Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
02-02-2022 13:47
General
-
Target
Part Number Details.pdf.exe
-
Size
400KB
-
MD5
63a87210453b1e81a8edc2a0ea6608ae
-
SHA1
261668aff6c8b06a3549a6986dc095c69df013e1
-
SHA256
2e2cbdfac9cc07aa40c8dc0c8794f08631877dc2d0fd55762fb5e0aa598ad076
-
SHA512
9adc718742d4fbc923c5d17bd926c60c0292bc20e8b3417ed9699e1d52b9d8500b2df65d557081dfd7d7f47e75dab2730e1cf628667cad0f7198016a7699a003
Malware Config
Extracted
revengerat
NyanCatRevenge
mikekentroland48.ddns.net:6169
2b13c52691c84109
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Part Number Details.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Part Number Details.pdf.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Part Number Details.pdf.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WXNGVZhFshhea.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WXNGVZhFshhea" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF679.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Part Number Details.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Part Number Details.pdf.exe"2⤵
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8307efb6bdc721e97a8291babde16c12
SHA16b86fc2f5f0c11ab8d17b4361c164333bc0d1841
SHA256675489764f2ad3370a5e95052ff3a04f99f0f7354e358d988cb5cc8c638c7030
SHA51251e38f6e122b6245f628d403c8804ce4c53e7cccdb565c7048ac86e3d3ae800f2252f9adaaf37a3051b2a1a17c2f71fc8c7c57b705dd1f25463b659866ea5831
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
6.2MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
424KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB