Analysis

  • max time kernel
    115s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07/06/2021, 05:42 UTC

General

  • Target

    Inquiry for PR#4200027219 2.exe

  • Size

    999KB

  • MD5

    97ef10ac31850230463b782f6739b5b5

  • SHA1

    4d371844e5961b734c69da1d51d288b295a40961

  • SHA256

    86ff5481ed934d43bc54c3a0d9989958c0de24aec0fb74404dac36a594193ed2

  • SHA512

    d465dcd228c6920e31030fa06b8168815081a9012f6c3fc45de853537058b13de716cebb1af6964dab0ecdfb33969ea3e247da9081c5b7e13f24e1d0c15c5a60

Malware Config

Extracted

Family

revengerat

Botnet

DEGRACE

C2

77.247.110.178:5040

Mutex

RV_MUTEX-MB4S0YIGA6UFWH10GXQLHP

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; for a RAT such as this sample, drive enumeration is more consistent with host fingerprinting, so read it alongside the other signatures rather than on its own.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry for PR#4200027219 2.exe
    "C:\Users\Admin\AppData\Local\Temp\Inquiry for PR#4200027219 2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\viHuopmlnVpk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1376
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      PID:1700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Checks processor information in registry
      PID:364

  Reading the tree: both MSBuild.exe instances are children of the dropper (depth 2), not of each other. The dropper is a 32-bit process (its call to System32\schtasks.exe was redirected to SysWOW64, and it uses the 32-bit Framework directory), it carries the SetThreadContext and WriteProcessMemory signatures, and the two MSBuild.exe children start with no arguments, one of which then reads processor information and owns the C2 flow below. That combination is what a hollowing of MSBuild.exe looks like from the outside; the sandbox does not show the injected image itself here.
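As an added example (not part of the sandbox report), the process tree above replayed as constructed Sysmon-style events, with the three checks a detection engineer would key on from this report: schtasks registering a task from an XML file in a user's Temp directory, a .NET host binary started with no arguments by something that is not a build tool, and that host making an outbound connection. PIDs, images, command lines and the C2 endpoint are copied from the report; the dropper's parent PID (1000), the PID behind the network flow (364) and the host/parent allow-lists are assumptions the report does not state.

```python
"""Replay of the report's process tree as constructed Sysmon-style events,
with detection checks for the behaviours it shows. Added example, not the
sandbox's own code; see the comments for what is assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:  # subset of Sysmon Event ID 1 (process creation)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:  # subset of Sysmon Event ID 3 (network connection)
    pid: int
    dst_ip: str
    dst_port: int


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Inquiry for PR#4200027219 2.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed from the report. PPIDs follow the tree's nesting; the dropper's
# own parent (1000) and the flow's PID (364) are assumed, the report omits them.
PROC_EVENTS = [
    ProcEvent(1608, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1376, 1608, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\viHuopmlnVpk" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp"'),
    ProcEvent(1700, 1608, MSBUILD, f'"{MSBUILD}"'),
    ProcEvent(364, 1608, MSBUILD, f'"{MSBUILD}"'),
]
NET_EVENTS = [NetEvent(364, "77.247.110.178", 5040)]

USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Signed .NET utilities at fixed paths; common hollowing targets (assumed list).
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
# Parents that legitimately spawn MSBuild (assumed list; tune to the estate).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style argv split: a double-quoted run is one token, quotes removed."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def arg_after(argv: list[str], switch: str) -> str | None:
    """Value following a case-insensitive switch such as /XML, or None."""
    low = [a.lower() for a in argv]
    if switch in low and low.index(switch) + 1 < len(argv):
        return argv[low.index(switch) + 1]
    return None


def check_schtasks_from_temp(ev: ProcEvent) -> str | None:
    """schtasks /Create whose task definition XML sits in a user's Temp directory."""
    if basename(ev.image) != "schtasks.exe":
        return None
    argv = split_cmdline(ev.cmdline)
    if "/create" not in (a.lower() for a in argv):
        return None
    xml = arg_after(argv, "/xml")
    if xml and USER_TEMP.match(xml):
        return f"scheduled task {arg_after(argv, '/tn')!r} registered from Temp XML {xml}"
    return None


def check_hollowed_dotnet_host(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> str | None:
    """A .NET host binary started with no arguments by a non-build-tool parent."""
    if basename(ev.image) not in DOTNET_HOSTS or len(split_cmdline(ev.cmdline)) > 1:
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or basename(parent.image) in BUILD_PARENTS:
        return None
    return f"{basename(ev.image)} started with no arguments by {parent.image} (pid {parent.pid})"


def check_host_beacon(net: NetEvent, by_pid: dict[int, ProcEvent]) -> str | None:
    """Outbound connection from a host binary that has no business on the network."""
    proc = by_pid.get(net.pid)
    if proc is None or basename(proc.image) not in DOTNET_HOSTS:
        return None
    return f"{basename(proc.image)} (pid {net.pid}) connected to {net.dst_ip}:{net.dst_port}"


def detect(procs: list[ProcEvent], nets: list[NetEvent]) -> list[tuple[int, str]]:
    """Run every check over the event set; returns (pid, finding) pairs in event order."""
    by_pid = {p.pid: p for p in procs}
    hits: list[tuple[int, str]] = []
    for p in procs:
        for finding in (check_schtasks_from_temp(p), check_hollowed_dotnet_host(p, by_pid)):
            if finding:
                hits.append((p.pid, finding))
    for n in nets:
        finding = check_host_beacon(n, by_pid)
        if finding:
            hits.append((n.pid, finding))
    return hits


if __name__ == "__main__":
    for pid, finding in detect(PROC_EVENTS, NET_EVENTS):
        print(f"[pid {pid}] {finding}")
```

Against the constructed events this yields four findings: the Temp-sourced task for PID 1376, the argument-less MSBuild.exe for PIDs 1700 and 364, and the beacon from 364. The no-arguments test is what keeps the second check quiet on real builds, where MSBuild always receives a project path or switches; the parent allow-list only matters for the rare argument-less launch from a build tool.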

Network

  • 77.247.110.178:5040
    Process: MSBuild.exe
    1.3kB, 843 B, 15, 18 (byte and packet counts from the sandbox's flow table; the column headers were not preserved in this extract)

MITRE ATT&CK Enterprise v6


Downloads

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp.

  • memory/364-68-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
  • memory/364-70-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
  • memory/364-72-0x0000000004C80000-0x0000000004C81000-memory.dmp (4KB)
  • memory/1608-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (4KB)
  • memory/1608-62-0x00000000045C0000-0x00000000045C1000-memory.dmp (4KB)
  • memory/1608-63-0x0000000000380000-0x000000000039E000-memory.dmp (120KB)
  • memory/1608-64-0x0000000002370000-0x00000000023D2000-memory.dmp (392KB)
  • memory/1608-65-0x0000000000560000-0x0000000000578000-memory.dmp (96KB)

The 0x400000-0x40C000 region, dumped twice from PID 364 (the MSBuild.exe instance that reads processor information), is the default preferred base of a 32-bit executable and the natural place to look for the injected image when checking where the configuration above was extracted from.
