Analysis
- max time kernel: 147s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 21:31
Static task: static1
Behavioral task: behavioral1
  Sample: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Resource: win10v2004-20220414-en
General
- Target: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
- Size: 7.2MB
- MD5: 3955a6d8e167f30a9254d4754425da8d
- SHA1: 0bfee09bc4d80744a28c32670d8c2c09e696e0ef
- SHA256: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c
- SHA512: 3b7a838e7207b4eaf770d55ad7f929839f4197d15b2a51787da52eafe63151ee117a8f995c58350f94596e8d2e1a1a2093cc1415835f1c09b51caad1b7faa484
Malware Config
Extracted
- Family: revengerat
- Botnet: Guest
- C2: rattedlmao.ddns.net:1337
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe | revengerat
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe | revengerat
- Executes dropped EXE (1 IoCs)
  Processes: svchost.exe
  pid | process
  1636 | svchost.exe
- Drops startup file (7 IoCs)
  Processes: svchost.exe, vbc.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.URL | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | vbc.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js | svchost.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nigga = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\svchost.exe" | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 1688 | 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Token: SeDebugPrivilege | 1636 | svchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe, svchost.exe, vbc.exe
  description | pid | process | target process
  PID 1688 wrote to memory of 1636 | 1688 | 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe | svchost.exe
  PID 1688 wrote to memory of 1636 | 1688 | 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe | svchost.exe
  PID 1688 wrote to memory of 1636 | 1688 | 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe | svchost.exe
  PID 1636 wrote to memory of 1300 | 1636 | svchost.exe | vbc.exe
  PID 1636 wrote to memory of 1300 | 1636 | svchost.exe | vbc.exe
  PID 1636 wrote to memory of 1300 | 1636 | svchost.exe | vbc.exe
  PID 1300 wrote to memory of 1680 | 1300 | vbc.exe | cvtres.exe
  PID 1300 wrote to memory of 1680 | 1300 | vbc.exe | cvtres.exe
  PID 1300 wrote to memory of 1680 | 1300 | vbc.exe | cvtres.exe
  PID 1636 wrote to memory of 1660 | 1636 | svchost.exe | schtasks.exe
  PID 1636 wrote to memory of 1660 | 1636 | svchost.exe | schtasks.exe
  PID 1636 wrote to memory of 1660 | 1636 | svchost.exe | schtasks.exe
Processes (process tree; indentation shows parent/child depth)

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Process (depth 2): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Process (depth 3): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndz78q3o.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory

      Process (depth 4): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7947.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7936.tmp"

    Process (depth 3): C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Cozmics" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
      - Creates scheduled task(s)

Process (depth 1): C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F9A92814-BB8B-49A9-BCF5-8932A280C06D} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7947.tmp
- C:\Users\Admin\AppData\Local\Temp\ndz78q3o.0.vb
  Filesize: 180B
  MD5: b8fa89af650dbff72d2e0538daea9d76
  SHA1: 36201ecf6ab056d059c07a2cf01b3771c08c956e
  SHA256: 59909c12b1a7d2d7269cb565a12ae3621ac7d1d7aea6c08d471bafa235b78959
  SHA512: 8f3879c6fe947b7285b7252fc88416d25e81c004338908ad4464de9fc119e30e625f7ffcaf96fc96e408488ccf0251526b947c60a6f17deaaa75eca7c84c5678
- C:\Users\Admin\AppData\Local\Temp\ndz78q3o.cmdline
  Filesize: 195B
  MD5: 2f5ce560a77436efdb06f2fce9611ee7
  SHA1: fc20f9a6e9366604689f1722d88eabcee9b54d05
  SHA256: 3746e04a63c2faca87f343621babbe576d9611cc8fa005368383218487a54f6c
  SHA512: 0e8eb5c472b95ca82e8567f0d2c0431ebd23766b6743774e419d7fad3f18413b06af17b3af5ca8f21c997ea08f3808188f4badb8e39372ca43f419ca4bb79017
- C:\Users\Admin\AppData\Local\Temp\vbc7936.tmp
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
  Filesize: 3.4MB
  MD5: 2cc295938bd451dd6307e4881c8c9a5b
  SHA1: b0f605fba15ddd8e2f8c4058bd7e346cf85df75f
  SHA256: d75f9ee76cf68e915afd9b9285d3693f4df756102a46994149c307f9833fa359
  SHA512: 1fc3ecc8c0c7c8803e2663f79afd7c4aaa5feab26b3a483ff456b3e31dd0a5ad2512e518594b4ac483220719edf138b8dc3a4192b04e636aa98d8ec6bc7c26c9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
  Filesize: 4.9MB
  MD5: 591e0a58f891a5adc426c5db28a1ab69
  SHA1: b79f43fd6f4cbd48663a127650f48da0ac14c801
  SHA256: 6385f1a2603ffb71351aa870120bf62975cf573f1e7b9e89deee6c2d8ede6808
  SHA512: e5d8b82ebe1bc9c74481e02b1811aa56a3d7a5802ba6dcde90ebe281b2746bd54cece4558776cb5a9351b1956109c9f73575dcae64d81f2aa65b1b5f95b0f406
- memory/1300-61-0x0000000000000000-mapping.dmp
- memory/1636-59-0x000007FEF2830000-0x000007FEF38C6000-memory.dmp
  Filesize: 16.6MB
- memory/1636-56-0x0000000000000000-mapping.dmp
- memory/1660-68-0x0000000000000000-mapping.dmp
- memory/1680-65-0x0000000000000000-mapping.dmp
- memory/1688-54-0x000007FEF2AA0000-0x000007FEF3B36000-memory.dmp
  Filesize: 16.6MB
- memory/1688-55-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
  Filesize: 8KB