Analysis
-
max time kernel
160s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-02-2022 09:01
General
-
Target
13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4.vbs
-
Size
151KB
-
MD5
2617fabde3d4865c6838626ff1f08dd4
-
SHA1
1b30dd98a97c25f898b9a90765b9da65e5f59a85
-
SHA256
13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4
-
SHA512
10e525b6fd13fc268e4eecad4abe1ee5d81fb0ebba701c522b6ff2485954477ccdb9810ceb06d51183469f3e5f5e0af8935d20156e25d601d14e371d040af8b8
Malware Config
Extracted
revengerat
NyanCatRevenge
h0pe1759.ddns.net:6943
128f3f5311064da68d3
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS12⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8FD.tmp" "c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\CSC400B63F423844688BE3C7CD1518535B6.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESB8FD.tmpMD5
961a13c9af30d336a949d732bf8d3bc8
SHA183ab19ea8e060de823fc022f339d32f3106308f3
SHA2560fe00f2a6ce7d1c57c1bf15321054814f1defbada2333bbf259426306f86aa00
SHA512765b2c5839878c1084c5ffe850a45e34f5bd1e3ee84166790238111a3bbeb79bb2936b66397bf9f4faa36e0838e332eff1f63d79203b8968c2019d4c2ec8cef4
-
C:\Users\Admin\AppData\Local\Temp\Systray64.PS1MD5
3bf84ac22ea91f5dab4a2e743ecee16d
SHA18bcc6a36b44413266bd44915aa2af7198045d0bb
SHA2565482d824e6edc8cd2237aad6b99ad5f7b5bb7676bd3fee92f295707c3db32d10
SHA512b0905a70c14a780674781db670a6f89bd85564f38601eb3e50bffcaa8e23079b68281d51c38f5679b8fa5796a798714990bc2f3fb4aade2f814416ebc6cd2d8f
-
C:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.dllMD5
93d8e9a7c2ba62cf2c8d33f21c8b06b9
SHA1aa1af5b45d388afa59074bf916e6112ea0d9c159
SHA256e6587bbf9d6d00c504566ce441ef2882d0a400ffe66f77714c8ad67d48e2f4a1
SHA5123a186fe5e820d8a057f684276b61fd1681d8ca397999043983ee58e878c3c4d201cf719f5b1bc69ead6a6d7538ac2877de426ad4343fa64a7774a61d94314255
-
\??\c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\CSC400B63F423844688BE3C7CD1518535B6.TMPMD5
d521ec50972a1707365b886bdbe1d47a
SHA172400057e141bcde84eaa56d604866a2481212e7
SHA256922d2d2da9362947fab029dcf143e72a7307e63857aea5d87810ed6262a3337a
SHA5126c1de0ee1e9ef8563deeb953b924cdd65d093204f981b78b26797612c53e2c0e46d62d131017019eec319854235d8da80c742e2933ff1a003b92dbb0cc1f685c
-
\??\c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.0.csMD5
e03b1e7ba7f1a53a7e10c0fd9049f437
SHA13bb851a42717eeb588eb7deadfcd04c571c15f41
SHA2563ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
-
\??\c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.cmdlineMD5
bd0dad42dafa84e34569029756282b6a
SHA1b9940c457692c2adfdbc8b6fa46a7cc64a4f8382
SHA256fe1bb3e49b6c56b3745826a5e6ef441dbcdc68843479330f086c8ba6e15c052f
SHA512d95fdb03eec3798866b90e6cdf7543c65339bc3922d141cc6ccedbef6dc11275ff65812e09040a5dce61dd5092a38c539be9e994c65e460d1dbb2beff8d115f9
-
memory/4484-148-0x000001E994AA0000-0x000001E994AA4000-memory.dmpFilesize
16KB
-
memory/4484-147-0x000001E991D90000-0x000001E991DA0000-memory.dmpFilesize
64KB
-
memory/4484-146-0x000001E991D30000-0x000001E991D40000-memory.dmpFilesize
64KB
-
memory/4624-134-0x0000027FCC3A3000-0x0000027FCC3A5000-memory.dmpFilesize
8KB
-
memory/4624-136-0x0000027FCD310000-0x0000027FCD386000-memory.dmpFilesize
472KB
-
memory/4624-135-0x0000027FCC3A6000-0x0000027FCC3A8000-memory.dmpFilesize
8KB
-
memory/4624-130-0x0000027FCC370000-0x0000027FCC392000-memory.dmpFilesize
136KB
-
memory/4624-133-0x0000027FCC3A0000-0x0000027FCC3A2000-memory.dmpFilesize
8KB
-
memory/4624-132-0x00007FFC895A3000-0x00007FFC895A5000-memory.dmpFilesize
8KB
-
memory/4744-142-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4744-143-0x0000000005260000-0x0000000005804000-memory.dmpFilesize
5.6MB
-
memory/4744-144-0x00000000752FE000-0x00000000752FF000-memory.dmpFilesize
4KB
-
memory/4744-145-0x0000000004D40000-0x0000000004D41000-memory.dmpFilesize
4KB