4cd8cc1a84521644561b76338aabcf7c1d7681564b0415b0a548b6a8e9700a73

Analysis

max time kernel
29s
max time network
31s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
04/01/2023, 23:04

Target

install.bat
Size

4KB
MD5

1e2f0cee168e9efbf71954a91c155356
SHA1

1da5b5d28d83b51ee58895b48488a22d1dc49897
SHA256

4cd8cc1a84521644561b76338aabcf7c1d7681564b0415b0a548b6a8e9700a73
SHA512

593cbc366c79e7f2b0dda7260363305e9cd112f665a7375998b34f9a8792f9fb2313e36b17b587010f7d29b24221da756dee1a84f65628e69037a40952d52c64
SSDEEP

96:qGQ9HHSDNcCMOQMYAMlVu7YOnMkycpy1Xq0RHqs0V:qGQ9nRY3YHXuMOMkycpy1XBqs0V

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1088	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 508	1124	cmd.exe	29
PID 1124 wrote to memory of 508	1124	cmd.exe	29
PID 1124 wrote to memory of 508	1124	cmd.exe	29
PID 1124 wrote to memory of 1088	1124	cmd.exe	30
PID 1124 wrote to memory of 1088	1124	cmd.exe	30
PID 1124 wrote to memory of 1088	1124	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\findstr.exe
  findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\install.bat"
  2⤵
  PID:508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe -ExecutionPolicy Bypass -Command "& 'C:\Users\Admin\AppData\Local\Temp\ps.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088

C:\Users\Admin\AppData\Local\Temp\ps.ps1

Filesize
4KB

MD5
4d70184c5dadd0bb980a13aedab4988b

SHA1
a8e17c70cba0911ca56b8f75f568082eb2849f9b

SHA256
259ec34b25f4aa29f33322702b3d3a678b7f1109f03ba3b04e973d0c3092a49a

SHA512
4475a858928fecbce18dbeb5463222020ab0848109e29afad9e0c72beb41941a9b60f1d8fdda073cd945846e0530ee9006c927bcd7af1e9d96828f18887f315f

Download Submit
memory/1088-56-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

Filesize
8KB

Download
memory/1088-57-0x000007FEF3B10000-0x000007FEF4533000-memory.dmp

Filesize
10.1MB

Download
memory/1088-59-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1088-58-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1088-60-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1088-62-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1088-63-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1088-64-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download