Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 04:05
Static task
static1
Behavioral task
behavioral1
Sample
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Resource
win10v2004-20220414-en
General
-
Target
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
-
Size
17KB
-
MD5
4a1e9090a6a6bc9dda8706d35e5ef027
-
SHA1
8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
-
SHA256
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
-
SHA512
961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:17455
RV_MUTEX-iYAoBLOacwYd
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\Documents\Client.exe revengerat C:\Users\Admin\Documents\Client.exe revengerat -
Executes dropped EXE 1 IoCs
Processes:
Client.exepid process 4760 Client.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Client.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1736 powershell.exe 1736 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exepowershell.exedescription pid process Token: SeDebugPrivilege 2496 fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe Token: SeDebugPrivilege 4760 Client.exe Token: SeDebugPrivilege 1736 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exedescription pid process target process PID 2496 wrote to memory of 4760 2496 fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe Client.exe PID 2496 wrote to memory of 4760 2496 fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe Client.exe PID 4760 wrote to memory of 1736 4760 Client.exe powershell.exe PID 4760 wrote to memory of 1736 4760 Client.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe"C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Client.exe"C:\Users\Admin\Documents\Client.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('congradulations you got fuckin hacked','HAHA')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\Client.exeFilesize
17KB
MD54a1e9090a6a6bc9dda8706d35e5ef027
SHA18f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
SHA256fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
SHA512961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a
-
C:\Users\Admin\Documents\Client.exeFilesize
17KB
MD54a1e9090a6a6bc9dda8706d35e5ef027
SHA18f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
SHA256fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
SHA512961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a
-
memory/1736-135-0x0000000000000000-mapping.dmp
-
memory/1736-136-0x000002CEA6710000-0x000002CEA6732000-memory.dmpFilesize
136KB
-
memory/1736-137-0x000002CE8CD30000-0x000002CE8D7F1000-memory.dmpFilesize
10.8MB
-
memory/2496-130-0x00007FFD44AB0000-0x00007FFD454E6000-memory.dmpFilesize
10.2MB
-
memory/4760-131-0x0000000000000000-mapping.dmp
-
memory/4760-134-0x00007FFD44AB0000-0x00007FFD454E6000-memory.dmpFilesize
10.2MB