Overview

overview

10

Static

static

13efa382b1...c4.vbs

windows7_x64

3

13efa382b1...c4.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4.vbs

  • Size

    151KB

  • MD5

    2617fabde3d4865c6838626ff1f08dd4

  • SHA1

    1b30dd98a97c25f898b9a90765b9da65e5f59a85

  • SHA256

    13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4

  • SHA512

    10e525b6fd13fc268e4eecad4abe1ee5d81fb0ebba701c522b6ff2485954477ccdb9810ceb06d51183469f3e5f5e0af8935d20156e25d601d14e371d040af8b8

Score
10/10
revengeratnyancatrevengetrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

h0pe1759.ddns.net:6943

Mutex

128f3f5311064da68d3

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8FD.tmp" "c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\CSC400B63F423844688BE3C7CD1518535B6.TMP"
          4⤵
            PID:4492
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:1400
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
              PID:4744
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:4484

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESB8FD.tmp
          MD5

          961a13c9af30d336a949d732bf8d3bc8

          SHA1

          83ab19ea8e060de823fc022f339d32f3106308f3

          SHA256

          0fe00f2a6ce7d1c57c1bf15321054814f1defbada2333bbf259426306f86aa00

          SHA512

          765b2c5839878c1084c5ffe850a45e34f5bd1e3ee84166790238111a3bbeb79bb2936b66397bf9f4faa36e0838e332eff1f63d79203b8968c2019d4c2ec8cef4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
          MD5

          3bf84ac22ea91f5dab4a2e743ecee16d

          SHA1

          8bcc6a36b44413266bd44915aa2af7198045d0bb

          SHA256

          5482d824e6edc8cd2237aad6b99ad5f7b5bb7676bd3fee92f295707c3db32d10

          SHA512

          b0905a70c14a780674781db670a6f89bd85564f38601eb3e50bffcaa8e23079b68281d51c38f5679b8fa5796a798714990bc2f3fb4aade2f814416ebc6cd2d8f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.dll
          MD5

          93d8e9a7c2ba62cf2c8d33f21c8b06b9

          SHA1

          aa1af5b45d388afa59074bf916e6112ea0d9c159

          SHA256

          e6587bbf9d6d00c504566ce441ef2882d0a400ffe66f77714c8ad67d48e2f4a1

          SHA512

          3a186fe5e820d8a057f684276b61fd1681d8ca397999043983ee58e878c3c4d201cf719f5b1bc69ead6a6d7538ac2877de426ad4343fa64a7774a61d94314255

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\CSC400B63F423844688BE3C7CD1518535B6.TMP
          MD5

          d521ec50972a1707365b886bdbe1d47a

          SHA1

          72400057e141bcde84eaa56d604866a2481212e7

          SHA256

          922d2d2da9362947fab029dcf143e72a7307e63857aea5d87810ed6262a3337a

          SHA512

          6c1de0ee1e9ef8563deeb953b924cdd65d093204f981b78b26797612c53e2c0e46d62d131017019eec319854235d8da80c742e2933ff1a003b92dbb0cc1f685c

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.0.cs
          MD5

          e03b1e7ba7f1a53a7e10c0fd9049f437

          SHA1

          3bb851a42717eeb588eb7deadfcd04c571c15f41

          SHA256

          3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

          SHA512

          a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\jmfcx1zq\jmfcx1zq.cmdline
          MD5

          bd0dad42dafa84e34569029756282b6a

          SHA1

          b9940c457692c2adfdbc8b6fa46a7cc64a4f8382

          SHA256

          fe1bb3e49b6c56b3745826a5e6ef441dbcdc68843479330f086c8ba6e15c052f

          SHA512

          d95fdb03eec3798866b90e6cdf7543c65339bc3922d141cc6ccedbef6dc11275ff65812e09040a5dce61dd5092a38c539be9e994c65e460d1dbb2beff8d115f9

          Download Submit

        • memory/4484-148-0x000001E994AA0000-0x000001E994AA4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4484-147-0x000001E991D90000-0x000001E991DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4484-146-0x000001E991D30000-0x000001E991D40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4624-134-0x0000027FCC3A3000-0x0000027FCC3A5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4624-136-0x0000027FCD310000-0x0000027FCD386000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4624-135-0x0000027FCC3A6000-0x0000027FCC3A8000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4624-130-0x0000027FCC370000-0x0000027FCC392000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4624-133-0x0000027FCC3A0000-0x0000027FCC3A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4624-132-0x00007FFC895A3000-0x00007FFC895A5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4744-142-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4744-143-0x0000000005260000-0x0000000005804000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4744-144-0x00000000752FE000-0x00000000752FF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4744-145-0x0000000004D40000-0x0000000004D41000-memory.dmp

          Filesize

          4KB

          Download