Analysis
- max time kernel: 133s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe
  Resource: win10v2004-en-20220113
General
- Target: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe
- Size: 102KB
- MD5: f6eec1317ece3ffb7c4916e224d9734d
- SHA1: a3447ba9b83f30284c6d3effb45c31ad9d5f258f
- SHA256: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790
- SHA512: 36f13789fb55fc017c7cdbfe2eb3d8993fba913986f772a9ca096686256a10f4011a4af6b6187c2b45873d1e5fc00a993b1e5f9571a9609d967ad7be57e778d2
Malware Config
Extracted
- Family: revengerat
- system
- C2: 47.100.84.12:55656
- Mutex: RV_MUTEX-QZblRvZwfRtNH
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Roaming\system.exe | revengerat
    C:\Users\Admin\AppData\Roaming\system.exe | revengerat
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1624 | system.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\system.exe" | system.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 744 | bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe
    Token: SeDebugPrivilege | 1624 | system.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 744 wrote to memory of 1624 | 744 | bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe | system.exe
    PID 744 wrote to memory of 1624 | 744 | bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe | system.exe
    PID 744 wrote to memory of 1624 | 744 | bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe | system.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\system.exe
    Command line: "C:\Users\Admin\AppData\Roaming\system.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\system.exe
  MD5: f6eec1317ece3ffb7c4916e224d9734d
  SHA1: a3447ba9b83f30284c6d3effb45c31ad9d5f258f
  SHA256: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790
  SHA512: 36f13789fb55fc017c7cdbfe2eb3d8993fba913986f772a9ca096686256a10f4011a4af6b6187c2b45873d1e5fc00a993b1e5f9571a9609d967ad7be57e778d2
- C:\Users\Admin\AppData\Roaming\system.exe
  MD5: f6eec1317ece3ffb7c4916e224d9734d
  SHA1: a3447ba9b83f30284c6d3effb45c31ad9d5f258f
  SHA256: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790
  SHA512: 36f13789fb55fc017c7cdbfe2eb3d8993fba913986f772a9ca096686256a10f4011a4af6b6187c2b45873d1e5fc00a993b1e5f9571a9609d967ad7be57e778d2
- memory/744-55-0x0000000001DF0000-0x0000000001DF2000-memory.dmp
  Filesize: 8KB
- memory/744-54-0x000007FEF23C0000-0x000007FEF3456000-memory.dmp
  Filesize: 16.6MB
- memory/1624-58-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp
  Filesize: 16.6MB
- memory/1624-59-0x0000000001E90000-0x0000000001E92000-memory.dmp
  Filesize: 8KB