Analysis
max time kernel: 134s
max time network: 142s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 04:14
Static task: static1
Behavioral task: behavioral1 (sample: sample.exe, resource: win7-en-20211208)
Behavioral task: behavioral2 (sample: sample.exe, resource: win10v2004-en-20220113)
General
Target: sample.exe
Size: 102KB
MD5: f6eec1317ece3ffb7c4916e224d9734d
SHA1: a3447ba9b83f30284c6d3effb45c31ad9d5f258f
SHA256: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790
SHA512: 36f13789fb55fc017c7cdbfe2eb3d8993fba913986f772a9ca096686256a10f4011a4af6b6187c2b45873d1e5fc00a993b1e5f9571a9609d967ad7be57e778d2
Malware Config
Extracted
Family: revengerat
ID: system
C2: 47.100.84.12:55656
Mutex: RV_MUTEX-QZblRvZwfRtNH
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (2 IoCs)
Resource                                      YARA rule
C:\Users\Admin\AppData\Roaming\system.exe     revengerat
C:\Users\Admin\AppData\Roaming\system.exe     revengerat
(two identical hits on the same dropped file)

Executes dropped EXE (1 IoC)
PID     Process
1480    system.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Process: system.exe
Action: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\system.exe"
The Run value name and the dropped file name both reuse the "system" string from the extracted config.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour, but on its own it only shows drive enumeration and does not by itself indicate any encryption activity.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID     Process       Token
1564    sample.exe    SeDebugPrivilege
1480    system.exe    SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
Source PID   Source process   Target PID   Target process
1564         sample.exe       1480         system.exe
1564         sample.exe       1480         system.exe
1564         sample.exe       1480         system.exe
All three writes go from the original sample into the dropped copy it spawned (see the process tree below). A parent enabling SeDebugPrivilege and then writing into the memory of a child it just created is the pattern to hunt for in EDR process-access telemetry.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\system.exe (child of [1])
        Command line: "C:\Users\Admin\AppData\Roaming\system.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
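The indicators in the sections above (the Run-key value pointing into AppData\Roaming, the dropped self-copy carrying the sample's hash, the C2 address and port, and the parent-to-child WriteProcessMemory from pid 1564 into 1480) turned into detection logic. This is an added example, not part of the sandbox report and not RevengeRAT's own code. The event records are constructed, and their field names follow a Sysmon-like schema (EventID 1 process create with a Hashes string, 3 network connect, 10 process access with GrantedAccess, 13 registry value set) that is assumed here rather than taken from any real export; the pid values and paths mirror the report.

```python
import re

# Indicators copied from the report above.
SAMPLE_SHA256 = "bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790"
C2 = ("47.100.84.12", 55656)
MUTEX = "RV_MUTEX-QZblRvZwfRtNH"  # checked with handle/memory scans on a host, not by these events
PROCESS_VM_WRITE = 0x0020          # access right WriteProcessMemory needs on the target handle

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$", re.I)
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.I)


def run_key_persistence(ev):
    """EventID 13: a Run entry whose data points at an EXE under %AppData%\\Roaming."""
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    target = ev.get("Details", "").strip('"')
    if m and ROAMING_EXE.search(target):
        return f"Run key '{m['name']}' -> {target} set by {ev['Image']}"
    return None


def c2_contact(ev):
    """EventID 3: outbound connection to the extracted C2 address and port."""
    if (ev.get("DestinationIp"), ev.get("DestinationPort")) == C2:
        return f"{ev['Image']} connected to {C2[0]}:{C2[1]}"
    return None


def dropped_copy(ev):
    """EventID 1: a process started from %AppData%\\Roaming whose SHA256 equals the
    sample's, i.e. the self-copy the report shows (system.exe carries sample.exe's hashes)."""
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    if hashes.get("SHA256", "").lower() == SAMPLE_SHA256 and ROAMING_EXE.search(ev.get("Image", "")):
        return f"self-copy of sample running as {ev['Image']} (pid {ev['ProcessId']})"
    return None


def parent_writes_into_child(events):
    """EventID 1 + EventID 10: a parent opening a child it spawned with PROCESS_VM_WRITE,
    the WriteProcessMemory pattern the report shows for pid 1564 -> 1480. Access from
    unrelated processes (AV scanners, debuggers) does not match."""
    children = {(e["ParentProcessId"], e["ProcessId"]) for e in events if e.get("EventID") == 1}
    hits = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        pair = (e["SourceProcessId"], e["TargetProcessId"])
        if pair in children and int(e["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            hits.append(f"{e['SourceImage']} (pid {pair[0]}) wrote into its child pid {pair[1]}")
    return hits


def triage(events):
    """Run every check over a list of event dicts and return the findings as strings."""
    per_event = {13: run_key_persistence, 3: c2_contact, 1: dropped_copy}
    findings = []
    for ev in events:
        check = per_event.get(ev.get("EventID"))
        if check and (hit := check(ev)):
            findings.append(hit)
    findings.extend(parent_writes_into_child(events))
    return findings


# Constructed telemetry mirroring the report's process tree, plus two benign events.
SID = r"HKU\S-1-5-21-2329389628-4064185017-3901522362-1000"
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "ProcessId": 1480, "ParentProcessId": 1564,
     "Image": r"C:\Users\Admin\AppData\Roaming\system.exe", "Hashes": f"SHA256={SAMPLE_SHA256}"},
    {"EventID": 10, "SourceProcessId": 1564, "TargetProcessId": 1480, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\system.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\system",
     "Details": r"C:\Users\Admin\AppData\Roaming\system.exe"},
    {"EventID": 3, "Image": r"C:\Users\Admin\AppData\Roaming\system.exe",
     "DestinationIp": "47.100.84.12", "DestinationPort": 55656},
    # benign: a vendor updater registering itself from Program Files
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # benign: an AV engine querying the child with read-only rights from an unrelated pid
    {"EventID": 10, "SourceProcessId": 900, "TargetProcessId": 1480, "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Program Files\AV\engine.exe"},
]

if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_EVENTS):
        print(finding)
```

The parent/child constraint on the process-access check is what keeps it quiet: AV and EDR agents open many processes with PROCESS_VM_READ and query rights, so alerting only on PROCESS_VM_WRITE from a process into a child it created stays close to what the report shows for 1564 -> 1480. The mutex name is kept as a constant because it is not visible in this kind of event stream; it is the indicator to use in a live-host handle or memory scan.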
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\system.exe
MD5: f6eec1317ece3ffb7c4916e224d9734d
SHA1: a3447ba9b83f30284c6d3effb45c31ad9d5f258f
SHA256: bbd3ecd9e9671d94e8897980c4eb9391ae9cb444615ed9a93b8221ae8fa66790
SHA512: 36f13789fb55fc017c7cdbfe2eb3d8993fba913986f772a9ca096686256a10f4011a4af6b6187c2b45873d1e5fc00a993b1e5f9571a9609d967ad7be57e778d2
(listed twice with identical hashes; every hash equals the sample's in the General section, so the dropped system.exe is a byte-for-byte copy of sample.exe)

Memory dumps
memory/1480-58-0x000007FEF15B0000-0x000007FEF2646000-memory.dmp   16.6MB
memory/1480-59-0x0000000000A60000-0x0000000000B62000-memory.dmp   1.0MB
memory/1564-55-0x00000000021E0000-0x00000000021E2000-memory.dmp   8KB
memory/1564-54-0x000007FEF15B0000-0x000007FEF2646000-memory.dmp   16.6MB
(the same 16.6MB region at 0x000007FEF15B0000 is dumped from both pid 1564 and pid 1480)