Overview

overview

10

Static

static

d0eacc86ba...1c.vbs

windows7_x64

3

d0eacc86ba...1c.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    161s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c.vbs

  • Size

    160KB

  • MD5

    2f4b0aaefc5a69aad3be2795c45e97d7

  • SHA1

    b40b2a3afad0f04934e3892a23fa320fbbe85ec5

  • SHA256

    d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c

  • SHA512

    4e5113ad23bc3a1242f47d9d03a319bd921e3016a8527637aabbb390045f7559609cd478dad8500745a457636360822de5d9f51f2a11e6a13ed76b44d8ad3b8a

Score
10/10
revengeratnyancatrevengetrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

h0pe1759.ddns.net:6943

Mutex

128f3f5311064da68d3

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yp1t51u4\yp1t51u4.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99FB.tmp" "c:\Users\Admin\AppData\Local\Temp\yp1t51u4\CSC99C4018E8BC1490ABD86C7ACCD10C7A3.TMP"
          4⤵
            PID:2696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:928
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3528

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
        MD5

        71d07a62e6a9f93697bee333cf33cb43

        SHA1

        314e0556f14615f249e76c399fbd352a57c8b854

        SHA256

        28551c51fc1cb17cfe2f238acc467e8264a01c8262911250634be617a9e16b91

        SHA512

        e0dcee489be5c9d73adf7bd373dc5d998bd0be8e1d51857081d8764278e73433ba5f0885a2492b9fdcd7bccc4d7c83e9e5c3316f1b19c80dca413913ad82555e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES99FB.tmp
        MD5

        6c8f4940def2f0ce75890d5769ce5282

        SHA1

        9d5cca24ee263c380e68fb83c3132e5d36282c22

        SHA256

        ff7eebfd4c6d9c1331b559142d5bfaabbb26e966b5d22ec004c0445b4e6dc30a

        SHA512

        c138a24767b7bc37476eaa9d8758f054c1affcb36cb5cabdb5c4c95696c5e940206f49a16508df2c3a23d762792c17b88e863c13fbbfa45775f4c07b15cb786f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\yp1t51u4\yp1t51u4.dll
        MD5

        f78582ecc2923abcad2b704712bde55d

        SHA1

        42fff10afeb076570834da5552a7afceef84267a

        SHA256

        39b28e69df3277090c24d0781ac34c9b0ac195ac9b884227b7b85c2b59e1c252

        SHA512

        b627d49fe6d9a516011e6294fd0b9b88bf6eb5df5026a8932f0bd6c40884a1c4b7adfda1e5bdd07d5eaf7fcabd04664f9bbdc2b9ec24c3a8187e360005497621

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\yp1t51u4\CSC99C4018E8BC1490ABD86C7ACCD10C7A3.TMP
        MD5

        be45837a8c33d0d9969c14d3f653fb5f

        SHA1

        52d286e875719e09a81779217e74d2b309bd9849

        SHA256

        74588a6f0a24ab68a8a17cf6a476023eedf28c6bb14cced7b5c7095b7816f14a

        SHA512

        ca29329db90137238f45a6b0d3eb8f4696bd278af5554169fd99fc59c2f338a1fab2bf659b5358274da5e70c2c9cd636d313d65fcb888f69c930c0308e335482

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\yp1t51u4\yp1t51u4.0.cs
        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\yp1t51u4\yp1t51u4.cmdline
        MD5

        7a57e8068773dee0d2e3307dbd1aa1d2

        SHA1

        86b7afa429fdac63a08f791b019e5ae7a8e8138c

        SHA256

        a805e81e03b673a7c9cf93dde253a211176a351380655f07f3dc9fb829ec0970

        SHA512

        25439533bb0b69c11c67ea3f8f14e470cf1d70eb842cdd448126659cf1af84680e6b05347141e9c23090413d08cfdcc7da43944948288f469446fbb5d20ea18b

        Download Submit
      • memory/460-135-0x000002042B4A0000-0x000002042B4C2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/460-137-0x000002042DA70000-0x000002042DAE6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/460-131-0x00007FFF38073000-0x00007FFF38075000-memory.dmp
        Filesize

        8KB

        Download
      • memory/460-134-0x000002042B4E6000-0x000002042B4E8000-memory.dmp
        Filesize

        8KB

        Download
      • memory/460-132-0x000002042B4E0000-0x000002042B4E2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/460-133-0x000002042B4E3000-0x000002042B4E5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/928-143-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/928-144-0x0000000005F70000-0x0000000006514000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/928-145-0x000000007480E000-0x000000007480F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-146-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3528-147-0x00000213A4F60000-0x00000213A4F70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3528-148-0x00000213A5620000-0x00000213A5630000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3528-149-0x00000213A7CE0000-0x00000213A7CE4000-memory.dmp
        Filesize

        16KB

        Download