Analysis
  Max time kernel: 4294226s
  Max time network: 183s
  Platform: windows7_x64
  Resource: win7-20220311-en
  Submitted: 24-03-2022 19:31
Static task: static1

Behavioral task: behavioral1
  Sample: 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  Resource: win7-20220311-en

Behavioral task: behavioral2
  Sample: 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  Resource: win10v2004-20220310-en
General
  Target: 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  Size: 253KB
  MD5: 5a4b3fa6f4a0079519d06323def7b733
  SHA1: 1ba0e00f1364edf9cf360a5a0ddbc99274ca5755
  SHA256: 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3
  SHA512: 386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d
Malware Config
Signatures

RevengeRAT
  Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (7 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\RegSvcs.exe | revengerat
  \Users\Admin\AppData\Roaming\RegSvcs.exe | revengerat
  C:\Users\Admin\AppData\Roaming\RegSvcs.exe | revengerat
  C:\Users\Admin\AppData\Roaming\RegSvcs.exe | revengerat
  \Users\Admin\AppData\Roaming\RegSvcs.exe | revengerat
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe | revengerat
  C:\Users\Admin\AppData\Roaming\RegSvcs.exe | revengerat

Executes dropped EXE (2 IoCs)
  pid | process
  736 | RegSvcs.exe
  1512 | RegSvcs.exe

Drops startup file (7 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk | RegSvcs.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.URL | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe | vbc.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe | RegSvcs.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.vbs | RegSvcs.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.js | RegSvcs.exe

Loads dropped DLL (3 IoCs)
  pid | process
  1884 | 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  1884 | 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  736 | RegSvcs.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegSvcs = "C:\\Users\\Admin\\AppData\\Roaming\\RegSvcs.exe" | RegSvcs.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1884 | 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  Token: SeDebugPrivilege | 736 | RegSvcs.exe
  Token: SeDebugPrivilege | 1512 | RegSvcs.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  1428 | DllHost.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Each of the five rows below was recorded four times (20 events in total).
  description | pid | process | target process
  PID 1884 wrote to memory of 736 | 1884 | 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe | RegSvcs.exe
  PID 736 wrote to memory of 992 | 736 | RegSvcs.exe | vbc.exe
  PID 992 wrote to memory of 1756 | 992 | vbc.exe | cvtres.exe
  PID 736 wrote to memory of 540 | 736 | RegSvcs.exe | schtasks.exe
  PID 1312 wrote to memory of 1512 | 1312 | taskeng.exe | RegSvcs.exe
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6qq_4bv_.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2E2.tmp"

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
      - Creates scheduled task(s)

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9A8367D0-F039-4BE3-87E5-AB8981290ACD} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\RegSvcs.exe
    Command line: C:\Users\Admin\AppData\Roaming\RegSvcs.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  Memory dumps:
    memory/540-71-0x0000000000000000-mapping.dmp
    memory/736-58-0x0000000000000000-mapping.dmp
    memory/736-62-0x0000000074120000-0x00000000746CB000-memory.dmp (5.7MB)
    memory/992-64-0x0000000000000000-mapping.dmp
    memory/1428-73-0x00000000000F0000-0x00000000000F2000-memory.dmp (8KB)
    memory/1512-75-0x0000000000000000-mapping.dmp
    memory/1512-78-0x0000000074120000-0x00000000746CB000-memory.dmp (5.7MB)
    memory/1756-68-0x0000000000000000-mapping.dmp
    memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp (8KB)
    memory/1884-55-0x00000000746D0000-0x0000000074C7B000-memory.dmp (5.7MB)