28

Target

nlOiE.jpg.ps1
Size

745KB
MD5

a20b49ae1d1200c84a0344f5ad3353dd
SHA1

3c4e0a61b36c90603d540d83471ab07efe330055
SHA256

2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e
SHA512

1e80bf08e024d86792c680cf12fc53c6e7fe52d1c1a02c990ce46cda410c4dab6840912b4894cd97f3cf74dfa401bd56eba43187f14fe1735c133fc6bea9f5da

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 1628	596	powershell.exe	30
PID 596 wrote to memory of 1628	596	powershell.exe	30
PID 596 wrote to memory of 1628	596	powershell.exe	30
PID 596 wrote to memory of 1628	596	powershell.exe	30
PID 596 wrote to memory of 336	596	powershell.exe	31
PID 596 wrote to memory of 336	596	powershell.exe	31
PID 596 wrote to memory of 336	596	powershell.exe	31
PID 596 wrote to memory of 336	596	powershell.exe	31
PID 596 wrote to memory of 840	596	powershell.exe	33
PID 596 wrote to memory of 840	596	powershell.exe	33
PID 596 wrote to memory of 840	596	powershell.exe	33
PID 596 wrote to memory of 840	596	powershell.exe	33
PID 596 wrote to memory of 1204	596	powershell.exe	32
PID 596 wrote to memory of 1204	596	powershell.exe	32
PID 596 wrote to memory of 1204	596	powershell.exe	32
PID 596 wrote to memory of 1204	596	powershell.exe	32
PID 596 wrote to memory of 1624	596	powershell.exe	34
PID 596 wrote to memory of 1624	596	powershell.exe	34
PID 596 wrote to memory of 1624	596	powershell.exe	34
PID 596 wrote to memory of 1624	596	powershell.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nlOiE.jpg.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1624

memory/596-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/596-3-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/596-4-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/596-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/596-6-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/596-7-0x000000001C1E0000-0x000000001C1E1000-memory.dmp

Filesize
4KB

Download
memory/596-8-0x00000000023B0000-0x00000000023B7000-memory.dmp

Filesize
28KB

Download
memory/596-9-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download