Analysis
max time kernel: 162s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19-02-2022 09:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7.ps1
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7.ps1
  Resource: win10v2004-en-20220113
General
Target: 9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7.ps1
Size: 45KB
MD5: 3466fd80a243ae5b2e2581214b49d0be
SHA1: a68eb0b7f56bc5459502f83ffa55e6a783b78797
SHA256: 9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7
SHA512: ca3bce0228d8ad34e90ed49207bbc3e4f906281167bf20f02e9f7aa0fe8054741578d0d98132e70417913ffc2caff4f5f710f76acd351981c6c5a4dac74ad720
Malware Config
Extracted: revengerat
Client: kimjoy.ddns.net:2021
RXQLV8XYTDNHNSA
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1440 set thread context of 4760 | 1440 | powershell.exe | RegAsm.exe

Drops file in Windows directory (6 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
1440 | powershell.exe
1440 | powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1440 | powershell.exe
Token: SeShutdownPrivilege | 3008 | svchost.exe
Token: SeCreatePagefilePrivilege | 3008 | svchost.exe
Token: SeShutdownPrivilege | 3008 | svchost.exe
Token: SeCreatePagefilePrivilege | 3008 | svchost.exe
Token: SeShutdownPrivilege | 3008 | svchost.exe
Token: SeCreatePagefilePrivilege | 3008 | svchost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 1440 wrote to memory of 4712 | 1440 | powershell.exe | csc.exe
PID 1440 wrote to memory of 4712 | 1440 | powershell.exe | csc.exe
PID 4712 wrote to memory of 1428 | 4712 | csc.exe | cvtres.exe
PID 4712 wrote to memory of 1428 | 4712 | csc.exe | cvtres.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
PID 1440 wrote to memory of 4760 | 1440 | powershell.exe | RegAsm.exe
Processes (process tree; indentation shows parent/child relationship)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7.ps1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD16.tmp" "c:\Users\Admin\AppData\Local\Temp\ltpai4re\CSC96B9FE27F70B40589AA32076DCFC3AD1.TMP"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD16.tmp
  MD5: ff207b03110a0b13faf389fc4b7146db
  SHA1: 3273d76c9c2d6a6e5b05eb19c0f2b8e657fd43d5
  SHA256: 256e062b17ce10590ed6d0e64229dd9021bad39a29d6f416d78cf55c58748933
  SHA512: 688650273cc8a1ee1d5c4da97e900cf847ae17740d100561cf944ae0eb7ffea86a5da7c9f1bc36125de9690eae504bd3fa2e5b9d8071a8d28c01c0181f7086b6

C:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.dll
  MD5: b727741ee5eac8ce904b0d1708caada5
  SHA1: 6509c8f854436bc5008d74e5bbf4620b00b55f95
  SHA256: 81724ef091f221398e2f2623b6538e3541e171f09f2897b88f2db56f76caa8a0
  SHA512: c68e22238ba911dc3d57788c79d33ad9697e45ef05a995815aa4a0169502aa8d836bcef4f94b82da40d9259d9cd67cdd96539aaf397b6cb4697ae0726e94f268

\??\c:\Users\Admin\AppData\Local\Temp\ltpai4re\CSC96B9FE27F70B40589AA32076DCFC3AD1.TMP
  MD5: 83aba12c27f4e29287dedf5fff3dc803
  SHA1: 0cea272307a39115306be3edb89b693d7900694b
  SHA256: e1e4eabb840f6ac30497bda8f19b47266e1c6772f434177a76c0ad0c415329f2
  SHA512: 33fa08fad24bec7c1180bc0533346f2d47b3bbba99e89a38de9db70e107192b6bfd0d43ca3cc20bdc4406756b3027d8021fbbb97706ebead6b825602e402bffc

\??\c:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.0.cs
  MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
  SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
  SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
  SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

\??\c:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.cmdline
  MD5: d4b5344e6b974743ca9b9d982104bd1b
  SHA1: 687a3321325cd6d27afe35debc32caf2a87eb2ed
  SHA256: 41880aa1ac70d0c2bd9a4cd5da6e6da55d77805baf61acbbb041dc6412f7c2cc
  SHA512: 49cd0814cafa812519244d8d6f27be91f6da1fdfeb057c6e4b3d0b9d37a0555ea8f555d8a5568b70c37e657295f2e5cbeccb99099c816a3490fb295cb2a5c446

Memory dumps (file name | filesize)
memory/1440-134-0x000002979D406000-0x000002979D408000-memory.dmp | 8KB
memory/1440-130-0x000002979D4B0000-0x000002979D4D2000-memory.dmp | 136KB
memory/1440-133-0x000002979D403000-0x000002979D405000-memory.dmp | 8KB
memory/1440-132-0x000002979D400000-0x000002979D402000-memory.dmp | 8KB
memory/1440-131-0x00007FFE67103000-0x00007FFE67105000-memory.dmp | 8KB
memory/1440-135-0x000002979D9D0000-0x000002979DA46000-memory.dmp | 472KB
memory/3008-146-0x00000153CA920000-0x00000153CA930000-memory.dmp | 64KB
memory/3008-148-0x00000153CD030000-0x00000153CD034000-memory.dmp | 16KB
memory/3008-147-0x00000153CA980000-0x00000153CA990000-memory.dmp | 64KB
memory/4760-142-0x0000000005360000-0x0000000005904000-memory.dmp | 5.6MB
memory/4760-145-0x0000000004CA0000-0x0000000004CA1000-memory.dmp | 4KB
memory/4760-144-0x0000000004EB0000-0x0000000004F4C000-memory.dmp | 624KB
memory/4760-143-0x0000000074C5E000-0x0000000074C5F000-memory.dmp | 4KB
memory/4760-141-0x0000000000400000-0x000000000040A000-memory.dmp | 40KB