Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 17-05-2021 07:17
Static task: static1
Behavioral task: behavioral1
- Sample: 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe
- Resource: win10v20210408
General
- Target: 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe
- Size: 1022KB
- MD5: 000df32a4515aeedb77f7e2968c4d7b9
- SHA1: 715e7348aba3664c789f6375b728373ec1c185aa
- SHA256: 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386
- SHA512: 74e07b60d942f8907b66e6eb74e1984e05111c87db085bfae5df02dea94bc409de82df54bb1b4cab7313cc052a614331c067f0852c5cbdee581fb21bdd3f578e
Malware Config
Extracted
- Family: revengerat
- Botnet: ENE20
- C2: rever2019.duckdns.org:4230
- Mutex: RV_MUTEX-GaKuSAtYBxGgZ
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/988-114-0x0000000000400000-0x0000000000408000-memory.dmp | revengerat
  behavioral2/memory/988-118-0x0000000000405DEE-mapping.dmp | revengerat
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 596 set thread context of 988 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 988 | RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 596 wrote to memory of 988 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | RegAsm.exe
  PID 596 wrote to memory of 988 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | RegAsm.exe
  PID 596 wrote to memory of 988 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | RegAsm.exe
  PID 596 wrote to memory of 988 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | RegAsm.exe
  PID 596 wrote to memory of 988 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | RegAsm.exe
  PID 596 wrote to memory of 2964 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | schtasks.exe
  PID 596 wrote to memory of 2964 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | schtasks.exe
  PID 596 wrote to memory of 2964 | 596 | 36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\36e41f411caa8c2bcdb0d95ef65363f6a5c3aece45d1b2ff476a7d806b779386.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn /tr "C:\Users\Admin\AppData\Roaming\findstr\BdeSysprep.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
Downloads
- memory/596-119-0x00000000010F0000-0x000000000123A000-memory.dmp (Filesize: 1.3MB)
- memory/988-114-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/988-118-0x0000000000405DEE-mapping.dmp
- memory/988-120-0x0000000002B80000-0x0000000002B81000-memory.dmp (Filesize: 4KB)
- memory/2964-121-0x0000000000000000-mapping.dmp