Analysis
- max time kernel: 157s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 13:29
Static task: static1
Behavioral task: behavioral1
- Sample: REORDER_.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: REORDER_.exe
- Resource: win10v2004-20220414-en
General
- Target: REORDER_.exe
- Size: 339KB
- MD5: 965a50b0cb0e05ba3fb39aa2dfb64980
- SHA1: f9d0711a8f6f430ec3bfc597be43592cebdc649e
- SHA256: cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d
- SHA512: 43c37e8457f55ed52b8e9ae3cce7fe4ea5403d27f58a674fa0ee976b99bda8704dedd4fe0caa4cb93d758349b02acea22faf0a0a672cc87ebb938878c6d7c3fb
Malware Config
Extracted
- Family: revengerat
- Campaign ID: Guest
- C2: lordiyke.duckdns.org:2336
- Mutex: RV_MUTEX-YqqNLCGRFbTXZM
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRAT Executable (1 IoC)
  YARA rule revengerat matched in behavioral2 on memory/3232-135-0x0000000000400000-0x0000000000408000-memory.dmp, the 32KB region at 0x400000 inside MSBuild.exe (PID 3232).
- Suspicious use of SetThreadContext (1 IoC)
  PID 2356 (REORDER_.exe) set the thread context of PID 3232 (MSBuild.exe). Together with the seven WriteProcessMemory calls into the same PID listed below, this is the process-hollowing pattern: a child is started from the legitimate MSBuild.exe image, the payload is written over its memory, and execution is redirected to it with SetThreadContext. That matches the YARA hit above landing inside PID 3232.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Windowsupdator is registered from an XML file dropped in the user's Temp directory (see the process tree and Downloads below).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3232 (MSBuild.exe) enabled SeDebugPrivilege in its token.
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2356 (REORDER_.exe) wrote to memory of PID 3848 (cmd.exe): 3 times
  PID 3848 (cmd.exe) wrote to memory of PID 4228 (schtasks.exe): 3 times
  PID 2356 (REORDER_.exe) wrote to memory of PID 3232 (MSBuild.exe): 7 times
  The three writes into each of cmd.exe and schtasks.exe are what a parent normally does when it creates a child process; the seven writes into MSBuild.exe, followed by SetThreadContext, are the injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\REORDER_.exe (PID 2356)
   Command line: "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 3848)
      Command line: cmd /c schtasks /Create /TN Windowsupdator /XML "C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 4228)
         Command line: schtasks /Create /TN Windowsupdator /XML "C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml"
         - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3232)
      Command line: "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
      - Suspicious use of AdjustPrivilegeToken
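The behaviours in the signature list and process tree above translate directly into host-telemetry checks. The script below is an added example for this page, not the sandbox's code and not the sample's: it runs detection logic over constructed Sysmon-style event records that mirror the tree above (PIDs 2356, 3848, 4228, 3232) plus one benign developer build, flagging a scheduled task registered from an XML in the user's Temp directory, MSBuild.exe whose command line names a different executable (the hollowing tell visible in the tree), MSBuild.exe with an unexpected parent, the sample's SHA256, and DNS or connection activity to the extracted C2. Assumptions: the field names imitate Sysmon but the records are hand-built dicts, the DNS and network events are constructed from the extracted config rather than observed traffic, and BUILD_TOOL_PARENTS is an illustrative allowlist to tune per environment.

```python
"""Hunt over Sysmon-style events for the behaviours this report records.

Added example for this page: it is neither the sandbox's code nor the
sample's. The event records below are CONSTRUCTED to mirror the process tree
above (PIDs 2356, 3848, 4228, 3232) plus one benign MSBuild build; field names
imitate Sysmon (Image, ParentImage, CommandLine, QueryName) but nothing is
parsed from a real log. Indicator values are copied from the report.
"""
import re

# Indicators taken from the report.
SAMPLE_SHA256 = "cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d"
C2_HOST = "lordiyke.duckdns.org"
C2_PORT = 2336
TASK_NAME = "Windowsupdator"

# ASSUMED baseline of parents that normally launch MSBuild.exe; tune per environment.
BUILD_TOOL_PARENTS = {"devenv.exe", "cmd.exe", "powershell.exe", "dotnet.exe", "msbuild.exe"}

_ARGV0 = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted path."""
    m = _ARGV0.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def check_process_create(ev: dict) -> list:
    hits = []
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if ev.get("Hashes", {}).get("SHA256", "").lower() == SAMPLE_SHA256:
        hits.append("known_sample_hash")
    if image == "schtasks.exe":
        low = cmd.lower()
        # Persistence: task registered from an XML dropped in the user's Temp directory.
        if "/create" in low and "/xml" in low and "\\appdata\\local\\temp\\" in low:
            hits.append("schtasks_create_from_temp_xml")
        m = re.search(r'/tn\s+"?([^\s"]+)', cmd, re.I)
        if m and m.group(1).lower() == TASK_NAME.lower():
            hits.append("schtasks_known_task_name")
    if image == "msbuild.exe":
        # Hollowing tell: the image is MSBuild.exe but the command line names another EXE.
        if cmd and basename(argv0(cmd)) != "msbuild.exe":
            hits.append("msbuild_commandline_mismatch")
        if parent not in BUILD_TOOL_PARENTS:
            hits.append("msbuild_unexpected_parent")
    return hits


def check_dns(ev: dict) -> list:
    name = ev.get("QueryName", "").lower().rstrip(".")
    return ["c2_dns_query"] if name == C2_HOST else []


def check_network(ev: dict) -> list:
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    return ["c2_connect"] if host == C2_HOST and ev.get("DestinationPort") == C2_PORT else []


CHECKS = {"ProcessCreate": check_process_create, "DnsQuery": check_dns, "NetworkConnect": check_network}


def hunt(events: list) -> dict:
    """Map PID -> list of finding names, in event order."""
    out: dict = {}
    for ev in events:
        hits = CHECKS.get(ev["EventType"], lambda e: [])(ev)
        if hits:
            out.setdefault(ev["ProcessId"], []).extend(hits)
    return out


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
XML = TEMP + r"\f923d393131742579d889796201033a6.xml"
EVENTS = [  # constructed from the process tree above
    {"EventType": "ProcessCreate", "ProcessId": 2356, "Image": TEMP + r"\REORDER_.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{TEMP}\\REORDER_.exe"',
     "Hashes": {"SHA256": SAMPLE_SHA256}},
    {"EventType": "ProcessCreate", "ProcessId": 3848, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": TEMP + r"\REORDER_.exe",
     "CommandLine": f'cmd /c schtasks /Create /TN Windowsupdator /XML "{XML}"'},
    {"EventType": "ProcessCreate", "ProcessId": 4228, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'schtasks /Create /TN Windowsupdator /XML "{XML}"'},
    {"EventType": "ProcessCreate", "ProcessId": 3232,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "ParentImage": TEMP + r"\REORDER_.exe", "CommandLine": f'"{TEMP}\\REORDER_.exe"'},
    # Constructed from the extracted config, not from observed traffic.
    {"EventType": "DnsQuery", "ProcessId": 3232, "QueryName": C2_HOST},
    {"EventType": "NetworkConnect", "ProcessId": 3232, "DestinationHostname": C2_HOST, "DestinationPort": 2336},
    # Benign control: a developer build that must yield no findings.
    {"EventType": "ProcessCreate", "ProcessId": 9001,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.csproj'},
]

if __name__ == "__main__":
    for pid, findings in hunt(EVENTS).items():
        print(pid, ", ".join(findings))
```

The command-line mismatch check is the most portable of these: a hollowed process keeps the command line the dropper passed to CreateProcess (here the sample's own path) while its image is MSBuild.exe, so the check does not depend on the task name or C2 host, which will change between builds. The hash, task-name and C2 checks are sample-specific and belong in an IOC feed rather than a detection rule.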
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml
  Filesize: 1KB
  MD5: 4bc650407ae944dd0007bfad84f060aa
  SHA1: 51a2c1d9a73bfaa6dc1fe1f7c4133b301f85fd6c
  SHA256: 2ad315e9b94342a64e978378d69ff8ab70b73e8673a88015399378c55e290dfa
  SHA512: d0cc05f256c55ed86ae8b74d61549106d7eba61b27e5c8594fa97b9094324d7db70c55830ae043e5db28cf744f88e2f0a2e3fba5d7f4aa05c90966835f6aa657
- memory/2356-130-0x0000000000580000-0x00000000005DA000-memory.dmp
  Filesize: 360KB
- memory/3232-134-0x0000000000000000-mapping.dmp
- memory/3232-135-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/3232-136-0x0000000074B00000-0x00000000750B1000-memory.dmp
  Filesize: 5.7MB
- memory/3848-131-0x0000000000000000-mapping.dmp
- memory/4228-132-0x0000000000000000-mapping.dmp