revengerat | 061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc

General

Target

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Size

170KB
MD5

6bdd0461ce6cf27ac8ee5615e0da1c70
SHA1

517560e5361084641380f349e005d6e3ce5c3a26
SHA256

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc
SHA512

bacb364508f71dcbffca34c9481b528e9394fb1d939bc81a810dcacff87d6e9ff8eca8c683dfbc23ee2f76795bb3fda4d5e8089ab3e2d8304f123570fd1f0c84

Score

10^/10

revengerat nyancatrevenge evasion persistence trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe\""	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Drops startup file 2 IoCs

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe = "0"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe = "0"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe"	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

pid	process
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	pid	process	target process
PID 3148 set thread context of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1732 3148 WerFault.exe 061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

pid	pid_target	process	target process
1732	3148	WerFault.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

pid	process
4432	powershell.exe
428	powershell.exe
4700	powershell.exe
1016	powershell.exe
4700	powershell.exe
1016	powershell.exe
428	powershell.exe
4432	powershell.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

description	pid	process	target process
PID 3148 wrote to memory of 4432	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 4432	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 4432	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 4700	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 4700	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 4700	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 428	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 428	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 428	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 1016	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 1016	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 1016	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	powershell.exe
PID 3148 wrote to memory of 2604	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2604	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2604	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
PID 3148 wrote to memory of 2368	3148	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe	061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
"C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
  "C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe
  "C:\Users\Admin\AppData\Local\Temp\061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe"
  2⤵
  - Checks processor information in registry
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 2276
  2⤵
  - Program crash
  PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3148 -ip 3148
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d311b446df07979ab09e5ebea8add0f9

SHA1
d3975dc1ff51fddbf3449d0ce083b09c87e4ece8

SHA256
25baff6f6fb6c62103456d0a4b6fc2e0ee6e2824dc07aae6c1103ae3db3b1065

SHA512
ccf0d004be19396c4c311c4b25a53433ea72772d93132b16fbcd8b24f16d02818b53c6718d94bafc82746febc845904b3fb75d4d78b8b9868d2ca358fb3065d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9bede0fc3609477169fcd5ca20430a9d

SHA1
fcb2aaa5e991ae768ccbd070397d0dca445f8338

SHA256
95b676e20dd7e7d1cc88ac2620a15969778a5d8049c0ffdd6a7fb329c36425dc

SHA512
9d3d867140d34f936d2f563eff2977496630ae87dd4e8cf2b590c7c9e0a6259f88cba30482e603c6e451f1b7142d3992ef969deedf3ea25bba09718c94521783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4a5876ffe0663f1f6dfef816f215a924

SHA1
8d5c7b52e3e0c1c628bb6a5ff44bbaae907e7187

SHA256
2fc54b9ea793331a5158ae4ca1841a1f0ffd691cd5e40e37a374eac0b2a6fdeb

SHA512
ed0a75ed613c08bb5fd7b0e1c911fe31ded4bf5d6b8a7c2c4a47c629473dac302a7183a48ca6aeb87d0274cfdf22ddb444312b8ca06df8eaba0306403f3bfa83

Download Submit
memory/428-158-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/428-135-0x0000000000000000-mapping.dmp

Download
memory/428-147-0x0000000002975000-0x0000000002977000-memory.dmp

Filesize
8KB

Download
memory/428-155-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/428-151-0x000000006F650000-0x000000006F69C000-memory.dmp

Filesize
304KB

Download
memory/1016-159-0x0000000006F90000-0x0000000007026000-memory.dmp

Filesize
600KB

Download
memory/1016-157-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/1016-137-0x0000000000000000-mapping.dmp

Download
memory/1016-154-0x000000006F650000-0x000000006F69C000-memory.dmp

Filesize
304KB

Download
memory/1016-149-0x0000000002195000-0x0000000002197000-memory.dmp

Filesize
8KB

Download
memory/1016-150-0x0000000005FE0000-0x0000000006012000-memory.dmp

Filesize
200KB

Download
memory/2368-144-0x0000000000000000-mapping.dmp

Download
memory/2368-145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2604-143-0x0000000000000000-mapping.dmp

Download
memory/3148-131-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/3148-130-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/3148-132-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/4432-156-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/4432-161-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/4432-133-0x0000000000000000-mapping.dmp

Download
memory/4432-148-0x00000000027F5000-0x00000000027F7000-memory.dmp

Filesize
8KB

Download
memory/4432-136-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/4432-142-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/4432-162-0x00000000076C0000-0x00000000076C8000-memory.dmp

Filesize
32KB

Download
memory/4432-139-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/4432-153-0x000000006F650000-0x000000006F69C000-memory.dmp

Filesize
304KB

Download
memory/4432-160-0x00000000075D0000-0x00000000075DE000-memory.dmp

Filesize
56KB

Download
memory/4700-140-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/4700-141-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/4700-138-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/4700-146-0x0000000004B45000-0x0000000004B47000-memory.dmp

Filesize
8KB

Download
memory/4700-134-0x0000000000000000-mapping.dmp

Download
memory/4700-152-0x000000006F650000-0x000000006F69C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads