Analysis
- max time kernel: 150s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-03-2022 16:44
Static task: static1
Behavioral task: behavioral1
- Sample: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
- Resource: win10v2004-en-20220113
General
- Target: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
- Size: 501KB
- MD5: c8aa6223ca40f85c1ae6fd9024aab6ea
- SHA1: 895469c785046dce30badb4de957f5f89657ba0b
- SHA256: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b
- SHA512: 9800a04b8b408940e0c54a752fc87b41edd79d7764cbb16a0357084ee8b1dc3d3a082b424ee3f68632cbb128bde0e867854e2216ec88de48c247d5c248bed530
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\virus.exe | revengerat
  C:\Users\Admin\AppData\Local\Temp\virus.exe | revengerat
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2316 | virus.sfx.exe
  2664 | virus.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe, WScript.exe, virus.sfx.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | virus.sfx.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe, WScript.exe, cmd.exe, virus.sfx.exe, virus.exe, fondue.exe
  description | pid | process | target process
  PID 312 wrote to memory of 1424 | 312 | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe | WScript.exe
  PID 312 wrote to memory of 1424 | 312 | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe | WScript.exe
  PID 312 wrote to memory of 1424 | 312 | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe | WScript.exe
  PID 1424 wrote to memory of 1952 | 1424 | WScript.exe | cmd.exe
  PID 1424 wrote to memory of 1952 | 1424 | WScript.exe | cmd.exe
  PID 1424 wrote to memory of 1952 | 1424 | WScript.exe | cmd.exe
  PID 1952 wrote to memory of 2316 | 1952 | cmd.exe | virus.sfx.exe
  PID 1952 wrote to memory of 2316 | 1952 | cmd.exe | virus.sfx.exe
  PID 1952 wrote to memory of 2316 | 1952 | cmd.exe | virus.sfx.exe
  PID 2316 wrote to memory of 2664 | 2316 | virus.sfx.exe | virus.exe
  PID 2316 wrote to memory of 2664 | 2316 | virus.sfx.exe | virus.exe
  PID 2316 wrote to memory of 2664 | 2316 | virus.sfx.exe | virus.exe
  PID 2664 wrote to memory of 3320 | 2664 | virus.exe | fondue.exe
  PID 2664 wrote to memory of 3320 | 2664 | virus.exe | fondue.exe
  PID 2664 wrote to memory of 3320 | 2664 | virus.exe | fondue.exe
  PID 3320 wrote to memory of 4752 | 3320 | fondue.exe | FonDUE.EXE
Processes (tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe (PID 312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 1424)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1952)
      Command line: "C:\Windows\System32\cmd.exe" /c bat.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe (PID 2316)
        Command line: virus.sfx.exe -p0JTQsNC70LXQtSDQuNC00ZHQvCDQstC+INCy0LrQu9Cw0LTQutGDICLQo9GB0YLQsNC90L7QstC60LDCuw== -dC:\Users\Admin\AppData\Local\Temp
        Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\virus.exe (PID 2664)
          Command line: "C:\Users\Admin\AppData\Local\Temp\virus.exe"
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\fondue.exe (PID 3320)
            Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\FonDUE.EXE (PID 4752)
              Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bat.bat
  MD5: 313763e1158ac32e596f279922d5fa7a
  SHA1: f53fd94eae3c4b49eaaea6d7276a027d592fa6fd
  SHA256: cedeed1af7694e6e59ec05f0e07c87e083a110d7109289112b42c365ffab66ae
  SHA512: 850f1aac826e79f51e45edfda06f23fd37b6d9e1fc6851daee7dedd5ac4a5d1839fb3c7022d0cd3de8cd053bbb0db75c93b41081602a7ffe613d9afae38e0f2c
- C:\Users\Admin\AppData\Local\Temp\vbs.vbs
  MD5: 78cd7fe96fcefee2dc19332106da3ebb
  SHA1: c36b1f451e75734c99070fceea6fa1fef43c953f
  SHA256: 5147181b11646207d24192fb4d0b893b1ea2220f3b3ce032ff9057297ece794c
  SHA512: 18a304a4ba7b8d8680bf4727cd3f68595f3e00046872215fd68ddb6f9363b3b14637a7abc53b2aa97073b423f8c3814b5e8c8f385ab0c22f9598698305b1e56b
- C:\Users\Admin\AppData\Local\Temp\virus.exe
  MD5: bba5973bb251dd5c7867208a5d912341
  SHA1: b852a70903aa537f82fe18e6a1d18ab414b44f46
  SHA256: 823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a
  SHA512: 89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d
- C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
  MD5: 0c2a42618a219916757349673caee33d
  SHA1: 108b16ade92cae3f05a05daf399931e3f460030e
  SHA256: 6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f
  SHA512: 50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495