Analysis
- max time kernel: 187s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 18:17
Static task: static1
Behavioral task: behavioral1
  Sample: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
  Resource: win10v2004-20220414-en
General
- Target: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
- Size: 55KB
- MD5: e62a598e2a43efb4aa080455d70ad9c4
- SHA1: ec296fd2130c41479c9743fb93cdaab8675882d6
- SHA256: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69
- SHA512: 593e714e18181f95b2f25bc556f0ee3e9ed26981d4611eeb7516c7453405387562ab693dd24df39019d226e14352b4095fe8a787e4c8723fa1e51649d9000d29
Malware Config
Extracted
revengerat
MR_ahmed
192.168.1.2:333
9f8d2a8cc3e644
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Drops startup file (2 IoCs)
  Processes: cmd.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
  description | pid | process | target process
  PID 4180 set thread context of 2568 | 4180 | 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe | 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
  description | pid | process
  Token: SeDebugPrivilege | 4180 | 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe, cmd.exe
  description | pid | process | target process
  PID 4180 wrote to memory of 2568 (8 events) | 4180 | 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe | 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
  PID 4180 wrote to memory of 2936 (3 events) | 4180 | 37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe | cmd.exe
  PID 2936 wrote to memory of 3676 (3 events) | 2936 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4180
   2. C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe"
      PID: 2568
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 10 & copy "C:\Users\Admin\AppData\Local\Temp\x.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      PID: 2936
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 10
         - Runs ping.exe
         PID: 3676
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\x.exe
  Filesize: 11KB
  MD5: 9b8b1fc82d2a8c79261cec2175c2a61e
  SHA1: b7b1fccfe1e933593102ef3578406054df28dee8
  SHA256: 997f95070dd2348e0b2018c0f848a317a0bab05fd9befd3483508f9130572cb8
  SHA512: 6894269391f398ed4c4e3c0a00257db2c862de4ef01648c6505f3aa72f1014c8f2282499f4e861e0c7d81828b9465006f17ecac5e608dcc5fb0561938211f7ef
- memory/2568-131-0x0000000000000000-mapping.dmp
- memory/2568-132-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/2568-135-0x0000000074B90000-0x0000000075141000-memory.dmp
  Filesize: 5.7MB
- memory/2936-133-0x0000000000000000-mapping.dmp
- memory/3676-134-0x0000000000000000-mapping.dmp
- memory/4180-130-0x0000000074B90000-0x0000000075141000-memory.dmp
  Filesize: 5.7MB