63cf348c2e3dc95324a96b8c07162556b539ff8d6dceef1d1b6f0379c42fface

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 17:11

Target

fc2f33217e1a3595b6e287abf6f14262.ps1
Size

485KB
MD5

fc2f33217e1a3595b6e287abf6f14262
SHA1

607f7c499d49dce1d70f84cf7e45368065baf29f
SHA256

63cf348c2e3dc95324a96b8c07162556b539ff8d6dceef1d1b6f0379c42fface
SHA512

4ac861d100e47d5a9d11ce6fa6065ec08f4d115be7d02b0f0a230fe85661b1a845ca545b19576d4fad9756bbe26282e7518f71c1a78fe77f5a5efe3769c592d8
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64migu:q3bu

Score

1^/10

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2620	2228	powershell.exe	29
PID 2228 wrote to memory of 2620	2228	powershell.exe	29
PID 2228 wrote to memory of 2620	2228	powershell.exe	29
PID 2228 wrote to memory of 2620	2228	powershell.exe	29
PID 2228 wrote to memory of 2624	2228	powershell.exe	30
PID 2228 wrote to memory of 2624	2228	powershell.exe	30
PID 2228 wrote to memory of 2624	2228	powershell.exe	30
PID 2228 wrote to memory of 2624	2228	powershell.exe	30
PID 2228 wrote to memory of 2940	2228	powershell.exe	31
PID 2228 wrote to memory of 2940	2228	powershell.exe	31
PID 2228 wrote to memory of 2940	2228	powershell.exe	31
PID 2228 wrote to memory of 2940	2228	powershell.exe	31
PID 2228 wrote to memory of 2764	2228	powershell.exe	32
PID 2228 wrote to memory of 2764	2228	powershell.exe	32
PID 2228 wrote to memory of 2764	2228	powershell.exe	32
PID 2228 wrote to memory of 2764	2228	powershell.exe	32
PID 2228 wrote to memory of 2768	2228	powershell.exe	33
PID 2228 wrote to memory of 2768	2228	powershell.exe	33
PID 2228 wrote to memory of 2768	2228	powershell.exe	33
PID 2228 wrote to memory of 2768	2228	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fc2f33217e1a3595b6e287abf6f14262.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2768

memory/2228-4-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-5-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2228-7-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2228-8-0x00000000021C0000-0x0000000002240000-memory.dmp

Filesize
512KB

Download
memory/2228-9-0x00000000021C0000-0x0000000002240000-memory.dmp

Filesize
512KB

Download
memory/2228-6-0x00000000021C0000-0x0000000002240000-memory.dmp

Filesize
512KB

Download
memory/2228-10-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-11-0x00000000021C0000-0x0000000002240000-memory.dmp

Filesize
512KB

Download
memory/2228-12-0x00000000029C0000-0x00000000029D2000-memory.dmp

Filesize
72KB

Download
memory/2228-13-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download