Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 01:58
Static task: static1

Behavioral task: behavioral1
  Sample: 4e1f1d9bf4b4f09c83818b2947972800.ps1
  Resource: win7-20231215-en
  3 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 4e1f1d9bf4b4f09c83818b2947972800.ps1
  Resource: win10v2004-20231215-en
  6 signatures, 150 seconds
General

Target: 4e1f1d9bf4b4f09c83818b2947972800.ps1
Size: 485KB
MD5: 4e1f1d9bf4b4f09c83818b2947972800
SHA1: cee9f50edc0d0c47e318a5be68750422e53d6ae2
SHA256: f65e34cc627483978d2d832b23311e8634bf8689459a921e7fc5b2b3750c502b
SHA512: 0a772ff38ea7819d2a5544d55d6cc3ffbb3326a0fd3fa4b5db2af2a6880a1e1a8b3b4d812d7d811d4a7ffa141984677a2dd1fdfb1c4105baad233f06cf625e8c
SSDEEP: 12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64bigu:q3Uu
Score: 1/10
Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process
  2500  powershell.exe   (same entry recorded 11 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2500  powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description                         pid   process         target process
  PID 2500 wrote to memory of 2840    2500  powershell.exe  MSBuild.exe   (recorded 4 times)
  PID 2500 wrote to memory of 2856    2500  powershell.exe  MSBuild.exe   (recorded 4 times)
  PID 2500 wrote to memory of 2816    2500  powershell.exe  MSBuild.exe   (recorded 4 times)
  PID 2500 wrote to memory of 2732    2500  powershell.exe  MSBuild.exe   (recorded 4 times)
  PID 2500 wrote to memory of 2700    2500  powershell.exe  MSBuild.exe   (recorded 4 times)
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4e1f1d9bf4b4f09c83818b2947972800.ps1
  PID: 2500
  Signatures:
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (command line: #cmd)  PID: 2840
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (command line: #cmd)  PID: 2816
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (command line: #cmd)  PID: 2700
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (command line: #cmd)  PID: 2732
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (command line: #cmd)  PID: 2856