Analysis
-
max time kernel
107s -
max time network
179s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
07-06-2021 05:42
General
-
Target
MID REF. QT-MID19=11777.exe
-
Size
991KB
-
MD5
39082bcd7e25ae956fccb7e941d5256d
-
SHA1
8b4f9fd2198af765dcce75c0222919c638e4fa29
-
SHA256
05233a50ac2c427372ab8475a2f4dc5f031f87af0cc916dc824a2c66837afc4e
-
SHA512
dff7aba7f2e5bb65d1aa506a1f6770f4f7761aa17f28bfcdaca407b0aa7ae3b6bf0fd3599fc0dd979418313c4aa26930aec99ed89ba420811cdce9010940f41c
Score
10/10
Malware Config
Extracted
Family
revengerat
Botnet
DEGRACE
C2
77.247.110.178:5040
Mutex
RV_MUTEX-MB4S0YIGA6UFWH10GXQLHP
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UFyRUWFip" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"2⤵
- Checks processor information in registry
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
400KB
-
Filesize
100KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4KB