Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-01-2021 07:30

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample Quotation #01521.exe, resource win7v20201028)
- Behavioral task: behavioral2 (sample Quotation #01521.exe, resource win10v20201028)
General
- Target: Quotation #01521.exe
- Size: 816KB
- MD5: 73619a5f7eab7a80e0fbbd5c8493c9b4
- SHA1: 84db67126574c21ef3233518452876ad123b4aa1
- SHA256: 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
- SHA512: b92f4239da62411edcbf2378e67e28a307752f1b55d5977527e83069630a5d9894bb4f7138473da42f183b6fc5cdcb334aff76805acbae6908b35ed8716940c4
Malware Config
Extracted
- Family: revengerat
- 2021
- C2: chongmei33.myddns.rocks:57438
- C2: 37.120.208.40:57438
- Mutex: RV_MUTEX-ITXZMONFueOciqX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.

- RevengeRat Executable (3 IoCs)
  Resource / YARA rule:
    behavioral1/memory/660-21-0x000000000041B10E-mapping.dmp  revengerat
    behavioral1/memory/660-24-0x0000000000150000-0x000000000016E000-memory.dmp  revengerat
    behavioral1/memory/660-23-0x0000000000150000-0x000000000016E000-memory.dmp  revengerat

- Executes dropped EXE (2 IoCs)
  Processes (PID, process):
    108  word.exe
    660  word.exe

- Loads dropped DLL (1 IoC)
  Processes (PID, process):
    1080  Quotation #01521.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\word.exe"

- Suspicious use of SetThreadContext (1 IoC)
    PID 108 (word.exe) set thread context of PID 660 (word.exe)

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: word.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (PID, process, event count):
    1080  Quotation #01521.exe  5
    108   word.exe              2

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege
    1080  Quotation #01521.exe
    108   word.exe
    660   word.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  Source -> target (event count):
    PID 1080 (Quotation #01521.exe) wrote to memory of PID 1892 (cmd.exe)  4
    PID 1892 (cmd.exe) wrote to memory of PID 1728 (reg.exe)               4
    PID 1080 (Quotation #01521.exe) wrote to memory of PID 108 (word.exe)  4
    PID 108 (word.exe) wrote to memory of PID 660 (word.exe)                8
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation #01521.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation #01521.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\word.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\word.exe"
      - Adds Run key to start application
  - C:\Users\Admin\word.exe
    Command line: "C:\Users\Admin\word.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\word.exe
      Command line: "C:\Users\Admin\word.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\word.exe
  MD5: 73619a5f7eab7a80e0fbbd5c8493c9b4
  SHA1: 84db67126574c21ef3233518452876ad123b4aa1
  SHA256: 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
  SHA512: b92f4239da62411edcbf2378e67e28a307752f1b55d5977527e83069630a5d9894bb4f7138473da42f183b6fc5cdcb334aff76805acbae6908b35ed8716940c4
- \Users\Admin\word.exe
  MD5: 73619a5f7eab7a80e0fbbd5c8493c9b4
  SHA1: 84db67126574c21ef3233518452876ad123b4aa1
  SHA256: 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
  SHA512: b92f4239da62411edcbf2378e67e28a307752f1b55d5977527e83069630a5d9894bb4f7138473da42f183b6fc5cdcb334aff76805acbae6908b35ed8716940c4
- memory/108-13-0x0000000074CF0000-0x00000000753DE000-memory.dmp (6.9MB)
- memory/108-14-0x0000000000010000-0x0000000000011000-memory.dmp (4KB)
- memory/108-19-0x0000000000520000-0x0000000000521000-memory.dmp (4KB)
- memory/108-10-0x0000000000000000-mapping.dmp
- memory/108-18-0x00000000004B0000-0x00000000004BB000-memory.dmp (44KB)
- memory/660-21-0x000000000041B10E-mapping.dmp
- memory/660-24-0x0000000000150000-0x000000000016E000-memory.dmp (120KB)
- memory/660-23-0x0000000000150000-0x000000000016E000-memory.dmp (120KB)
- memory/660-25-0x0000000074CF0000-0x00000000753DE000-memory.dmp (6.9MB)
- memory/660-26-0x0000000000150000-0x0000000000152000-memory.dmp (8KB)
- memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp (6.9MB)
- memory/1080-5-0x0000000000280000-0x000000000029E000-memory.dmp (120KB)
- memory/1080-6-0x00000000002B0000-0x00000000002B1000-memory.dmp (4KB)
- memory/1080-3-0x0000000000C00000-0x0000000000C01000-memory.dmp (4KB)
- memory/1728-8-0x0000000000000000-mapping.dmp
- memory/1892-7-0x0000000000000000-mapping.dmp