1fafe44a7b9f6885458eb4c07a5eb607e55defd89ce8540422e7b8da3f1f58c4

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 20:35

Target

034e0a3d97747d22038e1863c0f2d4b8.ps1
Size

485KB
MD5

034e0a3d97747d22038e1863c0f2d4b8
SHA1

aa7dc1943e46dc5b62d9fdb050e1463f109cdc84
SHA256

1fafe44a7b9f6885458eb4c07a5eb607e55defd89ce8540422e7b8da3f1f58c4
SHA512

1099751fc9c3d268ee726e72a0d3a8efebd8d068a8c85427cfdeca22bf4aeaa686d4a8c27911c455ca347dddb8b45942463124f1f73c1bc880f55e9d4d5a8657
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64+igu:q3Xu

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2588	2184	powershell.exe	29
PID 2184 wrote to memory of 2588	2184	powershell.exe	29
PID 2184 wrote to memory of 2588	2184	powershell.exe	29
PID 2184 wrote to memory of 2588	2184	powershell.exe	29
PID 2184 wrote to memory of 2180	2184	powershell.exe	30
PID 2184 wrote to memory of 2180	2184	powershell.exe	30
PID 2184 wrote to memory of 2180	2184	powershell.exe	30
PID 2184 wrote to memory of 2180	2184	powershell.exe	30
PID 2184 wrote to memory of 2952	2184	powershell.exe	31
PID 2184 wrote to memory of 2952	2184	powershell.exe	31
PID 2184 wrote to memory of 2952	2184	powershell.exe	31
PID 2184 wrote to memory of 2952	2184	powershell.exe	31
PID 2184 wrote to memory of 2788	2184	powershell.exe	32
PID 2184 wrote to memory of 2788	2184	powershell.exe	32
PID 2184 wrote to memory of 2788	2184	powershell.exe	32
PID 2184 wrote to memory of 2788	2184	powershell.exe	32
PID 2184 wrote to memory of 2820	2184	powershell.exe	33
PID 2184 wrote to memory of 2820	2184	powershell.exe	33
PID 2184 wrote to memory of 2820	2184	powershell.exe	33
PID 2184 wrote to memory of 2820	2184	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\034e0a3d97747d22038e1863c0f2d4b8.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2820

memory/2184-4-0x000000001B040000-0x000000001B322000-memory.dmp

Filesize
2.9MB

Download
memory/2184-6-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2184-7-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2184-5-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/2184-8-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download
memory/2184-9-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2184-10-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2184-11-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2184-12-0x000000001B600000-0x000000001B612000-memory.dmp

Filesize
72KB

Download
memory/2184-13-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Filesize
9.6MB

Download