Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-02-2022 09:02
Static task
static1
Behavioral task
behavioral1
Sample
e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe
Resource
win10v2004-en-20220113
General
-
Target
e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe
-
Size
15KB
-
MD5
b8448486361127d19646cd0a420ba047
-
SHA1
5e50e5c076e3b0843afaf038a3dec777a6e84759
-
SHA256
e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937
-
SHA512
caff3217b5563176f787bef7bb8864e67189b0ad0eda4f10f2d0e0ee18b966816f62f95f8b1c9ddd238bfa2f94b545c577c5e8b52f58d729eb7ca107f9b50494
Malware Config
Extracted
revengerat
Client
bodmas01.zapto.org:7975
SXDWCX2QPFGVQS2
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 3788 svchost.exe Token: SeCreatePagefilePrivilege 3788 svchost.exe Token: SeShutdownPrivilege 3788 svchost.exe Token: SeCreatePagefilePrivilege 3788 svchost.exe Token: SeShutdownPrivilege 3788 svchost.exe Token: SeCreatePagefilePrivilege 3788 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe"C:\Users\Admin\AppData\Local\Temp\e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3052-130-0x00007FFCDDA13000-0x00007FFCDDA15000-memory.dmpFilesize
8KB
-
memory/3052-131-0x0000000000440000-0x000000000044A000-memory.dmpFilesize
40KB
-
memory/3052-132-0x000000001BC40000-0x000000001BC42000-memory.dmpFilesize
8KB
-
memory/3788-133-0x0000020DE8020000-0x0000020DE8030000-memory.dmpFilesize
64KB
-
memory/3788-134-0x0000020DE8080000-0x0000020DE8090000-memory.dmpFilesize
64KB
-
memory/3788-135-0x0000020DEA740000-0x0000020DEA744000-memory.dmpFilesize
16KB