Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-01-2022 07:43
Static task: static1
Behavioral task: behavioral1
- Sample: SKM-21022100.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: SKM-21022100.js
- Resource: win10-en-20211208
General
- Target: SKM-21022100.js
- Size: 213KB
- MD5: 0618efa95ebe9c933466fdf795961c43
- SHA1: 6e93f7b03f1149f821b57176a4b838c7365572ac
- SHA256: 7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074
- SHA512: e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42
Malware Config
Extracted
- Family: revengerat
- NyanCatRevenge
- C2: macjoe597.duia.ro:3175
- 1e858dc786914c61
Extracted
- Family: bitrat
- Version: 1.38
- C2: severdops.ddns.net:3071
- communication_password: 29ef52e7563626a96cea7f4b4085c124
- tor_process: tor
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 5, pid 1588, process wscript.exe
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
- pid 568, process macjoe597.exe
- pid 2000, process dt.exe
Looks for VMWare Tools registry key 2 TTPs
-
Resources:
- behavioral1/memory/808-90-0x0000000000400000-0x00000000007E5000-memory.dmp (yara_rule: upx)
- behavioral1/memory/808-91-0x0000000000400000-0x00000000007E5000-memory.dmp (yara_rule: upx)
- behavioral1/memory/808-92-0x0000000000400000-0x00000000007E5000-memory.dmp (yara_rule: upx)
- behavioral1/memory/808-93-0x0000000000400000-0x00000000007E5000-memory.dmp (yara_rule: upx)
- behavioral1/memory/808-95-0x0000000000400000-0x00000000007E5000-memory.dmp (yara_rule: upx)
- behavioral1/memory/808-97-0x0000000000400000-0x00000000007E5000-memory.dmp (yara_rule: upx)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process dt.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process dt.exe)
Deletes itself 1 IoCs
Processes:
- pid 1588, process wscript.exe
Windows security modification
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (process dt.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions (process dt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe = "0" (process dt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dt.exe = "0" (process dt.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe" (process dt.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe" (process dt.exe)
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process dt.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process dt.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
- pid 808, process ServiceModelReg.exe (5 occurrences)
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2000 set thread context of 808 (process dt.exe, target process ServiceModelReg.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
- pid 2000, process dt.exe (4 occurrences)
- pid 612, process powershell.exe
- pid 1728, process powershell.exe
- pid 532, process powershell.exe
- pid 2000, process dt.exe (8 occurrences)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
- Token: SeDebugPrivilege, pid 2000, process dt.exe
- Token: SeDebugPrivilege, pid 612, process powershell.exe
- Token: SeDebugPrivilege, pid 1728, process powershell.exe
- Token: SeDebugPrivilege, pid 532, process powershell.exe
- Token: SeDebugPrivilege, pid 808, process ServiceModelReg.exe
- Token: SeShutdownPrivilege, pid 808, process ServiceModelReg.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 808, process ServiceModelReg.exe (2 occurrences)
Suspicious use of WriteProcessMemory 39 IoCs
Processes (39 rows, grouped by source and target; counts are the number of identical rows):
- PID 1588 wrote to memory of 564 (process wscript.exe, target process wscript.exe): 3 rows
- PID 564 wrote to memory of 568 (process wscript.exe, target process macjoe597.exe): 4 rows
- PID 1588 wrote to memory of 2000 (process wscript.exe, target process dt.exe): 4 rows
- PID 2000 wrote to memory of 612 (process dt.exe, target process powershell.exe): 4 rows
- PID 2000 wrote to memory of 532 (process dt.exe, target process powershell.exe): 4 rows
- PID 2000 wrote to memory of 1728 (process dt.exe, target process powershell.exe): 4 rows
- PID 2000 wrote to memory of 960 (process dt.exe, target process regtlibv12.exe): 4 rows
- PID 2000 wrote to memory of 808 (process dt.exe, target process ServiceModelReg.exe): 12 rows
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\SKM-21022100.js
  - Blocklisted process makes network request
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AGAzSHOPvp.js"
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Roaming\macjoe597.exe
      Command line: "C:\Users\Admin\AppData\Roaming\macjoe597.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\dt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dt.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Windows security modification
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dt.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dt.exe
MD5: 9401cf9f73dfb187bf4cef05d8cfe72b
SHA1: 4af6544d8c94bb673f826a0ba4d24698150b1089
SHA256: bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45
SHA512: 8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4
-
C:\Users\Admin\AppData\Roaming\AGAzSHOPvp.js
MD5: a4488cacb74d99f2405ca976cd453f93
SHA1: 05ccc361149ff5d3d1cf21c77aa43e9d10bc78bf
SHA256: 58ed5a2f5df34e6652863ea2a44a4bf2e1f05cd1e771b74893fddeaa51d6fe19
SHA512: df9728cc9aa5a129b416936e94d3e599df8d64e34375677c8f2100bdac772c1728b886b22c83b5f453dd993880db104ecabe9d2ae0c4b426f8ddfe6a05c1c8de
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5: 41a4df4af2ff97e734341712c17eb74d
SHA1: 9bb29ee31ce650864dec138002ebb167d0ae7dde
SHA256: 9ea6c610b91615f16bc092e16e69188cf93341a66774edc2d4715651f353c1a2
SHA512: dbdeb18ad43d017434ae8f34840e2ae22a461badcd77864d509368fcc961e5648b0f596a8e1b3db6e27654ebca7f1a9e2ce97e70f8e9513edcb879e719360e65
-
C:\Users\Admin\AppData\Roaming\macjoe597.exe
MD5: 6f2422ca1b1665f0c181784b3738e100
SHA1: 0ec0385993acd6fd49a13e670bc62904e7067e02
SHA256: 977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85
SHA512: e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34
Memory dumps (Filesize given where the report lists one; mapping dumps have none):
- memory/532-81-0x0000000002390000-0x0000000002FDA000-memory.dmp, Filesize 12.3MB
- memory/532-74-0x0000000000000000-mapping.dmp
- memory/532-88-0x0000000002390000-0x0000000002FDA000-memory.dmp, Filesize 12.3MB
- memory/532-83-0x0000000002390000-0x0000000002FDA000-memory.dmp, Filesize 12.3MB
- memory/564-57-0x000007FEFB531000-0x000007FEFB533000-memory.dmp, Filesize 8KB
- memory/564-55-0x0000000000000000-mapping.dmp
- memory/568-58-0x0000000000000000-mapping.dmp
- memory/568-62-0x0000000000B00000-0x0000000000B01000-memory.dmp, Filesize 4KB
- memory/568-61-0x0000000075191000-0x0000000075193000-memory.dmp, Filesize 8KB
- memory/612-73-0x0000000000000000-mapping.dmp
- memory/612-80-0x0000000001BF0000-0x0000000001BF1000-memory.dmp, Filesize 4KB
- memory/612-87-0x0000000001BF2000-0x0000000001BF4000-memory.dmp, Filesize 8KB
- memory/612-85-0x0000000001BF1000-0x0000000001BF2000-memory.dmp, Filesize 4KB
- memory/808-92-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/808-93-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/808-89-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/808-94-0x00000000007E2730-mapping.dmp
- memory/808-91-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/808-95-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/808-97-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/808-90-0x0000000000400000-0x00000000007E5000-memory.dmp, Filesize 3.9MB
- memory/1728-75-0x0000000000000000-mapping.dmp
- memory/1728-82-0x00000000024F0000-0x00000000024F1000-memory.dmp, Filesize 4KB
- memory/1728-84-0x00000000024F1000-0x00000000024F2000-memory.dmp, Filesize 4KB
- memory/1728-86-0x00000000024F2000-0x00000000024F4000-memory.dmp, Filesize 8KB
- memory/2000-68-0x0000000000A00000-0x0000000000A01000-memory.dmp, Filesize 4KB
- memory/2000-63-0x0000000000000000-mapping.dmp
- memory/2000-66-0x0000000001020000-0x000000000125C000-memory.dmp, Filesize 2.2MB
- memory/2000-67-0x0000000000580000-0x0000000000588000-memory.dmp, Filesize 32KB
- memory/2000-71-0x0000000006000000-0x000000000620C000-memory.dmp, Filesize 2.0MB
- memory/2000-69-0x0000000000610000-0x0000000000618000-memory.dmp, Filesize 32KB
- memory/2000-70-0x0000000000620000-0x0000000000628000-memory.dmp, Filesize 32KB
- memory/2000-72-0x0000000000A40000-0x0000000000AD4000-memory.dmp, Filesize 592KB