Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 09-03-2022 01:41

Static task: static1

Behavioral task: behavioral1
- Sample: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe
- Resource: win10v2004-en-20220113

The signatures, process tree and memory dumps reported below come from behavioral2, the Windows 10 run named in the platform and resource fields above.
General
- Target: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe
- Size: 355KB
- MD5: e73a78c29a9791b574a3ff41bf290cfb
- SHA1: a974b4b7d2f0b0d4366123c0a591327b6108e6d8
- SHA256: aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8
- SHA512: 69ba2a63a6bd0e125ac2e13e8c7571c08f0b6d1a0fe1e5670346c4cf16dd74b179f181aad4064f656ce092f8ca105b221dd3d4c423c32eccc649755e4ed1b0a4
Malware Config
Extracted
- Family: revengerat
- ID: be ly
- C2: hohoangpmy.ddns.net:1177
- Mutex: RV_MUTEX-eawrHJfWfhaRCl

The C2 is a dynamic-DNS hostname on a non-standard port (1177) and the mutex follows the RV_MUTEX- prefix RevengeRAT builds use; both are directly usable as network and host indicators for this sample.
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  yara rule: revengerat
  resource: behavioral2/memory/3696-130-0x0000000000400000-0x0000000000408000-memory.dmp
  The rule fires on a memory region of PID 3696 (vbc.exe), not on the file on disk: the RAT body only appears once it has been injected into the host process.
- Executes dropped EXE (1 IoC)
  PID 528: Client.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (by vbc.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (by vbc.exe)
- Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
  The sandbox labels this signature "VBS compiler"; vbc.exe is the VB.NET compiler under the .NET Framework directory, not VBScript. Here it is started with no arguments, which a compiler has no legitimate reason to be, and serves only as a Microsoft-signed host for the injected payload.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3728 (the submitted sample) set the thread context of PID 3696 (vbc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description of this signature; nothing else in the report (no encryption or ransom-note activity) supports that reading, and the sample is classified as a RAT.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3696 (vbc.exe) adjusted its token to enable SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 3728 (the submitted sample), three calls
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 3728 (the submitted sample), three calls
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3728 (the submitted sample) wrote to the memory of PID 3696 (vbc.exe), seven times
  PID 3696 (vbc.exe) wrote to the memory of PID 528 (Client.exe), three times

Read together, SetThreadContext plus repeated WriteProcessMemory from 3728 into a freshly started, argument-less vbc.exe is the process-hollowing pattern: the dropper creates the host, overwrites its image with the RevengeRAT payload and redirects the main thread into it.
Processes
- C:\Users\Admin\AppData\Local\Temp\aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe (PID 3728)
  command line: "C:\Users\Admin\AppData\Local\Temp\aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3696, child of 3728)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (PID 528, child of 3696)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
      - Executes dropped EXE
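The signatures and process tree above describe one chain: a dropper in %TEMP% starts vbc.exe (the Visual Basic .NET compiler) with no arguments, sets its thread context and writes into its memory, and the hollowed vbc.exe drops Client.exe into the Startup folder and runs it, with the extracted config pointing at hohoangpmy.ddns.net:1177. The Python below is an added example, not tria.ge's code, that correlates that chain from Sysmon-style process, process-access, file and network events. The events are constructed to mirror the report's PIDs and paths (the network event is constructed too; the report's Network section carries no data). The field names, the representation of SetThreadContext/WriteProcessMemory as one ProcessAccess record whose mask includes PROCESS_VM_WRITE, and the lists of .NET host binaries and dynamic-DNS suffixes are assumptions; the rule deliberately generalises past vbc.exe to the other Framework binaries abused the same way.

```python
"""Correlate hollowing of a .NET Framework host with persistence and C2.

Added example modelled on the tria.ge report; event layout is an assumption
(Sysmon-like: 1 = process create, 10 = process access, 11 = file create,
3 = network connect). Not the sandbox's own detection logic.
"""
import re
from collections import defaultdict

# Paths and PIDs taken from the report; everything else is constructed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aefe98d28b0d368c94c1102e615811b1d9825373d86e5a0031d0b41f2452bfb8.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"

EVENTS = [
    {"event_id": 1, "pid": 3728, "ppid": 2400, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"event_id": 1, "pid": 3696, "ppid": 3728, "image": VBC, "cmdline": '"%s"' % VBC},
    # Assumption: SetThreadContext/WriteProcessMemory surface as a process-access
    # record with a write-capable mask (0x1FFFFF = PROCESS_ALL_ACCESS).
    {"event_id": 10, "pid": 3728, "target_pid": 3696, "granted_access": 0x1FFFFF},
    {"event_id": 11, "pid": 3696, "target_filename": CLIENT},
    {"event_id": 3, "pid": 3696, "dest_host": "hohoangpmy.ddns.net", "dest_port": 1177},
    {"event_id": 1, "pid": 528, "ppid": 3696, "image": CLIENT, "cmdline": '"%s"' % CLIENT},
    # Benign control (constructed): a real build passes the compiler arguments.
    {"event_id": 1, "pid": 4100, "ppid": 4000, "image": VBC,
     "cmdline": '"%s" /noconfig @C:\\build\\obj\\app.rsp' % VBC},
]

# Framework binaries commonly used as signed injection hosts (assumed list).
DOTNET_HOST_RE = re.compile(
    r"\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\"
    r"(?:vbc|csc|RegAsm|RegSvcs|InstallUtil|MSBuild)\.exe$", re.I)
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")  # assumed, illustrative
PROCESS_VM_WRITE = 0x0020


def _args(ev):
    """Command line with the (possibly quoted) image path stripped off."""
    cmd = ev.get("cmdline", "")
    for form in ('"%s"' % ev["image"], ev["image"]):
        if cmd.lower().startswith(form.lower()):
            return cmd[len(form):].strip()
    return cmd.strip()


def correlate(events):
    """Return (process table, pid -> set of reasons) for the event stream."""
    procs, reasons = {}, defaultdict(set)
    for ev in events:
        eid, pid = ev["event_id"], ev["pid"]
        if eid == 1:
            procs[pid] = ev
            if DOTNET_HOST_RE.search(ev["image"]):
                if not _args(ev):  # a compiler with nothing to compile
                    reasons[pid].add("dotnet_host_launched_without_arguments")
                parent = procs.get(ev["ppid"])
                if parent and USER_WRITABLE_RE.match(parent["image"]):
                    reasons[pid].add("dotnet_host_parent_in_user_writable_path")
            if STARTUP_RE.search(ev["image"]):
                reasons[pid].add("executes_from_startup_folder")
        elif eid == 10:
            tgt = procs.get(ev["target_pid"])
            if tgt and ev["granted_access"] & PROCESS_VM_WRITE and DOTNET_HOST_RE.search(tgt["image"]):
                reasons[ev["target_pid"]].add("write_access_from_pid_%d" % pid)
        elif eid == 11 and STARTUP_RE.search(ev["target_filename"]):
            reasons[pid].add("drops_into_startup_folder")
        elif eid == 3 and ev["dest_host"].lower().endswith(DYNDNS_SUFFIXES):
            reasons[pid].add("connects_to_dynamic_dns_host")
    return procs, reasons


def verdict(reasons, threshold=3):
    """PIDs that accumulate enough independent reasons to alert on."""
    return {pid: sorted(r) for pid, r in reasons.items() if len(r) >= threshold}


def lineage(procs, pid):
    """Child <- parent chain of image names, as far as the table reaches."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


if __name__ == "__main__":
    table, why = correlate(EVENTS)
    for pid, hits in verdict(why).items():
        print(pid, lineage(table, pid), hits)
```

Only the hollowed vbc.exe (3696) crosses the threshold; Client.exe (528) collects a single reason and the constructed MSBuild-style invocation collects none, which is the point of scoring on independent behaviours rather than on the image name alone.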
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
  MD5: 0a7608db01cae07792cea95e792aa866
  SHA1: 71dff876e4d5edb6cea78fee7aa15845d4950e24
  SHA256: c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e
  SHA512: 990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42
  The dropped Client.exe has different hashes from the submitted sample, so it is a distinct payload written out by the hollowed vbc.exe, not a copy of the dropper.
Memory dumps (all taken from PID 3696, vbc.exe):
- memory/3696-130-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB (the region the revengerat YARA rule matched)
- memory/3696-131-0x0000000005F80000-0x0000000006524000-memory.dmp: 5.6MB
- memory/3696-132-0x0000000005A70000-0x0000000005B0C000-memory.dmp: 624KB
- memory/3696-133-0x00000000059D0000-0x0000000005A36000-memory.dmp: 408KB
- memory/3696-134-0x0000000074510000-0x0000000074CC0000-memory.dmp: 7.7MB
- memory/3696-135-0x00000000059D0000-0x0000000005F74000-memory.dmp: 5.6MB

Dumps 133 and 135 share the base 0x59D0000 and overlap; the later one covers a larger range. The page does not name what the larger regions hold.
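The first dump, 3696-130, is the 32KB region at 0x400000 inside the hollowed vbc.exe where the revengerat YARA rule fired, i.e. the injected payload image. Before handing such a region to a .NET decompiler it is worth confirming that it is a complete in-memory PE with a CLR header rather than a fragment. The Python below is an added example, not tria.ge's code: it parses the report's dump filename into PID, base and size, then walks the DOS, NT and optional headers of a dumped region and reports image base, SizeOfImage, entry point, section layout and whether a CLR data directory is present. The region bytes are constructed here (a minimal PE32 with ImageBase 0x400000, SizeOfImage 0x8000 and a CLR directory) so it runs offline; the real dump is not on the page, and the builder is a stand-in for reading that file.

```python
"""Check a dumped memory region for a complete (optionally .NET) PE image.

Added example; the PE constants are standard, the test image is constructed.
"""
import re
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x00004550
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header
IMAGE_FILE_DLL = 0x2000

# Dump names in the report: memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp
REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_region_name(name):
    """Return (pid, base address, size in bytes) from a dump filename."""
    m = REGION_RE.fullmatch(name)
    if not m:
        raise ValueError("not a region dump name: %r" % name)
    pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, base, end - base


def parse_image(region, region_base):
    """Parse PE headers at the start of a dumped region; None if not a PE."""
    if len(region) < 0x40 or struct.unpack_from("<H", region, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    if e_lfanew + 24 > len(region) or struct.unpack_from("<I", region, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    _machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", region, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(region):
        return None
    magic = struct.unpack_from("<H", region, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", region, opt + 28)[0]
        ndirs, dirs = struct.unpack_from("<I", region, opt + 92)[0], opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", region, opt + 24)[0]
        ndirs, dirs = struct.unpack_from("<I", region, opt + 108)[0], opt + 112
    else:
        return None
    entry = struct.unpack_from("<I", region, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", region, opt + 56)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", region, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", region, sec + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return {
        "image_base": image_base,
        "relocated": image_base != region_base,   # header base vs where it was dumped from
        "size_of_image": size_of_image,
        "dump_covers_image": len(region) >= size_of_image,
        "entry_point": entry,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def build_test_image(image_base=0x400000, size_of_image=0x8000, dotnet=True):
    """Constructed minimal PE32 image (stand-in for the real dump, not the sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x2000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x200)         # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, 1 section, EXE
    text = struct.pack("<8sIIII", b".text", 0x5000, 0x2000, 0x5000, 0x2000) + b"\0" * 16
    hdr = bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + text
    return hdr + b"\0" * (size_of_image - len(hdr))


if __name__ == "__main__":
    pid, base, size = parse_region_name("memory/3696-130-0x0000000000400000-0x0000000000408000-memory.dmp")
    region = build_test_image(size_of_image=size)  # replace with open(dump, "rb").read()
    print(pid, hex(base), size, parse_image(region, base))
```

The two checks that matter for carving are `dump_covers_image` (the dumped range is at least SizeOfImage, so nothing is missing) and `relocated` (the header's ImageBase matches the address the region was taken from, so RVAs resolve without fix-ups); `is_dotnet` tells you whether to reach for a .NET decompiler or a native disassembler.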