b29df81720ce329eaa0f4304025431f95e2160b2d2c88c86ac37a33d030d54f4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:08

Target

23f2e867ddbbe2e6c9e7959bae0df84e.ps1
Size

485KB
MD5

23f2e867ddbbe2e6c9e7959bae0df84e
SHA1

7a9568574654f6207804900ca0bb75c5413c363b
SHA256

b29df81720ce329eaa0f4304025431f95e2160b2d2c88c86ac37a33d030d54f4
SHA512

3eae942ac2b0e40179422058bd47813a1f9b8406dc961978b31c501d25aac743a6e7a4bb5068bb32293497c0ea37ec46aafeb856af1aa59505ad029b840b83bf
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64oigu:q31u

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2816	1368	powershell.exe	29
PID 1368 wrote to memory of 2816	1368	powershell.exe	29
PID 1368 wrote to memory of 2816	1368	powershell.exe	29
PID 1368 wrote to memory of 2816	1368	powershell.exe	29
PID 1368 wrote to memory of 2844	1368	powershell.exe	33
PID 1368 wrote to memory of 2844	1368	powershell.exe	33
PID 1368 wrote to memory of 2844	1368	powershell.exe	33
PID 1368 wrote to memory of 2844	1368	powershell.exe	33
PID 1368 wrote to memory of 2852	1368	powershell.exe	30
PID 1368 wrote to memory of 2852	1368	powershell.exe	30
PID 1368 wrote to memory of 2852	1368	powershell.exe	30
PID 1368 wrote to memory of 2852	1368	powershell.exe	30
PID 1368 wrote to memory of 2992	1368	powershell.exe	32
PID 1368 wrote to memory of 2992	1368	powershell.exe	32
PID 1368 wrote to memory of 2992	1368	powershell.exe	32
PID 1368 wrote to memory of 2992	1368	powershell.exe	32
PID 1368 wrote to memory of 2732	1368	powershell.exe	31
PID 1368 wrote to memory of 2732	1368	powershell.exe	31
PID 1368 wrote to memory of 2732	1368	powershell.exe	31
PID 1368 wrote to memory of 2732	1368	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\23f2e867ddbbe2e6c9e7959bae0df84e.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2844

memory/1368-4-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/1368-5-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/1368-7-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1368-6-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1368-9-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1368-10-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1368-8-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1368-11-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/1368-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download