382792848f3f8a490036822be4f4fdc0731a60163999a77243eb9332d53f7b00

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 15:42

Target

7aa1d4597d658099f9c75c5ee7208f78.ps1
Size

485KB
MD5

7aa1d4597d658099f9c75c5ee7208f78
SHA1

7463e2abb7d99c9b525dc58e820fbf26d85079b7
SHA256

382792848f3f8a490036822be4f4fdc0731a60163999a77243eb9332d53f7b00
SHA512

a445547daf2344e437f345bf1675ba6cb54634e4a7ed4846cc160c6b0e77404c5b31e76748018954340c1f2fe8b9af810bddacc81112880c3c17e20187b19b59
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw644igu:q3tu

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2344	1228	powershell.exe	29
PID 1228 wrote to memory of 2344	1228	powershell.exe	29
PID 1228 wrote to memory of 2344	1228	powershell.exe	29
PID 1228 wrote to memory of 2344	1228	powershell.exe	29
PID 1228 wrote to memory of 2324	1228	powershell.exe	30
PID 1228 wrote to memory of 2324	1228	powershell.exe	30
PID 1228 wrote to memory of 2324	1228	powershell.exe	30
PID 1228 wrote to memory of 2324	1228	powershell.exe	30
PID 1228 wrote to memory of 2284	1228	powershell.exe	31
PID 1228 wrote to memory of 2284	1228	powershell.exe	31
PID 1228 wrote to memory of 2284	1228	powershell.exe	31
PID 1228 wrote to memory of 2284	1228	powershell.exe	31
PID 1228 wrote to memory of 2764	1228	powershell.exe	32
PID 1228 wrote to memory of 2764	1228	powershell.exe	32
PID 1228 wrote to memory of 2764	1228	powershell.exe	32
PID 1228 wrote to memory of 2764	1228	powershell.exe	32
PID 1228 wrote to memory of 2288	1228	powershell.exe	33
PID 1228 wrote to memory of 2288	1228	powershell.exe	33
PID 1228 wrote to memory of 2288	1228	powershell.exe	33
PID 1228 wrote to memory of 2288	1228	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7aa1d4597d658099f9c75c5ee7208f78.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2288

memory/1228-4-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1228-5-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1228-6-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1228-7-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1228-8-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1228-9-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1228-10-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1228-11-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1228-12-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download