b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d

Analysis

Target

b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe
Size

3.4MB
MD5

7828a5c6e3657985e9225aa6a368bb0d
SHA1

3985616152a24f2d7f2007114a7c4d8894b26719
SHA256

b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d
SHA512

1a958f81002e54c1aae856d159eecb04cf01a0940c89bfabb672b877b9aa735c6239ff322a79baf042b4f42b7d11629c1ea8cab7e735d1ab95e4840f6229bfd1

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1096 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1096 powershell.exe

pid	process
1096	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1096	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe

description	pid	process	target process
PID 2028 wrote to memory of 1096	2028	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe	powershell.exe
PID 2028 wrote to memory of 1096	2028	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe	powershell.exe
PID 2028 wrote to memory of 1096	2028	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe	powershell.exe
PID 2028 wrote to memory of 1096	2028	b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe
"C:\Users\Admin\AppData\Local\Temp\b46a19568e377c2e413e2b6ac5afce64e2491cf5ef10509af3ef08d1a59d416d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096

C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
memory/1096-56-0x0000000000000000-mapping.dmp

Download
memory/1096-57-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1096-62-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1096-60-0x000007FEEEA70000-0x000007FEEF5CD000-memory.dmp

Filesize
11.4MB

Download
memory/1096-64-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/2028-54-0x0000000004000000-0x000000000433D000-memory.dmp

Filesize
3.2MB

Download
memory/2028-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/2028-58-0x0000000004000000-0x000000000433D000-memory.dmp

Filesize
3.2MB

Download
memory/2028-59-0x0000000004340000-0x00000000047EC000-memory.dmp

Filesize
4.7MB

Download
memory/2028-61-0x0000000000040000-0x000000000226A000-memory.dmp

Filesize
34.2MB

Download