Analysis
- max time kernel: 81s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 22:56

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
  Resource: win10v2004-20220414-en
General
- Target: 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
- Size: 17KB
- MD5: cbebcbc400c95f9e0902c71000a79eec
- SHA1: 9a190e9e398fa7cdf34a8c251f656a671e6ace31
- SHA256: 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5
- SHA512: 1effe5d3a55742f070aade5a5038b36517f0de72ce15cdfa9fff0f8ec5f8505fd44860d49becbe8c75b4752adf12a88e50eaac306e9f57c9a7f39d6b0b53716e
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: 0.tcp.ngrok.io:17455
- Mutex: RV_MUTEX-bWSTUKIWwiej
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
    resource                               yara_rule
    C:\Users\Admin\Documents\Client.exe    revengerat
    C:\Users\Admin\Documents\Client.exe    revengerat
- Executes dropped EXE (1 IoC)
  Processes:
    pid     process
    1492    Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description          ioc                                                                                   process
    Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0                       35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
    Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0                       Client.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Client.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid     process
    1356    powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               pid     process
    Token: SeDebugPrivilege   560     35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
    Token: SeDebugPrivilege   1492    Client.exe
    Token: SeDebugPrivilege   1356    powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid     process                                                                  target process
    PID 560 wrote to memory of 1492   560     35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe    Client.exe
    PID 560 wrote to memory of 1492   560     35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe    Client.exe
    PID 560 wrote to memory of 1492   560     35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe    Client.exe
    PID 1492 wrote to memory of 1356  1492    Client.exe                                                               powershell.exe
    PID 1492 wrote to memory of 1356  1492    Client.exe                                                               powershell.exe
    PID 1492 wrote to memory of 1356  1492    Client.exe                                                               powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe"
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\Client.exe
    Command line: "C:\Users\Admin\Documents\Client.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('congradulations you got fuckin hacked','HAHA')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\Documents\Client.exe
  Filesize: 17KB
  MD5: cbebcbc400c95f9e0902c71000a79eec
  SHA1: 9a190e9e398fa7cdf34a8c251f656a671e6ace31
  SHA256: 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5
  SHA512: 1effe5d3a55742f070aade5a5038b36517f0de72ce15cdfa9fff0f8ec5f8505fd44860d49becbe8c75b4752adf12a88e50eaac306e9f57c9a7f39d6b0b53716e