Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2025, 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: script.ps1
  Resource: win7-20240903-en
  4 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: script.ps1
  Resource: win10v2004-20250314-en
  11 signatures
  150 seconds
General
Target: script.ps1
Size: 3KB
MD5: cb85017cf90bd06129da09acf240719c
SHA1: 0037c13c7d2043a215a3efe4522b6aad1109fffc
SHA256: c0aac89c0d9d92a680006d6c59bcf2b76807ec85e687c98c9b9618bd5d5ae4ad
SHA512: 304b26c649d9da37c00852b6511b3483ca5ed97a37d4ea1f77987da425f7a9e1ea84642cb7c6108e50d96d38994a58e5d982f4cb7b200eb6aa5f435dd2bc13e0
Score: 8/10
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
  flow  pid   Process
  pid   Process
  2908  powershell.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2908  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2908  powershell.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2908