e256710a69172b77abe095ad5dc4b7b900f306da16c8a34f994b51d503037c68

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 08:07

Target

download.dat (1).ps1
Size

3KB
MD5

9f3b3f3c8e27fd5a3b6da453ea05ab64
SHA1

bb091298a548a7e6415908200bcafaa46f4a2a1d
SHA256

e256710a69172b77abe095ad5dc4b7b900f306da16c8a34f994b51d503037c68
SHA512

4b7c7c48589f54132dcbc047a19dc827a2983e9c5c8aa0e5c8d596af05e0e486b7ca2f96d795c197591ba1c27121983d8811be3177bef2492cc3439d143d6661

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1680 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewhoami.exe

description pid process

Token: SeDebugPrivilege 1680 powershell.exe
Token: SeDebugPrivilege 1668 whoami.exe

pid	process
1680	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1668	whoami.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1680 wrote to memory of 1668	1680	powershell.exe	whoami.exe
PID 1680 wrote to memory of 1668	1680	powershell.exe	whoami.exe
PID 1680 wrote to memory of 1668	1680	powershell.exe	whoami.exe

C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

memory/1680-58-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/1680-59-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1680-61-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1680-62-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1680-63-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1680-64-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download