dfeccfeb4232434d0e3095ef4d596b13517af8286b9300b9f3837cf4dc3a6749

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2023 12:42

Target

AddKeePassTrigger.ps1
Size

1KB
MD5

73185379ba353ff5ca48be55ace33c0e
SHA1

cd2dfce7e34cb2c63b85379c692e04fe45d4b5ec
SHA256

dfeccfeb4232434d0e3095ef4d596b13517af8286b9300b9f3837cf4dc3a6749
SHA512

5ed5b8b7eff9f3fad5c19c89e81bbda22b77cd6caf5f2d1d95b82fcce2942ebd8962b6cf70b50de6afb9108879735fcea8c43f1eefeb472c2cb73f14b22139f7

Score

5^/10

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8EB0992F-0060-491F-BDBB-AB46FA578CE7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{39DA6ED7-4CFA-4D8C-86CA-544AC6D3B8F7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{00025901-4307-4F62-847F-228DC4ED7976}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{58C66B3D-1908-42D0-8768-F96A40587246}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AE5655E6-2C69-410D-9EDF-859D6E739FC1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{76F4093F-9062-4FA6-957F-03BC179ABF5D}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1C441F99-8717-4A80-B2D3-FC308EB45304}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E08914B5-8C04-4048-AE68-121EBFE8D0D5}.catalogItem	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	powershell.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1020

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1ofmyt1.2yq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4728-133-0x000002187C3B0000-0x000002187C3D2000-memory.dmp

Filesize
136KB

Download
memory/4728-145-0x000002187C530000-0x000002187C540000-memory.dmp

Filesize
64KB

Download
memory/4728-146-0x000002187C530000-0x000002187C540000-memory.dmp

Filesize
64KB

Download
memory/4728-147-0x000002187C530000-0x000002187C540000-memory.dmp

Filesize
64KB

Download