Analysis

  • max time kernel
    107s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07/06/2021, 05:42 UTC

General

  • Target

    MID REF. QT-MID19=11777.exe

  • Size

    991KB

  • MD5

    39082bcd7e25ae956fccb7e941d5256d

  • SHA1

    8b4f9fd2198af765dcce75c0222919c638e4fa29

  • SHA256

    05233a50ac2c427372ab8475a2f4dc5f031f87af0cc916dc824a2c66837afc4e

  • SHA512

    dff7aba7f2e5bb65d1aa506a1f6770f4f7761aa17f28bfcdaca407b0aa7ae3b6bf0fd3599fc0dd979418313c4aa26930aec99ed89ba420811cdce9010940f41c

Malware Config

Extracted

Family

revengerat

Botnet

DEGRACE

C2

77.247.110.178:5040

Mutex

RV_MUTEX-MB4S0YIGA6UFWH10GXQLHP

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe
    "C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UFyRUWFip" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe
      "C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"
      2⤵
      • Checks processor information in registry
      PID:484

Network

  • No results found
  • 77.247.110.178:5040
    MID REF. QT-MID19=11777.exe
    1.2kB
    745 B
    14
    16

MITRE ATT&CK Enterprise v6


Downloads

  • memory/320-59-0x0000000001290000-0x0000000001291000-memory.dmp

    Filesize

    4KB

  • memory/320-61-0x00000000005E0000-0x00000000005FE000-memory.dmp

    Filesize

    120KB

  • memory/320-62-0x0000000004F00000-0x0000000004F01000-memory.dmp

    Filesize

    4KB

  • memory/320-63-0x00000000011F0000-0x0000000001254000-memory.dmp

    Filesize

    400KB

  • memory/320-64-0x0000000000A20000-0x0000000000A39000-memory.dmp

    Filesize

    100KB

  • memory/484-67-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/484-69-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/484-71-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB
