8376b121ce71d7ffc73995ff4de043d94bd4c92de316ef19f57f10ec7ab2cd5f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 14:38

Target

8723c90f2b4b98928e0f19d75d8a5c00.exe
Size

7KB
MD5

8723c90f2b4b98928e0f19d75d8a5c00
SHA1

6005c897e6262d58c9c30566452913eaa7ed4ef1
SHA256

8376b121ce71d7ffc73995ff4de043d94bd4c92de316ef19f57f10ec7ab2cd5f
SHA512

c377b5e224eabf1f565f9e75ca1b26a04d5587b6426e648b8220e50011a6947bbacc3b03317130c31a7f028bf38267b946aac11cc306f6413c0b09cbec686983
SSDEEP

96:fo2G2uxLh2S2FsGdci4J581WMt1XJPCxZzNt:w2aOshiH1Sb

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

https://community.chocolatey.org/install.ps1

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2096	powershell.exe
6	2096	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2096	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2096	1820	8723c90f2b4b98928e0f19d75d8a5c00.exe	29
PID 1820 wrote to memory of 2096	1820	8723c90f2b4b98928e0f19d75d8a5c00.exe	29
PID 1820 wrote to memory of 2096	1820	8723c90f2b4b98928e0f19d75d8a5c00.exe	29

C:\Users\Admin\AppData\Local\Temp\8723c90f2b4b98928e0f19d75d8a5c00.exe
"C:\Users\Admin\AppData\Local\Temp\8723c90f2b4b98928e0f19d75d8a5c00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -executionpolicy bypass -WindowStyle hidden -file "PostExp.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

C:\Users\Admin\AppData\Local\Temp\Make-EXE0\PostExp.ps1

Filesize
387B

MD5
d4873e955df580b2b3d5cfe1a8868325

SHA1
31837246986571f111705e73798f41f335a5141d

SHA256
f5d8e1c7ffbfd9eac973731488aad4286d0e1aa778bb32166a45743e501e2d69

SHA512
a9cf0e08cf30c913e0097fa1f299f5bbfbf0aab0c0392f866905987576700345a8ae20759e523904513d1701f541ba6d4a2ce85cb6e5394ae3589b3ceacbbc46

Download Submit
memory/1820-0-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/1820-7-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-18-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2096-15-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2096-16-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-13-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2096-17-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2096-12-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2096-14-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-20-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2096-21-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download
memory/2096-22-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download