43d84ae71fa0d0895af8b2d5a45841fc73c38c079b1dcf787ef7427e0795e937

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 10:36

Target

abcd.ps1
Size

166B
MD5

a642cd52d29b5b054520bd4fef292062
SHA1

564380bbf0fb66cf03969d3438a3cd5cd613b9d4
SHA256

43d84ae71fa0d0895af8b2d5a45841fc73c38c079b1dcf787ef7427e0795e937
SHA512

d80d7bb51c80a663d1da7d893e364028f5cc75d54ca6c75e043eed58ce784927750866318eed377881c902901b3b8be3708ac6e1ffd272cdf2d1b8ef3027b2d0

Score

8^/10

execution

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2856 powershell.exe
2864 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2856 powershell.exe
2864 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2856 powershell.exe
Token: SeDebugPrivilege 2864 powershell.exe

pid	process
2856	powershell.exe
2864	powershell.exe

pid	process
2856	powershell.exe
2864	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2856 wrote to memory of 2864	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 2864	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 2864	2856	powershell.exe	powershell.exe

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b813afe1c56d53fe4438f08cf0d9873

SHA1
92c8635d7c1456f4db21b62ad38d67e50e8329d8

SHA256
dfafa16927ab173aaf1eff599cc1e91f8833c9218d004d488442e5210542835e

SHA512
f0b81e2f29f89febb91d295c106c6cfec4916d4062aec84880702ee550099649f657bdba51d241664408033d1f40cf952e008aec3e867389d9ba6d3c901392f6

Download Submit
memory/2856-4-0x000007FEF651E000-0x000007FEF651F000-memory.dmp

Filesize
4KB

Download
memory/2856-5-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/2856-8-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-7-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-6-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2856-9-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-10-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-11-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-19-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-17-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-18-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download