Analysis
- max time kernel: 161s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 21:31
Static task: static1
Behavioral task: behavioral1
  Sample: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Resource: win10v2004-20220414-en
General
- Target: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
- Size: 7.2MB
- MD5: 3955a6d8e167f30a9254d4754425da8d
- SHA1: 0bfee09bc4d80744a28c32670d8c2c09e696e0ef
- SHA256: 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c
- SHA512: 3b7a838e7207b4eaf770d55ad7f929839f4197d15b2a51787da52eafe63151ee117a8f995c58350f94596e8d2e1a1a2093cc1415835f1c09b51caad1b7faa484
Malware Config
Extracted
- Family: revengerat
- Botnet: Guest
- C2: rattedlmao.ddns.net:1337
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe / revengerat
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe / revengerat
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    3036 / svchost.exe
    868 / svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
- Drops startup file (7 IoCs)
  Processes (description / ioc / process):
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs / svchost.exe
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js / svchost.exe
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk / svchost.exe
    File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.URL / svchost.exe
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe / vbc.exe
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe / svchost.exe
    File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe / svchost.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nigga = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\svchost.exe" / svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3628 / 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
    Token: SeDebugPrivilege / 3036 / svchost.exe
    Token: SeDebugPrivilege / 868 / svchost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 3628 wrote to memory of 3036 / 3628 / 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe / svchost.exe
    PID 3628 wrote to memory of 3036 / 3628 / 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe / svchost.exe
    PID 3036 wrote to memory of 3168 / 3036 / svchost.exe / vbc.exe
    PID 3036 wrote to memory of 3168 / 3036 / svchost.exe / vbc.exe
    PID 3168 wrote to memory of 4868 / 3168 / vbc.exe / cvtres.exe
    PID 3168 wrote to memory of 4868 / 3168 / vbc.exe / cvtres.exe
    PID 3036 wrote to memory of 3740 / 3036 / svchost.exe / schtasks.exe
    PID 3036 wrote to memory of 3740 / 3036 / svchost.exe / schtasks.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD3DA8F1217546C5B697E878563C170.TMP"
    Depth 3: C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Cozmics" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
      - Creates scheduled task(s)
Depth 1: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp
- C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.0.vb
- C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.cmdline
- C:\Users\Admin\AppData\Local\Temp\vbcBD3DA8F1217546C5B697E878563C170.TMP
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
  Filesize: 4.9MB
  MD5: 3f5e3a2bc51d95dcb5c5d1885fe3be50
  SHA1: 2d0583c5a44bfb212eac4688b135092b75231967
  SHA256: 5810289beb84532db618e5fa9cdbd1b16bf8f7d13b96af2551152801774d1e79
  SHA512: 5fa6679c84d7949b8d965f70622af9dd401a02290c23dcb696ec8424e80a1fdd1e53aba628d2e368c81e32e8b95925793dee128b2c7bc79e31d5cedcc1067c99
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
  Filesize: 4.4MB
  MD5: 6760e3011051726c4d9a5148d6a37917
  SHA1: b844ec3fb1dc128209ceccf6971f2213b1bcf829
  SHA256: ab79c67171969af077941e4c2323da7809841c360dc84f60212c965d78f1fed5
  SHA512: 084cedb71a865d627b22d40172f4287a65f81d1f5f90b03dd68fe13a8a7a9941f8aca0b196da3623d27438188f0c5df5a3d0e11d656557044423ab5abe546749
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
- memory/3036-130-0x0000000000000000-mapping.dmp
- memory/3168-133-0x0000000000000000-mapping.dmp
- memory/3740-140-0x0000000000000000-mapping.dmp
- memory/4868-137-0x0000000000000000-mapping.dmp