Analysis
- max time kernel: 87s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:05
- Static task: static1
- Behavioral task: behavioral1
  Sample: fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
  Resource: win10v2004-20220414-en
General
- Target: fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
- Size: 17KB
- MD5: 4a1e9090a6a6bc9dda8706d35e5ef027
- SHA1: 8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
- SHA256: fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
- SHA512: 961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a
Malware Config
Extracted family: revengerat
- ID: Guest
- C2: 0.tcp.ngrok.io:17455
- Mutex: RV_MUTEX-iYAoBLOacwYd
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\Documents\Client.exe | revengerat
  C:\Users\Admin\Documents\Client.exe | revengerat
- Executes dropped EXE (1 IoC)
  pid | process
  1232 | Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | Client.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Client.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  1536 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1980 | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
  Token: SeDebugPrivilege | 1232 | Client.exe
  Token: SeDebugPrivilege | 1536 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 1980 wrote to memory of 1232 | 1980 | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe | Client.exe
  PID 1980 wrote to memory of 1232 | 1980 | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe | Client.exe
  PID 1980 wrote to memory of 1232 | 1980 | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe | Client.exe
  PID 1232 wrote to memory of 1536 | 1232 | Client.exe | powershell.exe
  PID 1232 wrote to memory of 1536 | 1232 | Client.exe | powershell.exe
  PID 1232 wrote to memory of 1536 | 1232 | Client.exe | powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe"
   - Checks processor information in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\Client.exe (child of 1)
      Command line: "C:\Users\Admin\Documents\Client.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2)
         Command line: powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('congradulations you got fuckin hacked','HAHA')
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\Client.exe
  Filesize: 17KB
  MD5: 4a1e9090a6a6bc9dda8706d35e5ef027
  SHA1: 8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
  SHA256: fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
  SHA512: 961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a
  (All four hashes match the submitted sample: the dropped Client.exe is a byte-for-byte copy of the original executable.)