Analysis

Max time kernel: 29s
Max time network: 148s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 05-01-2021 11:59

- Static task: static1
- Behavioral task: behavioral1 (sample CLIENT_C.EXE, resource win7v20201028)
- Behavioral task: behavioral2 (sample CLIENT_C.EXE, resource win10v20201028)
- Behavioral task: behavioral3 (sample NON_DISC.EXE, resource win7v20201028)
- Behavioral task: behavioral4 (sample NON_DISC.EXE, resource win10v20201028)
- Behavioral task: behavioral5 (sample TENDER_N.EXE, resource win7v20201028)
- Behavioral task: behavioral6 (sample TENDER_N.EXE, resource win10v20201028)
General

Target: TENDER_N.EXE
Size: 742KB
MD5: 868ca3e861260b5080c62eda3880c425
SHA1: 8d1dd70950daa651261a429baa0f63332bc690ca
SHA256: c125ad338e09169f93f9ba82a8eb533619ae2087dd2a84563da1c6a3ef68e3d1
SHA512: 5ac65a3230f465a2fccad3101261500a2fe923d6ee67990e235b255a8f85529250a93fdbac5a304c93207605f8186bbd4500fb8febb6ffd0e8a8e44b159b19af
Malware Config

Extracted:
- Family: revengerat
- Botnet: NyanCatRevenge
- C2: hpdndbnb.duckdns.org:2404
- Additional extracted field (unlabeled in the report): 10eef43648e54083
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: TENDER_N.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TENDER_N.EXE\""

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Turns off Windows Defender SpyNet reporting (2 TTPs)

Drops startup file (2 IoCs)
Process: TENDER_N.EXE
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE

Windows security modification
Process: TENDER_N.EXE
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: TENDER_N.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TENDER_N.EXE"
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\TENDER_N.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TENDER_N.EXE"

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
- PID 3888 (TENDER_N.EXE) set thread context of PID 2480 (TENDER_N.EXE)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: TENDER_N.EXE
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- powershell.exe, PIDs 2388, 3736, 3968 and 64 (each PID reported three times)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 3888, TENDER_N.EXE
- Token: SeDebugPrivilege, PID 3736, powershell.exe
- Token: SeDebugPrivilege, PID 3968, powershell.exe
- Token: SeDebugPrivilege, PID 2388, powershell.exe
- Token: SeDebugPrivilege, PID 64, powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 3888 (TENDER_N.EXE) wrote to memory of PID 3736 (powershell.exe): 3 times
- PID 3888 (TENDER_N.EXE) wrote to memory of PID 3968 (powershell.exe): 3 times
- PID 3888 (TENDER_N.EXE) wrote to memory of PID 2388 (powershell.exe): 3 times
- PID 3888 (TENDER_N.EXE) wrote to memory of PID 64 (powershell.exe): 3 times
- PID 3888 (TENDER_N.EXE) wrote to memory of PID 2480 (TENDER_N.EXE): 8 times
Processes

C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE"
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE"
  - Checks processor information in registry
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: db01a2c1c7e70b2b038edf8ad5ad9826
SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 0dae0e774db5abb82a4016d6c6e96448
SHA1: 705338641dad83b3673dc6718c0c73d7fe784a5a
SHA256: d7ce7accfaaa3c1d8e7ca2a63890e8ce2f8f6d17a72f00e96d1ad4e23e16bad8
SHA512: 5a49cca6f94997468777ce0446005ab0d71c5274d07ce120a2623db95cb7e658766f209999d6421f23e643b73845887f3d5345f092b657536af183185e133178

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 26650a9d29fb8c872011f68406db3c42
SHA1: 272251f642694ec0c76be781e049300b4bbb0189
SHA256: c0e22e98f6952b6235b0cf8dc051d5751e697fd9ef6e5a9f82836567ab6f73ae
SHA512: f93494f368ceb32b77c0b410b90f6203a5c363ea9629ab86c01833e9a49106a30245a93476fd9f78a12cd79b31781effbdb6f06227b7838ece681bcdce74f030