Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 09-03-2022 01:41
Static task: static1
Behavioral task: behavioral1
- Sample: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe
- Resource: win10v2004-en-20220113
General
- Target: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe
- Size: 355KB
- MD5: e73a78c29a9791b574a3ff41bf290cfb
- SHA1: a974b4b7d2f0b0d4366123c0a591327b6108e6d8
- SHA256: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8
- SHA512: 69ba2a63a6bd0e125ac2e13e8c7571c08f0b6d1a0fe1e5670346c4cf16dd74b179f181aad4064f656ce092f8ca105b221dd3d4c423c32eccc649755e4ed1b0a4
Malware Config
Extracted family: revengerat
- ID: be ly
- C2: hohoangpmy.ddns.net:1177
- Mutex: RV_MUTEX-eawrHJfWfhaRCl
The C2 is a dynamic-DNS hostname rather than a fixed IP, so block and hunt on the name (and on port 1177 to resolved addresses) rather than on whatever it resolved to during this run. The RV_MUTEX- prefix is the string Triage keyed the family label on.
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (4 IoCs)
  The "revengerat" YARA rule matched four successive dumps of the same 32KB region (0x400000-0x408000) inside vbc.exe (PID 1616), the process the sample injects into:
    resource                                                                      yara_rule
    behavioral1/memory/1616-60-0x0000000000400000-0x0000000000408000-memory.dmp   revengerat
    behavioral1/memory/1616-62-0x0000000000400000-0x0000000000408000-memory.dmp   revengerat
    behavioral1/memory/1616-64-0x0000000000400000-0x0000000000408000-memory.dmp   revengerat
    behavioral1/memory/1616-66-0x0000000000400000-0x0000000000408000-memory.dmp   revengerat
- Executes dropped EXE (1 IoC)
  Client.exe (PID 1028)
- Drops startup file (2 IoCs)
  vbc.exe (PID 1616) created, then opened for modification:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
  Anything placed in the per-user Startup folder runs at each logon of that user, so this is the persistence mechanism.
- Loads dropped DLL (1 IoC)
  vbc.exe (PID 1616)
- Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the Visual Basic .NET compiler that ships with the .NET Framework (here C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe). The sample, running from %TEMP%, starts it with nothing to compile; a signed Microsoft binary used this way is a hollowing host, not a build step.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1612 (the submitted sample) set the thread context of PID 1616 (vbc.exe).
  Together with the WriteProcessMemory events below this is the classic process-hollowing pair: write the payload into the child, then redirect its primary thread with SetThreadContext.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Triage flags this heuristic as likely ransomware behaviour, but nothing else in this report supports that reading: the only file written is the Startup-folder copy above, and the family is a RAT. Treat it as host and drive enumeration.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  vbc.exe (PID 1616) enabled SeDebugPrivilege.
- Suspicious use of FindShellTrayWindow (5 IoCs)
  PID 1612 (the submitted sample), 5 occurrences.
- Suspicious use of SendNotifyMessage (5 IoCs)
  PID 1612 (the submitted sample), 5 occurrences.
- Suspicious use of WriteProcessMemory (12 IoCs)
    source PID  source process        target PID  target process  count
    1612        the submitted sample  1616        vbc.exe         8
    1616        vbc.exe               1028        Client.exe      4
  The eight writes into vbc.exe are the payload being placed before SetThreadContext; the four writes into Client.exe are the smaller amount of cross-process writing that normally accompanies spawning a child.
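The three behaviours the signatures above establish (hollowing into vbc.exe, a dropped file in the Startup folder that later runs, and a dynamic-DNS C2) expressed as detection rules over structured events. This is an added example, not code from Triage or from the report; the process and event records are constructed by hand from the PIDs, paths and config printed in this report, the `Process`/`Event` classes and rule functions are this example's own, and the dynamic-DNS suffix list and the `RV_MUTEX-` prefix check are assumptions chosen to fit this sample.

```python
from dataclasses import dataclass
from typing import Optional

# Per-user Startup folder fragment: any file here runs at the user's next logon.
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
# Signed .NET Framework utilities (csc.exe, vbc.exe, ...) are common hollowing hosts.
DOTNET_DIR = r"C:\Windows\Microsoft.NET\Framework"
# Assumption: illustrative dynamic-DNS suffixes; the report's C2 uses the first.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    parent: Optional[int] = None


@dataclass(frozen=True)
class Event:
    kind: str                     # write_process_memory | set_thread_context | file_created
    pid: int                      # acting process
    target: Optional[int] = None  # target pid for cross-process events
    path: Optional[str] = None    # file path for file events


# Constructed from this report: the three processes in the tree and the
# injection/drop events listed under Signatures.
PROCESSES = {
    1612: Process(1612, r"C:\Users\Admin\AppData\Local\Temp\aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe"),
    1616: Process(1616, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", parent=1612),
    1028: Process(1028, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe", parent=1616),
}
EVENTS = [
    Event("write_process_memory", 1612, target=1616),
    Event("set_thread_context", 1612, target=1616),
    Event("file_created", 1616, path=PROCESSES[1028].image),
    Event("write_process_memory", 1616, target=1028),  # plain child spawn, no SetThreadContext
]
C2 = "hohoangpmy.ddns.net:1177"
MUTEX = "RV_MUTEX-eawrHJfWfhaRCl"


def detect_hollowing(processes, events):
    """(src, dst, image) for every pair where src both wrote dst's memory and
    replaced one of its thread contexts, and dst is a .NET Framework utility.
    Memory writes alone (1616 -> 1028) do not qualify; the thread-context
    replacement is what separates hollowing from an ordinary child spawn."""
    pairs = {}
    for e in events:
        if e.target is not None and e.kind in ("write_process_memory", "set_thread_context"):
            pairs.setdefault((e.pid, e.target), set()).add(e.kind)
    hits = []
    for (src, dst), kinds in sorted(pairs.items()):
        child = processes.get(dst)
        if child is None:
            continue
        if {"write_process_memory", "set_thread_context"} <= kinds and child.image.startswith(DOTNET_DIR):
            hits.append((src, dst, child.image))
    return hits


def detect_startup_persistence(processes, events):
    """Images of processes whose executable was first dropped into the Startup folder."""
    dropped = {
        e.path.lower()
        for e in events
        if e.kind == "file_created" and e.path and STARTUP_DIR.lower() in e.path.lower()
    }
    return sorted(p.image for p in processes.values() if p.image.lower() in dropped)


def classify_c2(c2):
    """Split host:port and flag dynamic-DNS hosting (block on the name, not the IP)."""
    host, _, port = c2.rpartition(":")
    return {"host": host, "port": int(port), "dynamic_dns": host.lower().endswith(DDNS_SUFFIXES)}


def is_revengerat_mutex(name):
    # Assumption: the RV_MUTEX- prefix seen in this config is treated as the family marker.
    return name.startswith("RV_MUTEX-")


if __name__ == "__main__":
    print("hollowing:", detect_hollowing(PROCESSES, EVENTS))
    print("persistence:", detect_startup_persistence(PROCESSES, EVENTS))
    print("c2:", classify_c2(C2), "revengerat mutex:", is_revengerat_mutex(MUTEX))
```

The same three rules apply unchanged to Sysmon data: event IDs 10 (ProcessAccess with a thread-context-capable mask), 11 (FileCreate under the Startup path) and 1 (ProcessCreate whose image matches a file dropped by the same chain) supply the `Event` records here.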
Processes
- C:\Users\Admin\AppData\Local\Temp\aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe (PID 1612, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1616, depth 2, child of 1612)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (PID 1028, depth 3, child of 1616)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
  These hashes differ from the submitted sample's (SHA256 aefe98d2... above), so Client.exe is a new file written by the code running inside vbc.exe, not a copy of the dropper; hunt on both hash sets.
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (same file, recorded without the drive letter)
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
Memory dumps
- memory/1612-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp (8KB)
- memory/1616-56-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1616-58-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1616-60-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1616-62-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1616-64-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1616-66-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1616-67-0x0000000073CC0000-0x00000000743AE000-memory.dmp (6.9MB)
- memory/1616-68-0x0000000005270000-0x0000000005271000-memory.dmp (4KB)
The 0x400000-0x408000 region of PID 1616 was dumped six times as the hollowed vbc.exe ran; the later four (dumps 60 to 66) are the ones the revengerat YARA rule matched, so that 32KB image is the unpacked payload to pull for static analysis.