Analysis
- max time kernel: 4294213s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 26-03-2022 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe
- Resource: win10v2004-en-20220113
General
- Target: f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe
- Size: 282KB
- MD5: dece6e230754c2dd68b1f6d3c99daec0
- SHA1: 480a3c2e6cba0b6d8ac1ca43e18406d600ae3065
- SHA256: f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc
- SHA512: ffc69eb3396c0187371c28938727bf4900f5890589d7d727298ef2911f663e37ccddefcaf6ec6ac0a22f55ccc0416730e875222bca8a54194e759cadbb93f405
Malware Config
Extracted configuration:
- Family: revengerat
- NyanCatRevenge
- C2: xcosgate.ddns.net:2281
- 9bdaf219ee774b13b
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
- Suspicious use of SetThreadContext (1 IoC)
  PID 892 (f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe) set thread context of PID 1420 (f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 892 (f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe) Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 892 (f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe) wrote to memory of PID 1420 (f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe); 9 identical entries
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe (PID 892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe"
  Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 892): C:\Users\Admin\AppData\Local\Temp\f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe (PID 1420)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3499767b9a757f79b6c92df777b9de33ff65b0f8c2f49eda60c6306d4c632dc.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/892-54-0x0000000000FB0000-0x0000000000FFA000-memory.dmp (296KB)
- memory/892-55-0x0000000004940000-0x00000000049BE000-memory.dmp (504KB)
- memory/892-56-0x0000000000410000-0x0000000000452000-memory.dmp (264KB)
- memory/892-57-0x00000000004C0000-0x00000000004DC000-memory.dmp (112KB)
- memory/1420-59-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1420-58-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1420-61-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1420-62-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1420-63-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1420-64-0x0000000000404F7E-mapping.dmp
- memory/1420-66-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1420-68-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)