Analysis
-
max time kernel
71s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 22:51
Static task
static1
Behavioral task
behavioral1
Sample
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
Resource
win10v2004-20220414-en
General
-
Target
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
-
Size
73KB
-
MD5
c614070ca1587a1512a857dd520e22ca
-
SHA1
ba8f33ced64886e0d8f02ecef1da17f653e8438c
-
SHA256
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee
-
SHA512
865aa8428b784119d48ea5969968d5f8b872e22b8b3aab2db7f907324d02290188f0e3d3654650178e013a528f8f5f9265f563b0056b0c365114757869601ead
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe revengerat C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe revengerat behavioral2/memory/8-141-0x0000000000400000-0x0000000000418000-memory.dmp revengerat behavioral2/memory/8-139-0x0000000000400000-0x0000000000418000-memory.dmp revengerat -
Executes dropped EXE 1 IoCs
Processes:
Eeuxi.exepid process 4556 Eeuxi.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Eeuxi.exeRegAsm.exedescription pid process target process PID 4556 set thread context of 8 4556 Eeuxi.exe RegAsm.exe PID 8 set thread context of 4468 8 RegAsm.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 4852 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Eeuxi.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 4556 Eeuxi.exe Token: SeDebugPrivilege 8 RegAsm.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exeEeuxi.exeRegAsm.exedescription pid process target process PID 3232 wrote to memory of 4556 3232 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe Eeuxi.exe PID 3232 wrote to memory of 4556 3232 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe Eeuxi.exe PID 3232 wrote to memory of 4556 3232 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe Eeuxi.exe PID 3232 wrote to memory of 4852 3232 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe NOTEPAD.EXE PID 3232 wrote to memory of 4852 3232 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe NOTEPAD.EXE PID 3232 wrote to memory of 4852 3232 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe NOTEPAD.EXE PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 4556 wrote to memory of 8 4556 Eeuxi.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe PID 8 wrote to memory of 4468 8 RegAsm.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe"C:\Users\Admin\AppData\Local\Temp\86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Rkcrkt.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe"C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
-
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exeFilesize
62KB
MD5d688b3d533d9c52e3c0c1d3bfa5776d4
SHA193a192a0f6eee57cec912737fedca5c3ff3e4cf5
SHA256582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396
SHA51266747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb
-
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exeFilesize
62KB
MD5d688b3d533d9c52e3c0c1d3bfa5776d4
SHA193a192a0f6eee57cec912737fedca5c3ff3e4cf5
SHA256582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396
SHA51266747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb
-
C:\Users\Admin\AppData\Local\Temp\UwCkjosn.txtFilesize
43B
MD5231a2b62e49e8c8ff5f2b629166efa0d
SHA1689336b77ff41d2c4fabe2fff95ba288c94860ea
SHA2561df0e755f2abdd2f5c644964a38f578c58b63a36425c65882132728222e4c903
SHA512b7cc64a84cf7bbd227d86b309644efd7f2d080eeecea3ac7aaa2b919b662e068b7e38e7ab6223b2d86f7732dfca45fed50d24185e8eec8ef9c072c9f6d1a617b
-
memory/8-138-0x0000000000000000-mapping.dmp
-
memory/8-141-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/8-144-0x0000000005050000-0x00000000050B6000-memory.dmpFilesize
408KB
-
memory/8-143-0x0000000004F40000-0x0000000004FDC000-memory.dmpFilesize
624KB
-
memory/8-139-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3232-130-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3232-133-0x0000000005120000-0x000000000512A000-memory.dmpFilesize
40KB
-
memory/3232-132-0x0000000004930000-0x00000000049C2000-memory.dmpFilesize
584KB
-
memory/3232-131-0x0000000004A00000-0x0000000004FA4000-memory.dmpFilesize
5.6MB
-
memory/4468-146-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4468-145-0x0000000000000000-mapping.dmp
-
memory/4556-142-0x000000006F670000-0x000000006FC21000-memory.dmpFilesize
5.7MB
-
memory/4556-134-0x0000000000000000-mapping.dmp
-
memory/4852-137-0x0000000000000000-mapping.dmp