Overview

overview

10

Static

static

af4bb34b48...06.vbs

windows7_x64

3

af4bb34b48...06.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    159s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-02-2022 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af4bb34b486434d235ff70d344e3fa4e6d56a83705e1cc288efe219edceded06.vbs

  • Size

    162KB

  • MD5

    c3c90a58ff247a052529de56f29ecf3c

  • SHA1

    aa62c39357984dfa208c1ff7a0b76dc200c37b4d

  • SHA256

    af4bb34b486434d235ff70d344e3fa4e6d56a83705e1cc288efe219edceded06

  • SHA512

    6427d3abddaf44ce8d11fe686cfdf3d0fddfe9c910da406416da646aaf172d4514dbbd1419b8c2ea6fce13c538beee22b8c46adb6a4360c4d3626ba65f9d02f3

Score
10/10
revengeratclienttrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:6699

Mutex

S1NTYL5X286LOEH

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af4bb34b486434d235ff70d344e3fa4e6d56a83705e1cc288efe219edceded06.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5aqmcxd5\5aqmcxd5.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5879.tmp" "c:\Users\Admin\AppData\Local\Temp\5aqmcxd5\CSC84953BFF5604410E8B8DACAE38284EE4.TMP"
          4⤵
            PID:2968
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:3388
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:2464
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:2492
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1844

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\5aqmcxd5\5aqmcxd5.dll
        MD5

        c3886f86d2729a72c90d8e76d7aef92b

        SHA1

        80cb3c9053977575a9a0a2c88da9abf71cbc8fd2

        SHA256

        6651ac2f07e9902ad2d587deaf22415e2d9eb724f1d2040ea8f80989e45cf555

        SHA512

        01c7515d1e704f7be3e2c29dc68b3caae64699d3bba0233b9eacc5c6bdf06987d58b49dac27418e437c766c74c27e206e8f73dfb1a3050d4ffde8d28e4342467

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
        MD5

        0572153c45a42e89a900e12008b17df6

        SHA1

        dcc2cb82ddce82d1d6b1b7fc3d7143b4b1b3bffc

        SHA256

        560cf733ab631e245bab376b9563d33f61376f99ef7a3a772abca6ef95c75d1b

        SHA512

        096bc3866773dd6feb978c0fed1596d08e3636584feaaad7c7db887410ffa6da4c453c5b82fe001d882e237a951884b1b747642cb43c8325ec1ba70aecff6fce

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES5879.tmp
        MD5

        a4f095f321e92cc329f4a17234002460

        SHA1

        118b182e56181faa873cf2a2b4fd83e32080cc2c

        SHA256

        869bfaff9647ad108e83f6c8568544d69b71bd74fb005ab9ba60747c1e33ce48

        SHA512

        6b16be5ba207a3f392dce37eacdb997384fa453d110958bea5fb82f7f01cfb683de6b692602745a2ac68167a6deecc57cffc4b2af474cacd917f009c1d64737a

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\5aqmcxd5\5aqmcxd5.0.cs
        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\5aqmcxd5\5aqmcxd5.cmdline
        MD5

        f91d7d48b3e0ba55171b8647a19a4e15

        SHA1

        275ea29d060fd0fd441cef2b7c0552aaa8b7a426

        SHA256

        c2ca77e797bfe0b04914dd67484d18532ac756fb79a1891e6613869a402e8fd9

        SHA512

        5906119ffb058fa023292c2ad7dec823a24c38f65d0c5a0885d4ed638d0c9401a946b1e87de60c2a07bb4aa45b5e0233dd99d2ad6880e41d261515b43a16257b

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\5aqmcxd5\CSC84953BFF5604410E8B8DACAE38284EE4.TMP
        MD5

        e87ae795b14bbb287f400d49ef1832f7

        SHA1

        bb0923ddca494a1b30226844e288e8732aeb35e6

        SHA256

        59ab3508ba5dc5f0f0309f71a1d908c01e3383e48309a5fe1ae2e4b52d03e5b5

        SHA512

        1712d569163c7d5d63029973880723597f202a247c67f01fa205c4f316a139790e2dd4f385ca670689c66c20132c65643aa4439af38dab6663d131062d3ed2c5

        Download Submit
      • memory/2884-140-0x0000020B76B13000-0x0000020B76B15000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2884-142-0x0000020B79050000-0x0000020B790C6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2884-141-0x0000020B76B16000-0x0000020B76B18000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2884-130-0x00007FFA6CA43000-0x00007FFA6CA45000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2884-139-0x0000020B76B10000-0x0000020B76B12000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2884-137-0x0000020B5CD90000-0x0000020B5CDB2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3388-149-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3388-151-0x0000000074D9E000-0x0000000074D9F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3388-152-0x0000000005630000-0x0000000005BD4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3388-153-0x0000000005270000-0x000000000530C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3388-154-0x00000000051C0000-0x00000000051C1000-memory.dmp
        Filesize

        4KB

        Download