ee9eea9bc98b4cd4997db4775dd231172062bf3ebc4a2f8e41c287f6d414ebd3

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 16:23

Target

edb14699d2e6bd02ef56e3fbd740f278.ps1
Size

485KB
MD5

edb14699d2e6bd02ef56e3fbd740f278
SHA1

75eef64f372e80a4bf4c68790ac6a4a8cf780096
SHA256

ee9eea9bc98b4cd4997db4775dd231172062bf3ebc4a2f8e41c287f6d414ebd3
SHA512

1724cc7ddafe30d6ee74db356abb75d5a1ea14d226366a6bf650a2ae1cf5d9c023235b88e00fec4e5506c091cf2ca40978b2465de329a78624b76cff81ffff72
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64Figu:q32u

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2716	1308	powershell.exe	29
PID 1308 wrote to memory of 2716	1308	powershell.exe	29
PID 1308 wrote to memory of 2716	1308	powershell.exe	29
PID 1308 wrote to memory of 2716	1308	powershell.exe	29
PID 1308 wrote to memory of 2756	1308	powershell.exe	30
PID 1308 wrote to memory of 2756	1308	powershell.exe	30
PID 1308 wrote to memory of 2756	1308	powershell.exe	30
PID 1308 wrote to memory of 2756	1308	powershell.exe	30
PID 1308 wrote to memory of 2760	1308	powershell.exe	31
PID 1308 wrote to memory of 2760	1308	powershell.exe	31
PID 1308 wrote to memory of 2760	1308	powershell.exe	31
PID 1308 wrote to memory of 2760	1308	powershell.exe	31
PID 1308 wrote to memory of 2776	1308	powershell.exe	32
PID 1308 wrote to memory of 2776	1308	powershell.exe	32
PID 1308 wrote to memory of 2776	1308	powershell.exe	32
PID 1308 wrote to memory of 2776	1308	powershell.exe	32
PID 1308 wrote to memory of 2788	1308	powershell.exe	33
PID 1308 wrote to memory of 2788	1308	powershell.exe	33
PID 1308 wrote to memory of 2788	1308	powershell.exe	33
PID 1308 wrote to memory of 2788	1308	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\edb14699d2e6bd02ef56e3fbd740f278.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2788

memory/1308-4-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/1308-5-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/1308-6-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-7-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1308-8-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-9-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1308-10-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1308-11-0x000000001B290000-0x000000001B2A2000-memory.dmp

Filesize
72KB

Download
memory/1308-12-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download