acadc18004851aa36a37701a59b485f013880cf371a7d9083444b480cf21c3ad

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 20:38

Target

9019caf9c14645b88f4c246b16bda29a.ps1
Size

485KB
MD5

9019caf9c14645b88f4c246b16bda29a
SHA1

8e85880050a174b2b7c7dcaa61cc4c535d293d23
SHA256

acadc18004851aa36a37701a59b485f013880cf371a7d9083444b480cf21c3ad
SHA512

d178a0c45ce3e3c11e389668a7e97b4e199b35d99d1560c2ff0e30769f3161d47290edde2a2675599453bde660d493fbf393893602eeb02b8db70167d3231040
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64eigu:q3Xu

Score

1^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2732	1760	powershell.exe	29
PID 1760 wrote to memory of 2732	1760	powershell.exe	29
PID 1760 wrote to memory of 2732	1760	powershell.exe	29
PID 1760 wrote to memory of 2732	1760	powershell.exe	29
PID 1760 wrote to memory of 2168	1760	powershell.exe	33
PID 1760 wrote to memory of 2168	1760	powershell.exe	33
PID 1760 wrote to memory of 2168	1760	powershell.exe	33
PID 1760 wrote to memory of 2168	1760	powershell.exe	33
PID 1760 wrote to memory of 2124	1760	powershell.exe	32
PID 1760 wrote to memory of 2124	1760	powershell.exe	32
PID 1760 wrote to memory of 2124	1760	powershell.exe	32
PID 1760 wrote to memory of 2124	1760	powershell.exe	32
PID 1760 wrote to memory of 2572	1760	powershell.exe	31
PID 1760 wrote to memory of 2572	1760	powershell.exe	31
PID 1760 wrote to memory of 2572	1760	powershell.exe	31
PID 1760 wrote to memory of 2572	1760	powershell.exe	31
PID 1760 wrote to memory of 2604	1760	powershell.exe	30
PID 1760 wrote to memory of 2604	1760	powershell.exe	30
PID 1760 wrote to memory of 2604	1760	powershell.exe	30
PID 1760 wrote to memory of 2604	1760	powershell.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9019caf9c14645b88f4c246b16bda29a.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:2168

memory/1760-4-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1760-6-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/1760-5-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1760-7-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1760-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/1760-9-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1760-11-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1760-10-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1760-12-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/1760-13-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download