Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:26

Static task: static1

Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v20201028
General
- Target: file.exe
- Size: 17KB
- MD5: af48897e401a79baf8086585c18cf8fe
- SHA1: 44e9a2699d07cbba45493000287ab5dfbe86df77
- SHA256: acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595
- SHA512: c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: tzii.myq-see.com:888
- Mutex: RV_MUTEX-IUnoWrUUgHRHXJv
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe, revengerat
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe, revengerat
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 916, IMD.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
  - File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imd.exe, vbc.exe
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1756, file.exe
  - Token: SeDebugPrivilege, 916, IMD.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 1756 wrote to memory of 916, 1756, file.exe, IMD.exe (3 events)
  - PID 916 wrote to memory of 272, 916, IMD.exe, vbc.exe (3 events)
  - PID 272 wrote to memory of 1084, 272, vbc.exe, cvtres.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe (PID 916)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 272)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k7lp0rdk.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 1084)
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D55.tmp"
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp
- C:\Users\Admin\AppData\Local\Temp\k7lp0rdk.0.vb
- C:\Users\Admin\AppData\Local\Temp\k7lp0rdk.cmdline
- C:\Users\Admin\AppData\Local\Temp\vbc4D55.tmp
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe (MD5, SHA1, SHA256 and SHA512 identical to the submitted sample listed under General)