Malware Analysis and Triage Report : AveMaria RAT
From Opera to C2, real quick!
1. Executive Summary
A. Fingerprinting
- MD5: 425cf022932c7ace6542f18af4fbac2a
- SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
- VirusTotal Report: https://www.virustotal.com/gui/file/b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d/detection/f-b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d-1668189288
B. Classification
AveMaria RAT is a Remote Access Trojan that allows the attacker to connect to and control the victim's machine through the use of a fake process and a reverse connection to its C&C server.
C. Behavioral Summary
AveMaria RAT uses a common technique to hide the malicious executable: a fake Word icon. Once launched, the executable starts a series of cmd.exe processes and creates two distinct DLL files, nsExec.dll and System.dll, saved in the temp folder C:\Users\<user>\AppData\Local\Temp\nsb436C.tmp (the last folder has a pseudo-random name that changes every time the malware is launched). Then the process C:\Program Files (x86)\internet explorer\ieinstal.exe is launched and probably injected with shellcode using the Heaven's Gate technique; this process starts a connection to the C&C su1d[.]nerdpol[.]ovh (IP 4.236.162.205) on port 2222. Finally, persistence is obtained by copying the original malware into the local folder C:\Users\<user>\AppData\Local\Temp\Fadllers under the name Demiparadise.exe. More details are in the Static and Dynamic Analysis sections.
2. Static Analysis
Imports
| Function Name | Suspicious |
|---|---|
| SetCurrentDirectoryW | Yes |
| SearchPathW | Yes |
| OpenProcessToken | Yes |
| LookupPrivilegeValueW | Yes |
| AdjustTokenPrivileges | Yes |
| WritePrivateProfileStringW | Yes |
| RegDeleteKeyW | Yes |
| RegDeleteValueW | Yes |
| RegCreateKeyExW | Yes |
| RegSetValueExW | Yes |
| RegEnumKeyW | Yes |
| MoveFileW | Yes |
| SetFileAttributesW | Yes |
| RemoveDirectoryW | Yes |
| GetTempFileNameW | Yes |
| WriteFile | Yes |
| MoveFileExW | Yes |
| FindFirstFileW | Yes |
| FindNextFileW | Yes |
| DeleteFileW | Yes |
| SHGetSpecialFolderLocation | Yes |
| SHGetPathFromIDListW | Yes |
| SHBrowseForFolderW | Yes |
| SHGetFileInfoW | Yes |
| SHFileOperationW | Yes |
| SetFileSecurityW | Yes |
| SetEnvironmentVariableW | Yes |
| CreateProcessW | Yes |
| GetExitCodeProcess | Yes |
| ShellExecuteW | Yes |
| CloseClipboard | Yes |
| SetClipboardData | Yes |
| EmptyClipboard | Yes |
| OpenClipboard | Yes |
| ExitWindowsEx | Yes |
| SystemParametersInfoW | Yes |
| IsWindowEnabled | |
| SetWindowPos | |
| GetWindowLongW | |
| GetMessagePos | |
| CallWindowProcW | |
| IsWindowVisible | |
| DispatchMessageW | |
| PeekMessageW | |
| EnableWindow | |
| SendMessageW | |
| DefWindowProcW | |
| RegisterClassW | |
| CreateWindowExW | |
| DestroyWindow | |
| ShowWindow | |
| IsWindow | |
| SetWindowLongW | |
| FindWindowExW | |
| SendMessageTimeoutW | |
| SetForegroundWindow | |
| WaitForSingleObject | |
| GetDiskFreeSpaceW | |
| LoadCursorW | |
| GetPrivateProfileStringW | |
| RegOpenKeyExW | |
| RegEnumValueW | |
| RegCloseKey | |
| RegQueryValueExW | |
| GetTickCount | |
| GetWindowsDirectoryW | |
| GetSystemDirectoryW | |
| ExpandEnvironmentStringsW | |
| GetSystemMetrics | |
| GlobalLock | |
| GlobalFree | |
| GlobalAlloc | |
| GlobalUnlock | |
| CoTaskMemFree | |
| GetFileAttributesW | |
| GetFullPathNameW | |
| GetFileSize | |
| GetTempPathW | |
| CopyFileW | |
| CompareFileTime | |
| CreateDirectoryW | |
| CreateFileW | |
| GetShortPathNameW | |
| SetFileTime | |
| SetFilePointer | |
| ReadFile | |
| FindClose | |
| Sleep | |
| GetCurrentProcess | |
| ExitProcess | |
| GetCommandLineW | |
| CreateThread | |
| PostQuitMessage | |
| GetModuleFileNameW | |
| GetProcAddress | |
| GetModuleHandleA | |
| FreeLibrary | |
| LoadLibraryExW | |
| GetModuleHandleW | |
| GetLastError | |
| GetVersion | |
| SetErrorMode | |
| lstrlenW | |
| lstrcmpiA | |
| lstrcpyA | |
| lstrcpyW | |
| lstrcatW | |
| lstrcmpiW | |
| CloseHandle | |
| lstrcmpW | |
| lstrcpynW | |
| MulDiv | |
| MultiByteToWideChar | |
| lstrlenA | |
| WideCharToMultiByte | |
| GetSystemMenu | |
| SetClassLongW | |
| EnableMenuItem | |
| GetSysColor | |
| SetCursor | |
| CheckDlgButton | |
| LoadBitmapW | |
| wsprintfW | |
| ScreenToClient | |
| GetWindowRect | |
| SetDlgItemTextW | |
| GetDlgItemTextW | |
| MessageBoxIndirectW | |
| CharPrevW | |
| CharNextA | |
| wsprintfA | |
| GetDC | |
| ReleaseDC | |
| InvalidateRect | |
| BeginPaint | |
| GetClientRect | |
| FillRect | |
| EndDialog | |
| GetClassInfoW | |
| DialogBoxParamW | |
| CharNextW | |
| LoadImageW | |
| SetTimer | |
| SetWindowTextW | |
| GetDlgItem | |
| TrackPopupMenu | |
| AppendMenuW | |
| CreatePopupMenu | |
| DrawTextW | |
| EndPaint | |
| CreateDialogParamW | |
| SelectObject | |
| SetBkMode | |
| CreateFontIndirectW | |
| SetTextColor | |
| DeleteObject | |
| GetDeviceCaps | |
| CreateBrushIndirect | |
| SetBkColor | |
| ImageList_AddMasked | |
| 17 (DPA_DeleteAllPtrs) | |
| ImageList_Destroy | |
| ImageList_Create | |
| OleUninitialize | |
| OleInitialize | |
| CoCreateInstance | |
Strings
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.01</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInstZ
CLI (Version 3.1.46.914)
ZTC_T]"#++RctpetWx}tP9|1c%1=1x1!i)!!!!!!!=1x1!=1a1!=1x1%=1x1!i)!=1x1!8x?c$(
ZTC_T]"#++Gxcedp}P}}~r9x1!=x1!i !!!!!=1x1!i"!!!=1x1!i%!8a?c (
ZTC_T]"#++BteWx}tA~x
etc9x1c$=1x1 &$!1=1x1!=x1!8x?c"(
ZTC_T]"#++CtpuWx}t9x1c$=1x1c =1x1!i !!!!!=;x1!=1x1!8x?c"(
dbtc"#++Rp}}Fx
u~fAc~rP9x1c 1=x1!=x1!=1x1!=1x1!8(
Niedersachsen1
Braunschweig1
Radires1%0#
Syzetts@Bifaldenes.Ove1-0+
$Bullede Fiberkufferten Differensens 0
220928204625Z
250927204625Z0
Niedersachsen1
Braunschweig1
Radires1%0#
Syzetts@Bifaldenes.Ove1-0+
$Bullede Fiberkufferten Differensens 0
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
SeShutdownPrivilege
.tmp
~nsu
_?=
TEMP
\Temp
/D=
NCRC
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
@_Nb
.exe
open
%u.%u%s%s
\*.*
*?|<>/":
%s%S.dll
MS Shell Dlg
MS Shell Dlg
3. Dynamic Analysis
- Drive-by download using OneDrive
hxxps://onedrive[.]live[.]com/download?cid=5B98AB7755412578&resid=5B98AB7755412578%21133&authkey=ABR6EpLf8KEegO4
hxxps://fwnola[.]ch[.]files[.]1drv.com/y4mbQIvo9IGdCZsMfeI1BKgDAfT-HCtJzMD7x7ZuYBp8wDTE5j3SeQyLVMSV1Tb1Q5HRjJkjcMSVBAciV1HOJr28GUJbFFQkcBVr2xFOWZLKRXI4Sxzzm1FL-8mD3SdCHjf-S4GQxJsVFuWmsC37zBdMMn3Mfq8HvNTZDnG8g4KsO9isextGcJUf12F5qc3xPqE2tBTDD8WY44YMazBuL8oQQ/IsDmQaCLn176.pcz?download&psid=1
- C2 IP and port connection
su1d.nerdpol.ovh -> 20.171.84.250
- Additional child processes
PID: 7852, Command line: cmd.exe /c set /a "90^17"
PID: 8256, Command line: cmd.exe /c set /a "84^17"
PID: 8784, Command line: cmd.exe /c set /a "67^17"
PID: 9048, Command line: cmd.exe /c set /a "95^17"
PID: 2404, Command line: cmd.exe /c set /a "84^17"
PID: 5820, Command line: cmd.exe /c set /a "93^17"
PID: 5940, Command line: cmd.exe /c set /a "34^17"
PID: 3552, Command line: cmd.exe /c set /a "35^17"
PID: 3964, Command line: cmd.exe /c set /a "43^17"
PID: 4988, Command line: cmd.exe /c set /a "43^17"
PID: 5516, Command line: cmd.exe /c set /a "82^17"
PID: 7184, Command line: cmd.exe /c set /a "99^17"
PID: 7300, Command line: cmd.exe /c set /a "116^17"
PID: 8600, Command line: cmd.exe /c set /a "112^17"
PID: 6040, Command line: cmd.exe /c set /a "101^17"
PID: 4956, Command line: cmd.exe /c set /a "116^17"
PID: 1268, Command line: cmd.exe /c set /a "87^17"
PID: 6808, Command line: cmd.exe /c set /a "120^17"
PID: 6472, Command line: cmd.exe /c set /a "125^17"
PID: 2036, Command line: cmd.exe /c set /a "116^17"
PID: 540, Command line: cmd.exe /c set /a "80^17"
PID: 964, Command line: cmd.exe /c set /a "57^17"
PID: 4640, Command line: cmd.exe /c set /a "124^17"
PID: 2728, Command line: cmd.exe /c set /a "49^17"
PID: 4140, Command line: cmd.exe /c set /a "99^17"
PID: 3540, Command line: cmd.exe /c set /a "37^17"
PID: 536, Command line: cmd.exe /c set /a "49^17"
PID: 7092, Command line: cmd.exe /c set /a "61^17"
PID: 8232, Command line: cmd.exe /c set /a "49^17"
PID: 3060, Command line: cmd.exe /c set /a "120^17"
PID: 2948, Command line: cmd.exe /c set /a "49^17"
PID: 8576, Command line: cmd.exe /c set /a "33^17"
PID: 4908, Command line: cmd.exe /c set /a "105^17"
PID: 444, Command line: cmd.exe /c set /a "41^17"
PID: 8480, Command line: cmd.exe /c set /a "33^17"
PID: 7980, Command line: cmd.exe /c set /a "33^17"
PID: 2556, Command line: cmd.exe /c set /a "33^17"
PID: 6356, Command line: cmd.exe /c set /a "33^17"
PID: 8476, Command line: cmd.exe /c set /a "33^17"
PID: 9052, Command line: cmd.exe /c set /a "33^17"
PID: 5980, Command line: cmd.exe /c set /a "33^17"
PID: 4392, Command line: cmd.exe /c set /a "61^17"
PID: 7248, Command line: cmd.exe /c set /a "49^17"
PID: 7852, Command line: cmd.exe /c set /a "120^17"
PID: 2184, Command line: cmd.exe /c set /a "49^17"
PID: 7020, Command line: cmd.exe /c set /a "33^17"
PID: 4076, Command line: cmd.exe /c set /a "61^17"
PID: 9108, Command line: cmd.exe /c set /a "49^17"
PID: 7876, Command line: cmd.exe /c set /a "97^17"
PID: 3356, Command line: cmd.exe /c set /a "49^17"
PID: 6972, Command line: cmd.exe /c set /a "33^17"
PID: 4648, Command line: cmd.exe /c set /a "61^17"
PID: 6476, Command line: cmd.exe /c set /a "49^17"
PID: 9128, Command line: cmd.exe /c set /a "120^17"
PID: 8640, Command line: cmd.exe /c set /a "49^17"
PID: 8320, Command line: cmd.exe /c set /a "37^17"
PID: 8132, Command line: cmd.exe /c set /a "61^17"
PID: 1596, Command line: cmd.exe /c set /a "49^17"
PID: 2868, Command line: cmd.exe /c set /a "120^17"
PID: 3932, Command line: cmd.exe /c set /a "49^17"
PID: 6436, Command line: cmd.exe /c set /a "33^17"
PID: 6052, Command line: cmd.exe /c set /a "105^17"
PID: 4768, Command line: cmd.exe /c set /a "41^17"
PID: 6424, Command line: cmd.exe /c set /a "33^17"
PID: 3900, Command line: cmd.exe /c set /a "61^17"
PID: 3188, Command line: cmd.exe /c set /a "49^17"
PID: 884, Command line: cmd.exe /c set /a "120^17"
PID: 7124, Command line: cmd.exe /c set /a "49^17"
PID: 704, Command line: cmd.exe /c set /a "33^17"
PID: 1884, Command line: cmd.exe /c set /a "56^17"
PID: 4412, Command line: cmd.exe /c set /a "120^17"
PID: 436, Command line: cmd.exe /c set /a "63^17"
PID: 6536, Command line: cmd.exe /c set /a "99^17"
PID: 6852, Command line: cmd.exe /c set /a "36^17"
PID: 5008, Command line: cmd.exe /c set /a "40^17"
PID: 1960, Command line: cmd.exe /c set /a "90^17"
PID: 5024, Command line: cmd.exe /c set /a "84^17"
PID: 7148, Command line: cmd.exe /c set /a "67^17"
PID: 500, Command line: cmd.exe /c set /a "95^17"
PID: 6760, Command line: cmd.exe /c set /a "84^17"
PID: 7108, Command line: cmd.exe /c set /a "93^17"
PID: 4552, Command line: cmd.exe /c set /a "34^17"
PID: 7128, Command line: cmd.exe /c set /a "35^17"
PID: 5304, Command line: cmd.exe /c set /a "43^17"
PID: 2832, Command line: cmd.exe /c set /a "43^17"
PID: 6276, Command line: cmd.exe /c set /a "71^17"
PID: 8628, Command line: cmd.exe /c set /a "120^17"
PID: 3200, Command line: cmd.exe /c set /a "99^17"
PID: 2180, Command line: cmd.exe /c set /a "101^17"
PID: 8872, Command line: cmd.exe /c set /a "100^17"
PID: 4656, Command line: cmd.exe /c set /a "112^17"
PID: 8884, Command line: cmd.exe /c set /a "125^17"
PID: 8908, Command line: cmd.exe /c set /a "80^17"
PID: 6812, Command line: cmd.exe /c set /a "125^17"
PID: 8656, Command line: cmd.exe /c set /a "125^17"
PID: 7404, Command line: cmd.exe /c set /a "126^17"
PID: 4644, Command line: cmd.exe /c set /a "114^17"
PID: 5688, Command line: cmd.exe /c set /a "57^17"
PID: 3456, Command line: cmd.exe /c set /a "120^17"
PID: 6540, Command line: cmd.exe /c set /a "49^17"
PID: 8692, Command line: cmd.exe /c set /a "33^17"
PID: 8496, Command line: cmd.exe /c set /a "61^17"
PID: 6300, Command line: cmd.exe /c set /a "120^17"
PID: 9084, Command line: cmd.exe /c set /a "49^17"
PID: 4144, Command line: cmd.exe /c set /a "33^17"
PID: 8792, Command line: cmd.exe /c set /a "105^17"
PID: 2092, Command line: cmd.exe /c set /a "32^17"
PID: 7236, Command line: cmd.exe /c set /a "33^17"
PID: 8992, Command line: cmd.exe /c set /a "33^17"
PID: 6456, Command line: cmd.exe /c set /a "33^17"
PID: 4872, Command line: cmd.exe /c set /a "33^17"
PID: 8368, Command line: cmd.exe /c set /a "33^17"
PID: 5328, Command line: cmd.exe /c set /a "61^17"
PID: 3584, Command line: cmd.exe /c set /a "49^17"
PID: 8812, Command line: cmd.exe /c set /a "120^17"
PID: 8400, Command line: cmd.exe /c set /a "49^17"
PID: 8624, Command line: cmd.exe /c set /a "33^17"
PID: 8888, Command line: cmd.exe /c set /a "105^17"
PID: 9196, Command line: cmd.exe /c set /a "34^17"
PID: 3528, Command line: cmd.exe /c set /a "33^17"
PID: 4896, Command line: cmd.exe /c set /a "33^17"
PID: 3444, Command line: cmd.exe /c set /a "33^17"
PID: 3272, Command line: cmd.exe /c set /a "61^17"
PID: 5124, Command line: cmd.exe /c set /a "49^17"
PID: 2000, Command line: cmd.exe /c set /a "120^17"
PID: 7640, Command line: cmd.exe /c set /a "49^17"
PID: 7056, Command line: cmd.exe /c set /a "33^17"
PID: 520, Command line: cmd.exe /c set /a "105^17"
PID: 1272, Command line: cmd.exe /c set /a "37^17"
PID: 7832, Command line: cmd.exe /c set /a "33^17"
PID: 8384, Command line: cmd.exe /c set /a "56^17"
PID: 564, Command line: cmd.exe /c set /a "97^17"
PID: 5232, Command line: cmd.exe /c set /a "63^17"
PID: 7760, Command line: cmd.exe /c set /a "99^17"
PID: 4036, Command line: cmd.exe /c set /a "32^17"
PID: 8824, Command line: cmd.exe /c set /a "40^17"
PID: 5244, Command line: cmd.exe /c set /a "90^17"
PID: 8224, Command line: cmd.exe /c set /a "84^17"
PID: 2112, Command line: cmd.exe /c set /a "67^17"
PID: 6692, Command line: cmd.exe /c set /a "95^17"
PID: 8996, Command line: cmd.exe /c set /a "84^17"
PID: 740, Command line: cmd.exe /c set /a "93^17"
PID: 8744, Command line: cmd.exe /c set /a "34^17"
PID: 4596, Command line: cmd.exe /c set /a "35^17"
PID: 8272, Command line: cmd.exe /c set /a "43^17"
PID: 8136, Command line: cmd.exe /c set /a "43^17"
PID: 1140, Command line: cmd.exe /c set /a "66^17"
PID: 8800, Command line: cmd.exe /c set /a "116^17"
PID: 1972, Command line: cmd.exe /c set /a "101^17"
PID: 7160, Command line: cmd.exe /c set /a "87^17"
PID: 7500, Command line: cmd.exe /c set /a "120^17"
PID: 3756, Command line: cmd.exe /c set /a "125^17"
PID: 6116, Command line: cmd.exe /c set /a "116^17"
PID: 8596, Command line: cmd.exe /c set /a "65^17"
PID: 9200, Command line: cmd.exe /c set /a "126^17"
PID: 7092, Command line: cmd.exe /c set /a "120^17"
PID: 9008, Command line: cmd.exe /c set /a "127^17"
PID: 3060, Command line: cmd.exe /c set /a "101^17"
PID: 2948, Command line: cmd.exe /c set /a "116^17"
PID: 8720, Command line: cmd.exe /c set /a "99^17"
PID: 8308, Command line: cmd.exe /c set /a "57^17"
PID: 444, Command line: cmd.exe /c set /a "120^17"
PID: 8480, Command line: cmd.exe /c set /a "49^17"
PID: 5740, Command line: cmd.exe /c set /a "99^17"
PID: 8680, Command line: cmd.exe /c set /a "36^17"
PID: 6440, Command line: cmd.exe /c set /a "61^17"
PID: 7488, Command line: cmd.exe /c set /a "49^17"
PID: 5076, Command line: cmd.exe /c set /a "120^17"
PID: 2080, Command line: cmd.exe /c set /a "49^17"
PID: 7280, Command line: cmd.exe /c set /a "32^17"
PID: 7724, Command line: cmd.exe /c set /a "38^17"
PID: 2764, Command line: cmd.exe /c set /a "36^17"
PID: 8676, Command line: cmd.exe /c set /a "33^17"
PID: 8424, Command line: cmd.exe /c set /a "49^17"
PID: 8196, Command line: cmd.exe /c set /a "61^17"
PID: 712, Command line: cmd.exe /c set /a "49^17"
PID: 1740, Command line: cmd.exe /c set /a "120^17"
PID: 3360, Command line: cmd.exe /c set /a "49^17"
PID: 4264, Command line: cmd.exe /c set /a "33^17"
PID: 7004, Command line: cmd.exe /c set /a "61^17"
PID: 2480, Command line: cmd.exe /c set /a "120^17"
PID: 3668, Command line: cmd.exe /c set /a "49^17"
PID: 4444, Command line: cmd.exe /c set /a "33^17"
PID: 5224, Command line: cmd.exe /c set /a "56^17"
PID: 4600, Command line: cmd.exe /c set /a "120^17"
PID: 3340, Command line: cmd.exe /c set /a "63^17"
PID: 3040, Command line: cmd.exe /c set /a "99^17"
PID: 2312, Command line: cmd.exe /c set /a "34^17"
PID: 7624, Command line: cmd.exe /c set /a "40^17"
PID: 8916, Command line: cmd.exe /c set /a "90^17"
PID: 9168, Command line: cmd.exe /c set /a "84^17"
PID: 7412, Command line: cmd.exe /c set /a "67^17"
PID: 5324, Command line: cmd.exe /c set /a "95^17"
PID: 1292, Command line: cmd.exe /c set /a "84^17"
PID: 4400, Command line: cmd.exe /c set /a "93^17"
PID: 6796, Command line: cmd.exe /c set /a "34^17"
PID: 4652, Command line: cmd.exe /c set /a "35^17"
PID: 4940, Command line: cmd.exe /c set /a "43^17"
PID: 628, Command line: cmd.exe /c set /a "43^17"
PID: 6644, Command line: cmd.exe /c set /a "67^17"
PID: 6536, Command line: cmd.exe /c set /a "116^17"
PID: 6124, Command line: cmd.exe /c set /a "112^17"
PID: 5008, Command line: cmd.exe /c set /a "117^17"
PID: 1960, Command line: cmd.exe /c set /a "87^17"
PID: 4460, Command line: cmd.exe /c set /a "120^17"
PID: 2904, Command line: cmd.exe /c set /a "125^17"
PID: 5316, Command line: cmd.exe /c set /a "116^17"
PID: 7720, Command line: cmd.exe /c set /a "57^17"
PID: 7048, Command line: cmd.exe /c set /a "120^17"
PID: 1508, Command line: cmd.exe /c set /a "49^17"
PID: 5284, Command line: cmd.exe /c set /a "99^17"
PID: 716, Command line: cmd.exe /c set /a "36^17"
PID: 6184, Command line: cmd.exe /c set /a "61^17"
PID: 7088, Command line: cmd.exe /c set /a "49^17"
PID: 8684, Command line: cmd.exe /c set /a "120^17"
PID: 8256, Command line: cmd.exe /c set /a "49^17"
PID: 3032, Command line: cmd.exe /c set /a "99^17"
PID: 6128, Command line: cmd.exe /c set /a "32^17"
PID: 7476, Command line: cmd.exe /c set /a "61^17"
PID: 6492, Command line: cmd.exe /c set /a "49^17"
PID: 3928, Command line: cmd.exe /c set /a "120^17"
PID: 5144, Command line: cmd.exe /c set /a "49^17"
PID: 3964, Command line: cmd.exe /c set /a "33^17"
PID: 4988, Command line: cmd.exe /c set /a "105^17"
PID: 5516, Command line: cmd.exe /c set /a "32^17"
PID: 4620, Command line: cmd.exe /c set /a "33^17"
PID: 9072, Command line: cmd.exe /c set /a "33^17"
PID: 6756, Command line: cmd.exe /c set /a "33^17"
PID: 192, Command line: cmd.exe /c set /a "33^17"
PID: 2572, Command line: cmd.exe /c set /a "33^17"
PID: 3952, Command line: cmd.exe /c set /a "61^17"
PID: 5580, Command line: cmd.exe /c set /a "59^17"
PID: 6472, Command line: cmd.exe /c set /a "120^17"
PID: 7292, Command line: cmd.exe /c set /a "49^17"
PID: 7224, Command line: cmd.exe /c set /a "33^17"
PID: 4052, Command line: cmd.exe /c set /a "61^17"
PID: 5824, Command line: cmd.exe /c set /a "49^17"
PID: 2892, Command line: cmd.exe /c set /a "120^17"
PID: 7100, Command line: cmd.exe /c set /a "49^17"
PID: 8964, Command line: cmd.exe /c set /a "33^17"
PID: 6488, Command line: cmd.exe /c set /a "56^17"
PID: 3584, Command line: cmd.exe /c set /a "120^17"
PID: 8812, Command line: cmd.exe /c set /a "63^17"
PID: 8400, Command line: cmd.exe /c set /a "99^17"
PID: 9076, Command line: cmd.exe /c set /a "34^17"
PID: 6308, Command line: cmd.exe /c set /a "40^17"
PID: 6564, Command line: cmd.exe /c set /a "100^17"
PID: 7872, Command line: cmd.exe /c set /a "98^17"
PID: 456, Command line: cmd.exe /c set /a "116^17"
PID: 3444, Command line: cmd.exe /c set /a "99^17"
PID: 3272, Command line: cmd.exe /c set /a "34^17"
PID: 5124, Command line: cmd.exe /c set /a "35^17"
PID: 6944, Command line: cmd.exe /c set /a "43^17"
PID: 5304, Command line: cmd.exe /c set /a "43^17"
PID: 2832, Command line: cmd.exe /c set /a "82^17"
PID: 8892, Command line: cmd.exe /c set /a "112^17"
PID: 1272, Command line: cmd.exe /c set /a "125^17"
PID: 7832, Command line: cmd.exe /c set /a "125^17"
PID: 4876, Command line: cmd.exe /c set /a "70^17"
PID: 8072, Command line: cmd.exe /c set /a "120^17"
PID: 5232, Command line: cmd.exe /c set /a "127^17"
PID: 7684, Command line: cmd.exe /c set /a "117^17"
PID: 4036, Command line: cmd.exe /c set /a "126^17"
PID: 5620, Command line: cmd.exe /c set /a "102^17"
PID: 8592, Command line: cmd.exe /c set /a "65^17"
PID: 2392, Command line: cmd.exe /c set /a "99^17"
PID: 2484, Command line: cmd.exe /c set /a "126^17"
PID: 932, Command line: cmd.exe /c set /a "114^17"
PID: 8996, Command line: cmd.exe /c set /a "80^17"
PID: 4120, Command line: cmd.exe /c set /a "57^17"
PID: 8744, Command line: cmd.exe /c set /a "120^17"
PID: 6528, Command line: cmd.exe /c set /a "49^17"
PID: 5036, Command line: cmd.exe /c set /a "99^17"
PID: 2088, Command line: cmd.exe /c set /a "32^17"
PID: 6080, Command line: cmd.exe /c set /a "49^17"
PID: 9040, Command line: cmd.exe /c set /a "61^17"
PID: 732, Command line: cmd.exe /c set /a "120^17"
PID: 7236, Command line: cmd.exe /c set /a "49^17"
PID: 3900, Command line: cmd.exe /c set /a "33^17"
PID: 2744, Command line: cmd.exe /c set /a "61^17"
PID: 6428, Command line: cmd.exe /c set /a "120^17"
PID: 2780, Command line: cmd.exe /c set /a "49^17"
PID: 2576, Command line: cmd.exe /c set /a "33^17"
PID: 7748, Command line: cmd.exe /c set /a "61^17"
PID: 1560, Command line: cmd.exe /c set /a "49^17"
PID: 4564, Command line: cmd.exe /c set /a "120^17"
PID: 3448, Command line: cmd.exe /c set /a "49^17"
PID: 7060, Command line: cmd.exe /c set /a "33^17"
PID: 8888, Command line: cmd.exe /c set /a "61^17"
PID: 1384, Command line: cmd.exe /c set /a "49^17"
PID: 1284, Command line: cmd.exe /c set /a "120^17"
PID: 8500, Command line: cmd.exe /c set /a "49^17"
PID: 8952, Command line: cmd.exe /c set /a "33^17"
PID: 8928, Command line: cmd.exe /c set /a "56^17"
PID: 3536, Command line: cmd.exe /c set /a "40^17"
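The child-process list above is the visible side of a string-decoding loop: in cmd.exe, `set /a` evaluates integer arithmetic and `^` is bitwise XOR, so `cmd.exe /c set /a "90^17"` computes 90 XOR 17 = 75, the ASCII character 'K', and each child process yields one character of a hidden string. The report does not say how the installer collects the results; the Python below only assumes the listed operands are in execution order. It is an added example, not code from the original report: it parses lines in the listed format, XORs every operand with its own key, and reassembles the text. The two operand lists are transcribed from the first two runs of child processes above (PID 7852 through PID 5008, then PID 1960 through PID 8824); they decode to a `KERNEL32::CreateFileA(...)` and a `KERNEL32::VirtualAlloc(...)` string in NSIS System plugin call syntax, which fits the System.dll the installer drops. The RWX check (0x40 = PAGE_EXECUTE_READWRITE) is my addition for triage.

```python
import re

# Each listed child process has the form
#   PID: 7852, Command line: cmd.exe /c set /a "90^17"
# and computes operand XOR key; with key 17 the result is one ASCII byte.
CMD_RE = re.compile(r'cmd\.exe /c set /a "(\d+)\^(\d+)"')

# Constructed sample: the first ten child-process lines copied from the report.
SAMPLE_LOG = """\
PID: 7852, Command line: cmd.exe /c set /a "90^17"
PID: 8256, Command line: cmd.exe /c set /a "84^17"
PID: 8784, Command line: cmd.exe /c set /a "67^17"
PID: 9048, Command line: cmd.exe /c set /a "95^17"
PID: 2404, Command line: cmd.exe /c set /a "84^17"
PID: 5820, Command line: cmd.exe /c set /a "93^17"
PID: 5940, Command line: cmd.exe /c set /a "34^17"
PID: 3552, Command line: cmd.exe /c set /a "35^17"
PID: 3964, Command line: cmd.exe /c set /a "43^17"
PID: 4988, Command line: cmd.exe /c set /a "43^17"
"""

# Left-hand operands transcribed from the report's first two runs of child
# processes (PID 7852 .. PID 5008, then PID 1960 .. PID 8824); key is 17 in every line.
CREATEFILE_OPERANDS = [
    90, 84, 67, 95, 84, 93, 34, 35, 43, 43,                      # KERNEL32::
    82, 99, 116, 112, 101, 116, 87, 120, 125, 116, 80,           # CreateFileA
    57, 124, 49, 99, 37, 49, 61, 49, 120, 49, 33, 105, 41,
    33, 33, 33, 33, 33, 33, 33, 61, 49, 120, 49, 33,
    61, 49, 97, 49, 33, 61, 49, 120, 49, 37,
    61, 49, 120, 49, 33, 105, 41, 33, 61, 49, 120, 49, 33,
    56, 120, 63, 99, 36, 40,
]
VIRTUALALLOC_OPERANDS = [
    90, 84, 67, 95, 84, 93, 34, 35, 43, 43,                      # KERNEL32::
    71, 120, 99, 101, 100, 112, 125, 80, 125, 125, 126, 114,     # VirtualAlloc
    57, 120, 49, 33, 61,
    120, 49, 33, 105, 32, 33, 33, 33, 33, 33,
    61, 49, 120, 49, 33, 105, 34, 33, 33, 33,
    61, 49, 120, 49, 33, 105, 37, 33,
    56, 97, 63, 99, 32, 40,
]

RWX_PROTECT = 0x40  # PAGE_EXECUTE_READWRITE


def parse_operands(log_text):
    """Return (operand, key) pairs in the order the child processes appear."""
    pairs = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def decode(pairs):
    """Evaluate each `set /a "a^b"` and join the resulting bytes as ASCII text."""
    return "".join(chr(a ^ b) for a, b in pairs)


def decode_with_key(operands, key=17):
    """Decode a bare operand list against one fixed key."""
    return decode([(n, key) for n in operands])


def api_calls(decoded):
    """Pull Module::Function names out of decoded NSIS System::Call strings."""
    return re.findall(r"([A-Za-z0-9_]+::[A-Za-z0-9_]+)\(", decoded)


def flags_rwx_alloc(decoded):
    """True when a decoded VirtualAlloc call asks for PAGE_EXECUTE_READWRITE."""
    m = re.search(r"VirtualAlloc\((.*?)\)", decoded)
    if not m:
        return False
    args = [a.strip() for a in m.group(1).split(",")]
    protect = args[-1].split()[-1]  # last argument, e.g. "i 0x40" -> "0x40"
    return int(protect, 0) == RWX_PROTECT


if __name__ == "__main__":
    print(decode(parse_operands(SAMPLE_LOG)))
    for ops in (CREATEFILE_OPERANDS, VIRTUALALLOC_OPERANDS):
        text = decode_with_key(ops)
        print(text, "->", api_calls(text), "RWX" if flags_rwx_alloc(text) else "")
```

Feeding the complete child-process list to `parse_operands` and `decode` yields the whole call sequence in order; the decoded `VirtualAlloc` with protection 0x40 is the kind of result worth alerting on when a burst of `cmd.exe /c set /a` children is seen under an installer.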
4. YARA Rules and IOCs
| TYPE | Value | Details |
|---|---|---|
| URL | su1d[.]nerdpol[.]ovh | |
| IP | 4[.]236[.]162[.]205 | |
| exe | Demiparadise.exe | b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d |
| dll | nsExec.dll | c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7 |
| dll | System.dll | bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb |
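The table above lists the indicators, and the behavioral summary in section 1 describes where they appear on a host: the NSIS plugin DLLs dropped under a pseudo-random ns*.tmp folder, ieinstal.exe connecting out to port 2222, and the Demiparadise.exe copy under Fadllers. As an added example that is not part of the original report, the Python below turns both into a small matcher over host telemetry. The event shape is a constructed, simplified Sysmon-like record (not real logs), and the rule that flags any outbound connection by ieinstal.exe is a heuristic derived from the report's description rather than a rule the report states.

```python
import re

# Indicators copied from the report's IOC table, defanged as written there.
IOCS = {
    "domain": {"su1d[.]nerdpol[.]ovh"},
    "ip": {"4[.]236[.]162[.]205"},
    "sha256": {
        "b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d",  # Demiparadise.exe
        "c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7",  # nsExec.dll
        "bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb",  # System.dll
    },
}
C2_PORT = 2222  # port the report observed ieinstal.exe connecting to


def refang(indicator):
    """Turn a defanged indicator ("su1d[.]nerdpol[.]ovh") back into a matchable value."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in IOCS["domain"]}
IPS = {refang(i) for i in IOCS["ip"]}
HASHES = {h.lower() for h in IOCS["sha256"]}

# Paths from the behavioral summary. The NSIS temp folder (nsb436C.tmp in the
# report) is pseudo-random, so it is matched as ns<hex>.tmp rather than literally.
PERSIST_RE = re.compile(r"\\AppData\\Local\\Temp\\Fadllers\\Demiparadise\.exe$", re.I)
NSIS_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9a-f]+\.tmp\\(nsExec|System)\.dll$", re.I)
INJECT_TARGET = "\\internet explorer\\ieinstal.exe"


def match_event(ev):
    """Return the list of reasons a single telemetry event matches this report."""
    reasons = []
    kind = ev.get("type")
    if kind == "dns_query" and ev.get("query", "").lower() in DOMAINS:
        reasons.append("c2_domain")
    if kind == "net_connect":
        if ev.get("dst_ip") in IPS:
            reasons.append("c2_ip")
        if ev.get("dst_port") == C2_PORT:
            reasons.append("c2_port")
        # Heuristic (mine): the IE installer helper has no reason to talk to the network.
        if ev.get("image", "").lower().endswith(INJECT_TARGET):
            reasons.append("ieinstal_outbound")
    if kind == "file_create":
        path = ev.get("path", "")
        if ev.get("sha256", "").lower() in HASHES:
            reasons.append("known_hash")
        if PERSIST_RE.search(path):
            reasons.append("persistence_copy")
        if NSIS_DROP_RE.search(path):
            reasons.append("nsis_plugin_drop")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = match_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (simplified Sysmon-like records, not real logs).
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\nsb436C.tmp\nsExec.dll",
     "sha256": "c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7"},
    {"type": "net_connect",
     "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
     "dst_ip": "4.236.162.205", "dst_port": 2222},
    {"type": "dns_query", "query": "su1d.nerdpol.ovh"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\Fadllers\Demiparadise.exe",
     "sha256": "b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d"},
    {"type": "net_connect",  # benign control record: should not match
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], ", ".join(reasons))
```

The hash and C2 matches are exact and will go stale as the sample is rebuilt or re-hosted; the path and ieinstal.exe rules describe the behaviour and are the ones worth keeping in a hunting query.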