Overview

overview

10

Static

static

721e44289a...61.ps1

windows7_x64

1

721e44289a...61.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    170s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-02-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    721e44289afb034e90a67fb97eb5efd4d469bc95ba9863f16aed5e5909c76c61.ps1

  • Size

    42KB

  • MD5

    2bd198d265d67c9f4021eca5bb341900

  • SHA1

    e3559a0d69e988877ce69d66b69cb41619521272

  • SHA256

    721e44289afb034e90a67fb97eb5efd4d469bc95ba9863f16aed5e5909c76c61

  • SHA512

    fa00e4b59b41ccbe865d342815001262323db96f99ebd30b1a5728111f9959c2e2775a5f279652649505ad23afe7a5551a705c650b985829cd2690f92f50e8f4

Score
10/10
revengeratclienttrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

RXQLV8XYTDNHNSA

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\721e44289afb034e90a67fb97eb5efd4d469bc95ba9863f16aed5e5909c76c61.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpa5bkmt\xpa5bkmt.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AD.tmp" "c:\Users\Admin\AppData\Local\Temp\xpa5bkmt\CSC850012BC50E24FF8B177AC36A6D04234.TMP"
        3⤵
          PID:448
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:4092
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:4032
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Modifies data under HKEY_USERS
        PID:2208
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1692

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES3AD.tmp
        MD5

        6aa5d156fb38656901f3c1a50a3c91cb

        SHA1

        d56595d2e68e6f585fd987ba61d63f4166e153a9

        SHA256

        2483327ac7adb7979b4a273cadd33b3223e00cb052373cb41e20418f9356b9f1

        SHA512

        d16c8792ad57b3348ff61d05fe762201757fd289de6f5d77b10badc49a65001635444eeec0bfccc66b55b9bd608dec59f1a33f0e330180d18ff7ce3b32b7c711

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xpa5bkmt\xpa5bkmt.dll
        MD5

        d523f13338db9713b8722335bb007fb3

        SHA1

        d74fb03622279fe2ad0961d157f6eee6e895d2f0

        SHA256

        0015d196b5832a12bf25f5cd848722a20ec485bdd3ee59d6115bded86a848481

        SHA512

        c5ca5cb844bf197c1f9694c5283e5f597b8e629d5edd6f28d14b18e9439ecffcacf338deefd48d41424db0aba10c3f2b5f09ed74fe1c3b4a3e57393bb1a777c6

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\xpa5bkmt\CSC850012BC50E24FF8B177AC36A6D04234.TMP
        MD5

        603ca1b12671c055eb66e17ab235df71

        SHA1

        e48e41c2370909a642c6e3f123fc9d0c2ff4a50b

        SHA256

        8c940f33de26133009069f31f9c2a7d3170761f87236d8172d78a9c869dd0781

        SHA512

        3b2e20140596c770e2a2c09960bde53a03acb0cf8948c0334f7193bcb9abff006c817a2990ed4eea4c9e58ae577abfd265fc90fd3b5410009ab02784c92d5f1d

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\xpa5bkmt\xpa5bkmt.0.cs
        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\xpa5bkmt\xpa5bkmt.cmdline
        MD5

        17a20ca49916bfb88c1b6b87241c65df

        SHA1

        23f8d0b372c8b69c5f5d141ed2e4e911471225bf

        SHA256

        59445fbab4219517cd5aeeef1f29b15e6d89b1a4bead4cfb59c31373db79624e

        SHA512

        c54965e5f80ee79e1068b7e387ff25cb11d8b808c1ebd45746b6e6a92d26c9a8fc53e1b128c8654b349f0825e43b99c868331a1ddbc673dd43a4a8891ec74273

        Download Submit
      • memory/3772-140-0x000002F30A676000-0x000002F30A678000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3772-141-0x000002F323E90000-0x000002F323F06000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3772-134-0x00007FFB81063000-0x00007FFB81065000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3772-137-0x000002F323990000-0x000002F3239B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3772-136-0x000002F30A670000-0x000002F30A672000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3772-135-0x000002F30A673000-0x000002F30A675000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4092-147-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4092-149-0x000000007500E000-0x000000007500F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4092-150-0x0000000005FE0000-0x0000000006584000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4092-151-0x0000000005A10000-0x0000000005A11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4092-152-0x0000000005B30000-0x0000000005BCC000-memory.dmp
        Filesize

        624KB

        Download