Analysis
- max time kernel: 136s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-12-2020 12:48
Static task: static1
Behavioral task: behavioral1 (Sample: ti8Pmv4G.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: ti8Pmv4G.exe, Resource: win10v20201028)
General
- Target: ti8Pmv4G.exe
- Size: 17KB
- MD5: 8bebd374905cc33e3de17132a7b181c4
- SHA1: 16b5c5b0de016ef030b966533e374cbfcbb07628
- SHA256: ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a
- SHA512: 20cbfee084c5cf9a7b8c62a6545a2726c89fc8039f193547d5d98c5d8f596507f7c270844d9ae2888e1c874e66f1c9380b01897644966f2ac8a572b7b5f4ac04
Malware Config
Extracted: revengerat
- Guest
- tchelero-55169.portmap.host:55169
- tchelero-55169.portmap.host:80
- 192.168.1.100:55169
- 192.168.1.100:80
- RV_MUTEX-LgHRHXJvbCGP
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe | revengerat
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe | revengerat
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1848 | Office.exe
- Drops startup file (4 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe | ti8Pmv4G.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe | ti8Pmv4G.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe | Office.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe | Office.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | Office.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Office.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | ti8Pmv4G.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ti8Pmv4G.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2024 | ti8Pmv4G.exe
    Token: SeDebugPrivilege | 1848 | Office.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 2024 wrote to memory of 1848 | 2024 | ti8Pmv4G.exe | Office.exe
    PID 2024 wrote to memory of 1848 | 2024 | ti8Pmv4G.exe | Office.exe
    PID 2024 wrote to memory of 1848 | 2024 | ti8Pmv4G.exe | Office.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ti8Pmv4G.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ti8Pmv4G.exe"
  - Drops startup file
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe"
    - Executes dropped EXE
    - Drops startup file
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.exe
  MD5: 8bebd374905cc33e3de17132a7b181c4
  SHA1: 16b5c5b0de016ef030b966533e374cbfcbb07628
  SHA256: ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a
  SHA512: 20cbfee084c5cf9a7b8c62a6545a2726c89fc8039f193547d5d98c5d8f596507f7c270844d9ae2888e1c874e66f1c9380b01897644966f2ac8a572b7b5f4ac04
- memory/1848-4-0x0000000000000000-mapping.dmp
- memory/1848-7-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp (Filesize: 9.6MB)
- memory/1848-8-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp (Filesize: 9.6MB)
- memory/2024-2-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp (Filesize: 9.6MB)
- memory/2024-3-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp (Filesize: 9.6MB)