Analysis
- max time kernel: 129s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 12:42

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: ac31a6e33a56b45bdd8cfd2adf58c123.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: ac31a6e33a56b45bdd8cfd2adf58c123.exe
  Resource: win10v20201028
General
- Target: ac31a6e33a56b45bdd8cfd2adf58c123.exe
- Size: 210KB
- MD5: ac31a6e33a56b45bdd8cfd2adf58c123
- SHA1: 2cb2aebfab91b987f6a820bbf91a15ea9855b937
- SHA256: 8c61ba7b253707486b186d4cb87add887f6e0d47a82818a0c17f38a1283b28a8
- SHA512: 51a96ceba6ef87a5e9e937648f2d85c535ff1a66ccbde6316485f967db672ac638ebddfb2f59e263b0429c43626fc93e7f779f080a18eec1d3311544d5773030
Malware Config
Extracted
- Family: revengerat
- NyanCatRevenge
- 194.5.99.181:4452
- eac1ab2a222
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 2024 Jjjmzioi.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid 2044 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
  pid 2044 AcroRd32.exe (5 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target pid / target process):
  PID 1108 ac31a6e33a56b45bdd8cfd2adf58c123.exe wrote to memory of PID 2024 Jjjmzioi.exe (4 times)
  PID 1108 ac31a6e33a56b45bdd8cfd2adf58c123.exe wrote to memory of PID 2044 AcroRd32.exe (4 times)
  PID 1108 ac31a6e33a56b45bdd8cfd2adf58c123.exe wrote to memory of PID 1468 AcroRd32.exe (4 times)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\ac31a6e33a56b45bdd8cfd2adf58c123.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac31a6e33a56b45bdd8cfd2adf58c123.exe"
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe"
    - Executes dropped EXE
  - (depth 2) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nbgoyjcv.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  - (depth 2) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Tcfoxfw.pdf"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
  MD5: 40edbaf0a7ce2851f0883e49ee1db609
  SHA1: 40c95af209d9af0cac0de6de62e796a6b9603d8e
  SHA256: 6457a3a6a96adf2e24c3ce600928e006c50cd90eee46f73146c3507287ba9bc7
  SHA512: a0c9d3f38d885e6a2ee0ed157887415f16108e9c26c5a3b2bbd54b51fcf3931d0f6a895edf3313146b1813f7351582bba7adb5cfc22df6169cc892fb4bf0b4df
- C:\Users\Admin\AppData\Local\Temp\Nbgoyjcv.pdf
  MD5: 7495261386e5a072f068cbdae39d91e5
  SHA1: b08800cad2f8d90a58feb45c3400e137ab31eb23
  SHA256: 1bb04a78b1f43adcef42947ede15aa292f8bf75629d1cecb64e8cf7d713147ab
  SHA512: f38cc029ec05f42891ce049f4db1aaf1e5409612fc38afcab6eb9ce2fc9ddf7f1d350b4bdb2d9dd34d4a37257df8e7854caf9f86fd4547b645797a3cee1e347e
- C:\Users\Admin\AppData\Local\Temp\Tcfoxfw.pdf
  MD5: ce5c8a69fc77843a6fdd39f2c30524dc
  SHA1: e4f84b7d4703c381acef1646bf67bd3a2a0d4d08
  SHA256: 89ef629ae460cce80ce153f831d814c6031e20d2d8b8671130414f7b9c41ed3d
  SHA512: dc76a9fc2b9ccd19dfe24de9b5baffeb1a376789ccf8e942d9013d3e3902f468e6aecc1db38c04f0295afba5ef92317ba30bc0f1ad8e959265897d8d5ab4e4d9
- memory/1108-2-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp
  Filesize: 9.9MB
- memory/1108-3-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB
- memory/1468-9-0x0000000000000000-mapping.dmp
- memory/2024-5-0x0000000000000000-mapping.dmp
- memory/2044-8-0x0000000000000000-mapping.dmp