Analysis

  • max time kernel
    173s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-02-2022 09:03

General

  • Target

    3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1

  • Size

    45KB

  • MD5

    61daa29f8789c8955145c4fd95d082a2

  • SHA1

    92277533be60b333f4e79b1f6e5d821cfa9f818e

  • SHA256

    3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3

  • SHA512

    21dc0806c3337121cb68ed5a4d552fac992371b02fbbb664dd703c6cf586082d02c74db82261405e1af6acab3524c0b48eed12d1270cdfa5c9fc0a3faa2757b3

Malware Config

Extracted

  • Family
    revengerat
  • Botnet
    Client
  • C2
    kimjoy.ddns.net:2021
  • Mutex
    RXQLV8XYTDNHNSA

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Suspicious use of SetThreadContext 1 IoCs

    Changing another process's thread context after writing into its memory is the usual final step of process hollowing or thread hijacking. Here it is attributed to powershell.exe (PID 3484), which also spawned two InstallUtil.exe processes with no arguments (PIDs 3116 and 3084).

  • Drops file in Windows directory 3 IoCs

    In this run the IoCs come from svchost.exe (PID 1340) and TiWorker.exe (PID 1020), both Windows servicing components that are not part of the sample's process tree; treat them as background noise.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments. Here the signature fired on MusNotifyIcon.exe (PID 3588), the Windows Update notification icon, not on the sample or its children.

  • Modifies data under HKEY_USERS 49 IoCs

    Attributed to svchost.exe (PID 1340); same caveat as above.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

    Attributed to powershell.exe (PID 3484) and csc.exe (PID 3604). Together with SetThreadContext and the 40KB region dumped at 0x400000 in InstallUtil.exe (PID 3084), this is consistent with the PowerShell loader injecting the RevengeRAT payload into an argument-less InstallUtil.exe.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845B.tmp" "c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\CSC7A2DEC3B425F460EA466ECAE35C934A.TMP"
        3⤵
        PID:3788
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      PID:3116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      PID:3084
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3588
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1340
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1020
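
The chain in the tree above (PowerShell started with -ExecutionPolicy bypass, csc.exe compiling a response file under the user's Temp directory, then InstallUtil.exe launched twice with no arguments from the same PowerShell) can be matched from process-creation telemetry. The script below is an added detection example and is not part of the sandbox report or of any vendor's rule set. The event records are constructed to mirror the report's tree (field names follow Sysmon Event ID 1; the PowerShell parent PID 800, the two benign look-alike events and the rule names are assumptions), and the rules are correlated per parent so that a single argument-less InstallUtil.exe alone does not escalate.

```python
"""Added example (not part of the sandbox report): flag the execution chain
seen above from process-creation events. Field names follow Sysmon Event
ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the records are
constructed to mirror the report's tree plus two benign look-alikes."""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3.ps1"

EVENTS = [  # constructed; PIDs follow the report where it names them
    {"ProcessId": 3484, "ParentProcessId": 800, "Image": PS,
     "CommandLine": f"powershell.exe -ExecutionPolicy bypass -File {SAMPLE}"},
    {"ProcessId": 3604, "ParentProcessId": 3484, "Image": CSC,
     "CommandLine": f'"{CSC}" /noconfig /fullpaths '
                    r'@"C:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.cmdline"'},
    {"ProcessId": 3116, "ParentProcessId": 3484, "Image": IU, "CommandLine": f'"{IU}"'},
    {"ProcessId": 3084, "ParentProcessId": 3484, "Image": IU, "CommandLine": f'"{IU}"'},
    # Benign look-alikes (assumed): an admin console registering a service
    # with InstallUtil, and a build driving csc.exe outside any Temp directory.
    {"ProcessId": 4099, "ParentProcessId": 800, "Image": PS,
     "CommandLine": "powershell.exe -NoLogo"},
    {"ProcessId": 4100, "ParentProcessId": 4099, "Image": IU,
     "CommandLine": f'"{IU}" /i "C:\\Program Files\\Vendor\\Service.exe"'},
    {"ProcessId": 4200, "ParentProcessId": 4199, "Image": CSC,
     "CommandLine": f'"{CSC}" /noconfig @"C:\\build\\app.rsp"'},
]

# A csc.exe response file (.cmdline) under a Temp directory is the footprint
# of PowerShell Add-Type compiling inline C#.
ADDTYPE_RSP = re.compile(r'@"?[^"\s]*\\Temp\\[^"\s]*\.cmdline"?', re.I)
EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|ex|exec)\s+bypass\b", re.I)


def exe_name(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def arguments_of(cmdline):
    """Everything after the executable token, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect(events):
    """Return (rule, pid) pairs. Children are judged against their parent's
    image, and the compile/target pair is correlated per PowerShell parent."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts, seen = [], defaultdict(set)
    for e in events:
        pid, cmd, img = e["ProcessId"], e["CommandLine"], exe_name(e["Image"])
        if img == "powershell.exe" and EP_BYPASS.search(cmd):
            alerts.append(("powershell_executionpolicy_bypass", pid))
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or exe_name(parent["Image"]) != "powershell.exe":
            continue
        ppid = parent["ProcessId"]
        if img == "csc.exe" and ADDTYPE_RSP.search(cmd):
            alerts.append(("powershell_addtype_compile_in_temp", pid))
            seen[ppid].add("compile")
        elif img == "installutil.exe" and arguments_of(cmd) == "":
            # InstallUtil.exe does nothing useful without an assembly argument;
            # a bare launch is a process created only to be written into.
            alerts.append(("powershell_spawns_argless_installutil", pid))
            seen[ppid].add("target")
    for ppid, tags in seen.items():
        if {"compile", "target"} <= tags:
            alerts.append(("inline_compile_then_argless_installutil", ppid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:45} pid={pid}")
```

The per-parent correlation is the part worth keeping: Add-Type on its own is common in administrative scripts, and InstallUtil.exe with arguments is how services are legitimately registered, so neither child alone should page anyone. The benign console (PID 4099) in the constructed data produces no alert for exactly that reason.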

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012) 1
  • System Information Discovery (T1082) 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES845B.tmp
    MD5 f43be45ed30c946b7b23fcffb695afe3
    SHA1 09beb91c2c735a8d0dfb8377eb8d1ee63b0755c3
    SHA256 7168e8f1a9d4e5de0584b30ca436bdcddfc04a0a9bddf4423dd90a942ad3cc2e
    SHA512 5e579c598902abda273c95cfbc646b047ecb47ee55ed471e2bfa2253472dd88157829eec06f4548e67de4bc5e06f15e2fc416d728e168ddc0b7621a9d29314c5

  • C:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.dll
    MD5 db5f8d4cda0c38c2d0631e058a13451d
    SHA1 2c8997052f5ab06870ea9d31d3d2fe374661a984
    SHA256 3bcaeb220a1cf288ebbb95e2b260697af385640b208e60a018f8ce75c5cc86fc
    SHA512 15dd23ee78de13dc1f9d29d24a2af4203e27eee77b9469673089038ff2007af9bcd855b189e43357b82d9d39f24ce468b9127b9a2b19648bacff96bf29648688

  • \??\c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\CSC7A2DEC3B425F460EA466ECAE35C934A.TMP
    MD5 6e1a3ffdc44c3d786c21d6d2d227f184
    SHA1 bdc6ae4c1aabb1c66b36ee08b61197c4be5c4cbc
    SHA256 6af0c2f3c54cc48d4fed3adb6ce83e4c6d1a33627fb53d7d6685dca0bb598bfb
    SHA512 ac122afc20bc53e4884ee3506981bc0484abf083667a97dfccae37f3937d0e679fb6e95bad3c5091a5a29e7ff5818bd0daaf4513c19005324ccee2be16b026c1

  • \??\c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.0.cs
    MD5 e03b1e7ba7f1a53a7e10c0fd9049f437
    SHA1 3bb851a42717eeb588eb7deadfcd04c571c15f41
    SHA256 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
    SHA512 a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

  • \??\c:\Users\Admin\AppData\Local\Temp\jv4lwnfs\jv4lwnfs.cmdline
    MD5 a90583aad62603a5d5e408360173651d
    SHA1 22d9ac4bf2aeb535d10ed05cc4c5e9142043f208
    SHA256 81a6a5e97920d59b013606355faf3a4d9b2622ecdd72c7b4ceacb1cce370280a
    SHA512 14007e61b2c917447c5e81598fb4e22ad8cbddc29287c717659997dfe060223c8a955eba7cbb8d25f6494ad00fe39a166e7cbba9bd1c9c0749b3d65934b7597a
  • memory/3084-150-0x000000007479E000-0x000000007479F000-memory.dmp
    Filesize 4KB
  • memory/3084-148-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize 40KB
  • memory/3084-151-0x0000000005E60000-0x0000000006404000-memory.dmp
    Filesize 5.6MB
  • memory/3084-152-0x0000000005A50000-0x0000000005A51000-memory.dmp
    Filesize 4KB
  • memory/3084-153-0x0000000005D40000-0x0000000005DDC000-memory.dmp
    Filesize 624KB
  • memory/3484-141-0x0000012476FB0000-0x0000012477026000-memory.dmp
    Filesize 472KB
  • memory/3484-140-0x0000012476AB6000-0x0000012476AB8000-memory.dmp
    Filesize 8KB
  • memory/3484-137-0x0000012476AB3000-0x0000012476AB5000-memory.dmp
    Filesize 8KB
  • memory/3484-136-0x0000012476A40000-0x0000012476A62000-memory.dmp
    Filesize 136KB
  • memory/3484-135-0x0000012476AB0000-0x0000012476AB2000-memory.dmp
    Filesize 8KB
  • memory/3484-134-0x00007FFB05963000-0x00007FFB05965000-memory.dmp
    Filesize 8KB
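
The jv4lwnfs directory listed above, with its .cmdline response file, .0.cs source and .dll output, is the residue that PowerShell's Add-Type leaves under the user's Temp directory after compiling inline C#; on a compromised host it is often the only copy of the loader's decompiled source. The script below is an added triage example, not part of the sandbox report: it scans a Temp root for directories of that shape and records sizes, SHA-256 hashes and the head of the source file. It builds its own throwaway tree so it runs offline; the directory names other than jv4lwnfs, the response-file text, the placeholder source and the function names are all constructed for the example and are not the sample's real contents.

```python
"""Added example (not part of the sandbox report): find the on-disk residue
of PowerShell Add-Type compilation, i.e. a Temp subdirectory with a random
8-character name holding <name>.cmdline, <name>.0.cs and <name>.dll. The
sample tree is built in a throwaway directory with constructed contents so
the script runs offline; on a live host pass the profile's Temp directory."""
import hashlib
import os
import re
import tempfile

NAME_RE = re.compile(r"^[a-z0-9]{8}$")
SUFFIXES = (".cmdline", ".0.cs", ".dll")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_addtype_residue(temp_root):
    """One record per directory that looks like an Add-Type build dir: its name
    is 8 lowercase alphanumerics and it holds <name>.cmdline or <name>.0.cs.
    The .dll may be gone if the loader deleted it, and RES*.tmp / CSC*.TMP
    are transient, so none of those are required for a hit."""
    hits = []
    for entry in os.scandir(temp_root):
        if not (entry.is_dir() and NAME_RE.match(entry.name)):
            continue
        present = {entry.name + s for s in SUFFIXES} & set(os.listdir(entry.path))
        if not ({entry.name + ".cmdline", entry.name + ".0.cs"} & present):
            continue
        files = {}
        for name in sorted(present):
            path = os.path.join(entry.path, name)
            files[name] = {"size": os.path.getsize(path), "sha256": sha256_of(path)}
        source = entry.name + ".0.cs"
        if source in files:  # keep the start of the source for quick triage
            with open(os.path.join(entry.path, source), "rb") as f:
                files[source]["head"] = f.read(200).decode("utf-8", "replace").strip()[:80]
        hits.append({"dir": entry.path, "files": files})
    return hits


def build_sample_tree(root):
    """Constructed tree: one build dir named like the report's jv4lwnfs, one
    8-char dir with unrelated files, one non-matching dir with a .cmdline."""
    d = os.path.join(root, "jv4lwnfs")
    os.makedirs(d)
    with open(os.path.join(d, "jv4lwnfs.0.cs"), "w") as f:
        f.write("using System;\nnamespace Stub { public class Loader { } }\n")  # placeholder
    with open(os.path.join(d, "jv4lwnfs.cmdline"), "w") as f:
        f.write('/t:library /out:"jv4lwnfs.dll" "jv4lwnfs.0.cs"\n')  # placeholder
    with open(os.path.join(d, "jv4lwnfs.dll"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # placeholder bytes, not a real assembly
    os.makedirs(os.path.join(root, "abcd1234"))
    open(os.path.join(root, "abcd1234", "notes.txt"), "w").close()
    os.makedirs(os.path.join(root, "build_output"))
    open(os.path.join(root, "build_output", "build_output.cmdline"), "w").close()
    return root


def demo():
    with tempfile.TemporaryDirectory() as root:
        return find_addtype_residue(build_sample_tree(root))


if __name__ == "__main__":
    for hit in demo():
        print(hit["dir"])
        for name, meta in hit["files"].items():
            print(f"  {name:20} {meta['size']:>6} {meta['sha256']}")
```

Hash the artifacts before anything else touches them: the .0.cs and .cmdline hashes in the report above are what let a second analyst confirm they recovered the same loader source from a different host.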