Analysis
- max time kernel: 52s
- max time network: 48s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-12-2020 12:40
Static task
- static1

Behavioral task
- behavioral1
  Sample: df85f50f72f850fb70d6464e17053c4a.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: df85f50f72f850fb70d6464e17053c4a.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: df85f50f72f850fb70d6464e17053c4a.exe
- Size: 23KB
- MD5: df85f50f72f850fb70d6464e17053c4a
- SHA1: 13962c04bafe361466cce63abd389f9ce149debb
- SHA256: fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf
- SHA512: da2800fd3b91d99b09f44a22a2b9cd9da523d4b366ae2c0d62eeb0fc33fb9e5a0ecb96b9a6212eec070897f74672d24d312194aa4c04ee6863c3f08388618b6e
- Score: 10/10
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.

- RevengeRat Executable (3 IoCs)
  resource | yara_rule
  behavioral1/memory/436-9-0x000000000040F67E-mapping.dmp | revengerat
  behavioral1/memory/436-8-0x0000000000400000-0x0000000000416000-memory.dmp | revengerat
  behavioral1/memory/436-10-0x0000000000400000-0x0000000000416000-memory.dmp | revengerat

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  set thread context of 436 | 1068 | df85f50f72f850fb70d6464e17053c4a.exe | df85f50f72f850fb70d6464e17053c4a.exe

- Delays execution with timeout.exe (1 IoC)
  pid | process
  1972 | timeout.exe

- Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1068 | df85f50f72f850fb70d6464e17053c4a.exe
  Token: SeDebugPrivilege | 436 | df85f50f72f850fb70d6464e17053c4a.exe

- Suspicious use of WriteProcessMemory (25 IoCs; identical events grouped, count in last column)
  description | pid | process | target process | events
  wrote to memory of 848 | 1068 | df85f50f72f850fb70d6464e17053c4a.exe | cmd.exe | 4
  wrote to memory of 1972 | 848 | cmd.exe | timeout.exe | 4
  wrote to memory of 436 | 1068 | df85f50f72f850fb70d6464e17053c4a.exe | df85f50f72f850fb70d6464e17053c4a.exe | 10
  wrote to memory of 1172 | 436 | df85f50f72f850fb70d6464e17053c4a.exe | rundll32.exe | 7
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\df85f50f72f850fb70d6464e17053c4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df85f50f72f850fb70d6464e17053c4a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 4
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe

  - [2] C:\Users\Admin\AppData\Local\Temp\df85f50f72f850fb70d6464e17053c4a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\df85f50f72f850fb70d6464e17053c4a.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\System32
      - Modifies registry class
Network
MITRE ATT&CK Matrix
Downloads
- memory/436-9-0x000000000040F67E-mapping.dmp
- memory/436-8-0x0000000000400000-0x0000000000416000-memory.dmp (filesize 88KB)
- memory/436-10-0x0000000000400000-0x0000000000416000-memory.dmp (filesize 88KB)
- memory/436-11-0x0000000074EE0000-0x00000000755CE000-memory.dmp (filesize 6.9MB)
- memory/848-5-0x0000000000000000-mapping.dmp
- memory/1068-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp (filesize 6.9MB)
- memory/1068-3-0x0000000000B40000-0x0000000000B41000-memory.dmp (filesize 4KB)
- memory/1068-7-0x0000000000730000-0x0000000000754000-memory.dmp (filesize 144KB)
- memory/1172-14-0x0000000000000000-mapping.dmp
- memory/1972-6-0x0000000000000000-mapping.dmp