Analysis
- max time kernel: 4294210s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 29-03-2022 18:47
Static task: static1
Behavioral task: behavioral1
- Sample: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
- Resource: win10v2004-en-20220113
General
- Target: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
- Size: 218KB
- MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
- SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
- SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
- SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (7 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Roaming\RegSvcs.exe: revengerat
  - \Users\Admin\AppData\Roaming\RegSvcs.exe: revengerat
  - \Users\Admin\AppData\Roaming\RegSvcs.exe: revengerat
  - C:\Users\Admin\AppData\Roaming\RegSvcs.exe: revengerat
  - \Users\Admin\AppData\Roaming\RegSvcs.exe: revengerat
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe: revengerat
  - C:\Users\Admin\AppData\Roaming\RegSvcs.exe: revengerat
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 112 RegSvcs.exe
  - 1448 RegSvcs.exe
- Drops startup file (7 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe (vbc.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe (RegSvcs.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe (RegSvcs.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.vbs (RegSvcs.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.js (RegSvcs.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk (RegSvcs.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.URL (RegSvcs.exe)
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  - 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
  - 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
  - 112 RegSvcs.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegSvcs = "C:\\Users\\Admin\\AppData\\Roaming\\RegSvcs.exe" (RegSvcs.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
  - Token: SeDebugPrivilege 112 RegSvcs.exe
  - Token: SeDebugPrivilege 1448 RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process):
  - PID 1996 wrote to memory of 112: 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe -> RegSvcs.exe
  - PID 1996 wrote to memory of 112: 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe -> RegSvcs.exe
  - PID 1996 wrote to memory of 112: 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe -> RegSvcs.exe
  - PID 1996 wrote to memory of 112: 1996 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe -> RegSvcs.exe
  - PID 112 wrote to memory of 1520: 112 RegSvcs.exe -> vbc.exe
  - PID 112 wrote to memory of 1520: 112 RegSvcs.exe -> vbc.exe
  - PID 112 wrote to memory of 1520: 112 RegSvcs.exe -> vbc.exe
  - PID 112 wrote to memory of 1520: 112 RegSvcs.exe -> vbc.exe
  - PID 1520 wrote to memory of 1032: 1520 vbc.exe -> cvtres.exe
  - PID 1520 wrote to memory of 1032: 1520 vbc.exe -> cvtres.exe
  - PID 1520 wrote to memory of 1032: 1520 vbc.exe -> cvtres.exe
  - PID 1520 wrote to memory of 1032: 1520 vbc.exe -> cvtres.exe
  - PID 112 wrote to memory of 1352: 112 RegSvcs.exe -> schtasks.exe
  - PID 112 wrote to memory of 1352: 112 RegSvcs.exe -> schtasks.exe
  - PID 112 wrote to memory of 1352: 112 RegSvcs.exe -> schtasks.exe
  - PID 112 wrote to memory of 1352: 112 RegSvcs.exe -> schtasks.exe
  - PID 1708 wrote to memory of 1448: 1708 taskeng.exe -> RegSvcs.exe
  - PID 1708 wrote to memory of 1448: 1708 taskeng.exe -> RegSvcs.exe
  - PID 1708 wrote to memory of 1448: 1708 taskeng.exe -> RegSvcs.exe
  - PID 1708 wrote to memory of 1448: 1708 taskeng.exe -> RegSvcs.exe
Processes (process tree; nesting shows parent/child depth)
- Level 1: C:\Users\Admin\AppData\Local\Temp\74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Roaming\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brm1gaow.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6691.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6690.tmp"
    - Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
      - Creates scheduled task(s)
- Level 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {38843208-A0D0-48F4-A7AE-7308B7453144} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Roaming\RegSvcs.exe
    Command line: C:\Users\Admin\AppData\Roaming\RegSvcs.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES6691.tmp
  Filesize: 1KB
  MD5: d8b6ba3ed2061a6e594323f8e880b120
  SHA1: e07f865d51f2bfaf1a7ac1579a3ba89d97632e39
  SHA256: 0b603a9cb3fa3d4acdeed622736417282b812c374dcd6b988d8f6885a82ca51e
  SHA512: 143570dc0c4050e8e672958454c9249f26b94c1263811fec7bacf5515fa2b05d8e58a8ab69afb6b1085ba25aa4df40500a2e541df0d7740d5fba8e744df86be9
- C:\Users\Admin\AppData\Local\Temp\brm1gaow.0.vb
  Filesize: 152B
  MD5: 58d804d072d197fe2ac06f5a2a29a4f5
  SHA1: 06cf7a6be879a1255a755f5166489bd4b01c2eb2
  SHA256: b3ffab9f80a378c1220d6a94510b7ed4109f3c2856bfdb66e463dcc55e6873f6
  SHA512: e34db96456f9b9a3a1939e8ac52fdde5848547c38cc09e8ce9ba24a704eeaafba56da570e890805ff20fbc35e0c65c9614441e88481e7f72b583977019573add
- C:\Users\Admin\AppData\Local\Temp\brm1gaow.cmdline
  Filesize: 195B
  MD5: 6c783cc08c29fad634029a36df3287dd
  SHA1: ef0e25e6e1d69d18d4881b57226425e42877954a
  SHA256: 224319e4ed04ccca2ffc2a6093c36e9ced160368ef4a3de09157d2929f9b2913
  SHA512: a20a73f18d7b9c9b796ee7a3d9c8ee1d50d986a25dc0802d3b17313ac3a4f0ad9b50b3cd69b5d10d162166eded98594759626a770c15f98f15ec9e6e6df386c1
- C:\Users\Admin\AppData\Local\Temp\vbc6690.tmp
  Filesize: 644B
  MD5: 1ec7eb9fc04b4875c6d0f0f8a8b07fb0
  SHA1: bf88f3803548c1d4b7cf13eff8148458d6edf10b
  SHA256: 741e96f4ca691e0a332ada5b72fb8d1e8f4be8b58a98e7b1415c48b1b7eff3e3
  SHA512: fedd17e57c1f245b65df77427af9ad2fd1f9db8dbe6ceee9844ea83af6e3b92d2fb6445c1ff408926c4409fbcdb6650afccf83da93ed80bccec7087bf999ae90
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- C:\Users\Admin\AppData\Roaming\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- C:\Users\Admin\AppData\Roaming\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- C:\Users\Admin\AppData\Roaming\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- \Users\Admin\AppData\Roaming\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- \Users\Admin\AppData\Roaming\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- \Users\Admin\AppData\Roaming\RegSvcs.exe
  Filesize: 218KB
  MD5: bc81f713f5c4ea0d5a77dc19bf4ee185
  SHA1: 05768e9d217782b66e622cdb4d8ec28a63a8a5d8
  SHA256: 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
  SHA512: a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541
- memory/112-58-0x0000000000000000-mapping.dmp
- memory/112-62-0x0000000073C50000-0x00000000741FB000-memory.dmp
  Filesize: 5.7MB
- memory/1032-68-0x0000000000000000-mapping.dmp
- memory/1352-71-0x0000000000000000-mapping.dmp
- memory/1448-72-0x0000000000000000-mapping.dmp
- memory/1448-75-0x0000000073C50000-0x00000000741FB000-memory.dmp
  Filesize: 5.7MB
- memory/1520-64-0x0000000000000000-mapping.dmp
- memory/1996-54-0x0000000074C61000-0x0000000074C63000-memory.dmp
  Filesize: 8KB
- memory/1996-55-0x0000000074200000-0x00000000747AB000-memory.dmp
  Filesize: 5.7MB