Analysis
max time kernel: 91s
max time network: 173s
platform: windows7_x64
resource: win7-20220414-en
submitted: 12-06-2022 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: 00INVN0987.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 00INVN0987.js
  Resource: win10v2004-20220414-en
General
Target: 00INVN0987.js
Size: 204KB
MD5: 3a2a1650aa3f0bdf262b244f636c01c5
SHA1: a7d61b35c91326e983c7d725b1ed8f49162f4758
SHA256: 06672589c9c70009f9342ba946bcf8f671b7fc3a1f1031b02442f3d85e0afe94
SHA512: d05201160c7e3331db834a5d986e93c13506e2f28b431ffc452f4aef47266d0a7b0541dc9178cb974f73c18064d964bda5d6d43ce0f3519e5cc1275c7b03fb3f
Malware Config
Extracted
Family: revengerat
ID: Guest
C2: blessed147.ddns.net:8089
Mutex: RV_MUTEX
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (5 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\001.exe | revengerat
C:\Users\Admin\AppData\Local\Temp\001.exe | revengerat
C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | revengerat
Executes dropped EXE (2 IoCs)
Processes: 001.exe, Client.exe
pid | process
956 | 001.exe
760 | Client.exe
Drops startup file (7 IoCs)
Processes: Client.exe, vbc.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js | Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | Client.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL | Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | vbc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
Uses the VBS compiler for execution (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 001.exe, Client.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | 001.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 001.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | Client.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Client.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 001.exe, Client.exe
description | pid | process
Token: SeDebugPrivilege | 956 | 001.exe
Token: SeDebugPrivilege | 760 | Client.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: wscript.exe, 001.exe, Client.exe, vbc.exe
description | pid | process | target process
PID 1364 wrote to memory of 1316 | 1364 | wscript.exe | wscript.exe
PID 1364 wrote to memory of 1316 | 1364 | wscript.exe | wscript.exe
PID 1364 wrote to memory of 1316 | 1364 | wscript.exe | wscript.exe
PID 1364 wrote to memory of 956 | 1364 | wscript.exe | 001.exe
PID 1364 wrote to memory of 956 | 1364 | wscript.exe | 001.exe
PID 1364 wrote to memory of 956 | 1364 | wscript.exe | 001.exe
PID 956 wrote to memory of 760 | 956 | 001.exe | Client.exe
PID 956 wrote to memory of 760 | 956 | 001.exe | Client.exe
PID 956 wrote to memory of 760 | 956 | 001.exe | Client.exe
PID 760 wrote to memory of 1512 | 760 | Client.exe | vbc.exe
PID 760 wrote to memory of 1512 | 760 | Client.exe | vbc.exe
PID 760 wrote to memory of 1512 | 760 | Client.exe | vbc.exe
PID 1512 wrote to memory of 1680 | 1512 | vbc.exe | cvtres.exe
PID 1512 wrote to memory of 1680 | 1512 | vbc.exe | cvtres.exe
PID 1512 wrote to memory of 1680 | 1512 | vbc.exe | cvtres.exe
Processes (process tree; the number in brackets is the nesting depth)

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\00INVN0987.js
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\wscript.exe
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\myNUstntrH.js"

    [2] C:\Users\Admin\AppData\Local\Temp\001.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\001.exe"
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Client.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
            - Executes dropped EXE
            - Drops startup file
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eosahawn.cmdline"
                - Drops startup file
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACE3.tmp"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads