Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family Malgent
This is a sophisticated Trojan from the Malgent family, utilizing Excel 4.0 macros for initial execution. It downloads and drops executables from various malicious URLs and CDNs into user directories (Desktop, AppData, Temp), employing PE encryption for evasion, and aims to establish persistence.
Relevant strings associated with this threat:
- = Environ("USERPROFILE") & "\Desktop" & "\quotation.exe" (MACROHSTR_EXT)
- http://45.78.21.150/boost/boosting.exe (MACROHSTR_EXT)
- = Replace("ht##tp##:##/##/ (MACROHSTR_EXT)
- = (Err.Number = 0) (MACROHSTR_EXT)
- = (Environ("temp") & "\" & (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") + "\AppData\Roaming\" + "\" + path_dom + a + b + c (MACROHSTR_EXT)
- path_file = Environ$("USERPROFILE") & "\AppData\" + path_dom + ".ttp" (MACROHSTR_EXT)
- Variable2.savetofile "234.e" & "xe", 2 (MACROHSTR_EXT)
- ExecuteExcel4Macro Replace(UserForm1. (MACROHSTR_EXT)
- 2C:\Codes\Version2\pe_encrypt\Release\PECloner.pdb (PEHSTR)
- TmDbgLog.dll (PEHSTR_EXT)
- ssMUIDLL.dll (PEHSTR_EXT)
- arguments="https://d3727mhevtk2n4.cloudfront.net/srv-stg-agent (MACROHSTR_EXT)
- Call trenes("http://kuzov-remont.com/wp-admin/js/win.exe", (MACROHSTR_EXT)
- Environ("AppData") & "\Ds.exe") (MACROHSTR_EXT)
- Environ("Userprofile") & "\Men (MACROHSTR_EXT)
- Inicio\Programas\Inicio\Ds.exe") (MACROHSTR_EXT)
- Global\gfxQJsVUhkMOSadImwZFBbnpe2Gjv7HA (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- del "C:\Documents and Settings\All Usersd (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- CymulateScreenShotTrojan.pdb (PEHSTR_EXT)
- i.ibb.co/q1B4wyW/nature-field-gra-130247647 (PEHSTR_EXT)
- sdsdsdsds.pdb (PEHSTR_EXT)
- DLL\test\Release\Dll1.pdb (PEHSTR_EXT)
- "C:\Windows\iexplore.exe" (PEHSTR_EXT)
- \Release\mfc.pdbd (PEHSTR_EXT)
- zh-CN/NUSData/M2052Hongyu.voiceAssistant.unt (PEHSTR_EXT)
- zh-CN/NUSData/M2052Kangkang.keyboard.unt (PEHSTR_EXT)
- https://www.cuochiperungiorno.it/ (PEHSTR_EXT)
- _Setup.exe (PEHSTR_EXT)
- https://tapestryoftruth.com/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\msedge_elf.pdb (PEHSTR_EXT)
- E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\Bin\Release\VCRUNTIME140.pdb (PEHSTR_EXT)
- AppApi.dll (PEHSTR_EXT)
- D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb (PEHSTR_EXT)
- G:\repos\ApiApp\AppApi\obj\Release\net9.0\win-x86\AppApi.pdb (PEHSTR_EXT)
- info-sec.jp/attach (PEHSTR_EXT)
- stgsec-info.jp/acon (PEHSTR_EXT)
- PdfAttachProduction.exe (PEHSTR_EXT)
- cm74336.tw1.ru/calc.execalc.exesrc (PEHSTR_EXT)
- =createobject("msxml2.xmlhttp")http_obj.open"post","http://188.130.234.189/wait.php (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated hashes (64 hex characters each, the length of a SHA-256 digest):
- 7dc5d926d6f83fa5b23ac8024e87f6552364053a55ba7704f0811fb203223350
- f11b697db1d3e8a162f0d50d5340f151cb5b4e381a4c69b68b667c990711fa57
- 1290bdba07eb77310f187c0392c5c9469ad2ad74baec9815b033ce99c445daaa
- f0cd011c32b524599810e6f3d8f93b77dd8d0f36d2fd85cb0e2bad7f5487b0a5
- a78a69265a1f6a945bd4c0299accebc1f495ae955090ede8806faafebc302291
Recommended response: Immediately isolate the affected system, perform a full endpoint security scan to remove all detected components, and block the identified C2 URLs/IPs at the network perimeter. Investigate for persistence mechanisms and potential data exfiltration.