Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-12-2020 13:48

Tasks
- Static task: static1
- Behavioral task: behavioral1 — Sample: ZCgngKMK.exe — Resource: win7v20201028
- Behavioral task: behavioral2 — Sample: ZCgngKMK.exe — Resource: win10v20201028
General
- Target: ZCgngKMK.exe
- Size: 27KB
- MD5: 038265381c07bdfe9e316ee37300deaa
- SHA1: 3acf06557ebe350907ce0ffbe21679e4a1cbb9b3
- SHA256: db5eb754fff22b0478702d838e7b0e4d7285e8859a4bcf6fe1288ca83ff16a8b
- SHA512: e83bee3420124a2ff829464b926c86f35736e51fae0baafeb18bbd253df7135bf661a951859dc857807f76f0fa7bd33bc79bc2a9a1f6e8ab687afa8b4f86692f
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: Rigisterio-37154.portmap.host:37154
- Mutex: RV_MUTEX-DCGRFbTXZMONF
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Resource / yara_rule:
  - behavioral2/memory/3980-3-0x0000000000400000-0x000000000040C000-memory.dmp: revengerat
  - behavioral2/memory/3980-4-0x0000000000407B0E-mapping.dmp: revengerat
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (pid / process -> target pid / target process):
  - PID 1628 ZCgngKMK.exe set thread context of 3980 RegSvcs.exe
  - PID 3980 RegSvcs.exe set thread context of 1620 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (token / pid / process):
  - Token: SeDebugPrivilege, 1628 ZCgngKMK.exe
  - Token: SeDebugPrivilege, 3980 RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (pid / process -> target pid / target process):
  - PID 1628 ZCgngKMK.exe wrote to memory of 3980 RegSvcs.exe (8 events)
  - PID 3980 RegSvcs.exe wrote to memory of 1620 RegSvcs.exe (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\ZCgngKMK.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZCgngKMK.exe" (level 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (level 2)
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (level 3)
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\efhaRClgZb.txt
  - MD5: 59e8dcec718066df1df3a98129c64430
  - SHA1: 1cd033948ed1bcf22b1a06f61870f3a6a73f8bba
  - SHA256: a34e428ed556ce06234a310f1cca864fc13abc7f5b07fb534a760d039a43c276
  - SHA512: 38f84f13ca89e9190089aa4d8415026e5b6dbed6aae95c43ee9e70d53efaa58dd0e583c04c9e73802418aa5d80f771395299420506a2a464a64dbc4b0b79a464
- memory/1620-5-0x0000000000400000-0x000000000040C000-memory.dmp
  - Filesize: 48KB
- memory/1620-6-0x0000000000406BDE-mapping.dmp
- memory/1628-2-0x00007FF820810000-0x00007FF8211B0000-memory.dmp
  - Filesize: 9.6MB
- memory/3980-3-0x0000000000400000-0x000000000040C000-memory.dmp
  - Filesize: 48KB
- memory/3980-4-0x0000000000407B0E-mapping.dmp