Analysis
-
max time kernel
90s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 22:56
Static task
static1
Behavioral task
behavioral1
Sample
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
Resource
win10v2004-20220414-en
General
-
Target
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe
-
Size
17KB
-
MD5
cbebcbc400c95f9e0902c71000a79eec
-
SHA1
9a190e9e398fa7cdf34a8c251f656a671e6ace31
-
SHA256
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5
-
SHA512
1effe5d3a55742f070aade5a5038b36517f0de72ce15cdfa9fff0f8ec5f8505fd44860d49becbe8c75b4752adf12a88e50eaac306e9f57c9a7f39d6b0b53716e
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:17455
RV_MUTEX-bWSTUKIWwiej
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\Documents\Client.exe revengerat C:\Users\Admin\Documents\Client.exe revengerat -
Executes dropped EXE 1 IoCs
Processes:
Client.exepid process 4176 Client.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Client.exe35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Client.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4356 powershell.exe 4356 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exeClient.exepowershell.exedescription pid process Token: SeDebugPrivilege 3484 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe Token: SeDebugPrivilege 4176 Client.exe Token: SeDebugPrivilege 4356 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exeClient.exedescription pid process target process PID 3484 wrote to memory of 4176 3484 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe Client.exe PID 3484 wrote to memory of 4176 3484 35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe Client.exe PID 4176 wrote to memory of 4356 4176 Client.exe powershell.exe PID 4176 wrote to memory of 4356 4176 Client.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe"C:\Users\Admin\AppData\Local\Temp\35bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Client.exe"C:\Users\Admin\Documents\Client.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('congradulations you got fuckin hacked','HAHA')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\Client.exeFilesize
17KB
MD5cbebcbc400c95f9e0902c71000a79eec
SHA19a190e9e398fa7cdf34a8c251f656a671e6ace31
SHA25635bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5
SHA5121effe5d3a55742f070aade5a5038b36517f0de72ce15cdfa9fff0f8ec5f8505fd44860d49becbe8c75b4752adf12a88e50eaac306e9f57c9a7f39d6b0b53716e
-
C:\Users\Admin\Documents\Client.exeFilesize
17KB
MD5cbebcbc400c95f9e0902c71000a79eec
SHA19a190e9e398fa7cdf34a8c251f656a671e6ace31
SHA25635bf683f6d7cde1df919c3a5e3e23f9c972e051e31f491c6bf87d19ec30de9f5
SHA5121effe5d3a55742f070aade5a5038b36517f0de72ce15cdfa9fff0f8ec5f8505fd44860d49becbe8c75b4752adf12a88e50eaac306e9f57c9a7f39d6b0b53716e
-
memory/4176-130-0x0000000000000000-mapping.dmp
-
memory/4356-133-0x0000000000000000-mapping.dmp
-
memory/4356-134-0x0000012879870000-0x0000012879892000-memory.dmpFilesize
136KB
-
memory/4356-135-0x0000012878C40000-0x0000012879701000-memory.dmpFilesize
10.8MB