23505626c4370e6730243a7a0d238665762757f334486692af862e19c0f42c7e

Analysis

max time kernel
122s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 12:51

Target

8feadf3a0c1ceb6b2207a4be0746dc74.ps1
Size

485KB
MD5

8feadf3a0c1ceb6b2207a4be0746dc74
SHA1

98226516bbf42ef670248b5d1376fddc2c5f3e50
SHA256

23505626c4370e6730243a7a0d238665762757f334486692af862e19c0f42c7e
SHA512

901498b3545ba411161e23f62f56fc0f9539dbab8b50776c8a983a96f9b34debe5ff9955306004c48028d69a1fd6dfadea3b21f79adad9e5863fa61705320e90
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw640igu:q3xu

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2840	3032	powershell.exe	29
PID 3032 wrote to memory of 2840	3032	powershell.exe	29
PID 3032 wrote to memory of 2840	3032	powershell.exe	29
PID 3032 wrote to memory of 2840	3032	powershell.exe	29
PID 3032 wrote to memory of 2804	3032	powershell.exe	33
PID 3032 wrote to memory of 2804	3032	powershell.exe	33
PID 3032 wrote to memory of 2804	3032	powershell.exe	33
PID 3032 wrote to memory of 2804	3032	powershell.exe	33
PID 3032 wrote to memory of 2724	3032	powershell.exe	32
PID 3032 wrote to memory of 2724	3032	powershell.exe	32
PID 3032 wrote to memory of 2724	3032	powershell.exe	32
PID 3032 wrote to memory of 2724	3032	powershell.exe	32
PID 3032 wrote to memory of 2436	3032	powershell.exe	31
PID 3032 wrote to memory of 2436	3032	powershell.exe	31
PID 3032 wrote to memory of 2436	3032	powershell.exe	31
PID 3032 wrote to memory of 2436	3032	powershell.exe	31
PID 3032 wrote to memory of 2120	3032	powershell.exe	30
PID 3032 wrote to memory of 2120	3032	powershell.exe	30
PID 3032 wrote to memory of 2120	3032	powershell.exe	30
PID 3032 wrote to memory of 2120	3032	powershell.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8feadf3a0c1ceb6b2207a4be0746dc74.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2804

memory/3032-4-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/3032-5-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/3032-6-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3032-7-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3032-9-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3032-8-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download
memory/3032-10-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3032-11-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/3032-12-0x0000000002AF0000-0x0000000002B02000-memory.dmp

Filesize
72KB

Download
memory/3032-13-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Filesize
9.6MB

Download