Overview

overview

10

Static

static

a6bf7a9b69...7a.exe

windows7_x64

10

a6bf7a9b69...7a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-04-2022 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe

  • Size

    1.2MB

  • MD5

    9adfedfedfc7b1d46190e5877a805394

  • SHA1

    34dc9f850ae29c7fc9c741c6f965b1eeda2ebdb0

  • SHA256

    a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a

  • SHA512

    3f7b81d359ff78708c5b3bbc2ec3870747a81c16320a3b3bb83e68bb22e7496acd000769c932e017f242206064ca73297c89381296ca68e72af55f44564f08b0

Score
10/10
revengeratnyancatrevengeevasionpersistencetrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe
    "C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe
      "C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe"
      2⤵
        PID:448
      • C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe
        "C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe"
        2⤵
          PID:1992
        • C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe
          "C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe"
          2⤵
            PID:3428
          • C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe
            "C:\Users\Admin\AppData\Local\Temp\a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe"
            2⤵
            • Checks processor information in registry
            PID:788
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 2356
            2⤵
            • Program crash
            PID:3108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4104 -ip 4104
          1⤵
            PID:1784

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            968cb9309758126772781b83adb8a28f

            SHA1

            8da30e71accf186b2ba11da1797cf67f8f78b47c

            SHA256

            92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

            SHA512

            4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            28c2a5cc9f281fa48b76973bf97a98d5

            SHA1

            b960c103bf689381bf10ce95502ca0bba9366fe9

            SHA256

            7f85223302cc875f1142b85fb4df9db74fb22544e7377fc3b2e4f1ddce9f4fd0

            SHA512

            f1f19bf367d5982a1400ebfad5f34f2ecbe3894a65ed5eb5ab43646778f90c63538e349c90dcd003dbfd97e5f3e1ab9796fb75d3ea4d84b26720e08b39fe0cce

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            fd7f5fadb211537774cc48173c3b347c

            SHA1

            b584a810298fab251274c9d2b20dfac79ba85e95

            SHA256

            2e10a87a3408711c32edc39dbf32050ff7215a016431a5a238361c5cf4a1d2ef

            SHA512

            5b811af9d37c9f97b78d0382caea4e5b386509f14d239a47611390ba87b23b1c0bf63e719ac2025abbcbe9aed08c8ec86cfa24a750b75064f075fe095c0e8ace

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            558ecb2be504923968ad6d3bf0b00737

            SHA1

            7cc12c3679311d8c4b332d60a372e0927a1973e3

            SHA256

            65e19b8bc7e58a099045359d4fca42140a73978d21cdf9b37ac67909ff5bb5f4

            SHA512

            e38855c7abc65dd6f6f2942c3e27f2dcd86bc987ac300c738e7fa1330773f601cf74e5774334b91bf8b7c487bbb6eae5728236c91b560e13b16b169167a50365

            Download Submit

          • memory/448-145-0x0000000000000000-mapping.dmp

            Download

          • memory/788-149-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/788-148-0x0000000000000000-mapping.dmp

            Download

          • memory/1992-146-0x0000000000000000-mapping.dmp

            Download

          • memory/2096-142-0x0000000006150000-0x00000000061B6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2096-139-0x0000000000000000-mapping.dmp

            Download

          • memory/2096-165-0x0000000007E80000-0x0000000007E9A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2096-157-0x000000006F9D0000-0x000000006FA1C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2096-153-0x00000000054E5000-0x00000000054E7000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2832-156-0x000000006F9D0000-0x000000006FA1C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2832-151-0x0000000002515000-0x0000000002517000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2832-154-0x00000000061D0000-0x0000000006202000-memory.dmp

            Filesize

            200KB

            Download

          • memory/2832-162-0x0000000006F70000-0x0000000006F7A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2832-138-0x00000000022E0000-0x0000000002316000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2832-135-0x0000000000000000-mapping.dmp

            Download

          • memory/3004-152-0x0000000004855000-0x0000000004857000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3004-143-0x00000000056E0000-0x0000000005746000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3004-141-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3004-159-0x000000006F9D0000-0x000000006FA1C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3004-166-0x0000000007390000-0x0000000007398000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3004-136-0x0000000000000000-mapping.dmp

            Download

          • memory/3004-164-0x00000000072A0000-0x00000000072AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3428-147-0x0000000000000000-mapping.dmp

            Download

          • memory/4104-130-0x0000000000210000-0x000000000033C000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4104-132-0x00000000053E0000-0x0000000005984000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4104-133-0x0000000004E30000-0x0000000004EC2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4104-131-0x0000000004C90000-0x0000000004D2C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4104-134-0x0000000004D70000-0x0000000004D7A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4860-150-0x00000000048A5000-0x00000000048A7000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4860-163-0x0000000007140000-0x00000000071D6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/4860-160-0x0000000007500000-0x0000000007B7A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4860-161-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4860-158-0x0000000006B20000-0x0000000006B3E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4860-155-0x000000006F9D0000-0x000000006FA1C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4860-144-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4860-140-0x0000000004EE0000-0x0000000005508000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4860-137-0x0000000000000000-mapping.dmp

            Download