317d2f6c25e5f1691bda01bbe0c356d13f5a2c290b46649d7f1d2fa816f70869

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-04-2023 21:25

Target

script.ps1
Size

1KB
MD5

55243402f3e0a087a31d6d81b7502212
SHA1

e624608f654a5b93031988926b626f115dcacc53
SHA256

317d2f6c25e5f1691bda01bbe0c356d13f5a2c290b46649d7f1d2fa816f70869
SHA512

4182443bd323384edb0ae319bf6a0b8b74d74af5bbdd250e7acef412cd4dbb58b1064164ead352fdd2a27ed1fe87748396cd12a9982e2f28e91c6dd061d033e7

Score

8^/10

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2032	powershell.exe
5	2032	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe

memory/2032-58-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2032-59-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2032-60-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2032-61-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2032-62-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2032-63-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download