Analysis
- max time kernel: 94s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 14:11
Static task: static1
Behavioral task: behavioral1
- Sample: 00INVN0987.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 00INVN0987.js
- Resource: win10v2004-20220414-en
General
- Target: 00INVN0987.js
- Size: 204KB
- MD5: 3a2a1650aa3f0bdf262b244f636c01c5
- SHA1: a7d61b35c91326e983c7d725b1ed8f49162f4758
- SHA256: 06672589c9c70009f9342ba946bcf8f671b7fc3a1f1031b02442f3d85e0afe94
- SHA512: d05201160c7e3331db834a5d986e93c13506e2f28b431ffc452f4aef47266d0a7b0541dc9178cb974f73c18064d964bda5d6d43ce0f3519e5cc1275c7b03fb3f
Malware Config
Extracted
- Family: revengerat
- Botnet: Guest
- C2: blessed147.ddns.net:8089
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\001.exe | revengerat
  C:\Users\Admin\AppData\Local\Temp\001.exe | revengerat
  C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
  C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
- Executes dropped EXE (2 IoCs)
  Processes: 001.exe, Client.exe
  pid | process
  3128 | 001.exe
  1532 | Client.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: wscript.exe, 001.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 001.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 001.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 001.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | 001.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 001.exe, Client.exe
  description | pid | process
  Token: SeDebugPrivilege | 3128 | 001.exe
  Token: SeDebugPrivilege | 1532 | Client.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe, 001.exe
  description | pid | process | target process
  PID 4080 wrote to memory of 5024 | 4080 | wscript.exe | wscript.exe
  PID 4080 wrote to memory of 5024 | 4080 | wscript.exe | wscript.exe
  PID 4080 wrote to memory of 3128 | 4080 | wscript.exe | 001.exe
  PID 4080 wrote to memory of 3128 | 4080 | wscript.exe | 001.exe
  PID 3128 wrote to memory of 1532 | 3128 | 001.exe | Client.exe
  PID 3128 wrote to memory of 1532 | 3128 | 001.exe | Client.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\00INVN0987.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\myNUstntrH.js"
  - C:\Users\Admin\AppData\Local\Temp\001.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\001.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Client.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\001.exe
  Filesize: 86KB
  MD5: 117fa52c8400ad57e1a32503e7138abc
  SHA1: e6cfae7554a85bf343089ba627688ff122188a9e
  SHA256: e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce
  SHA512: e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23
- C:\Users\Admin\AppData\Roaming\Client.exe
  Filesize: 86KB
  MD5: 117fa52c8400ad57e1a32503e7138abc
  SHA1: e6cfae7554a85bf343089ba627688ff122188a9e
  SHA256: e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce
  SHA512: e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23
- C:\Users\Admin\AppData\Roaming\myNUstntrH.js
  Filesize: 17KB
  MD5: 7fcc69ae32f6a2886980fb92a08bf480
  SHA1: 8cb6feca11b461acef5878e9473dbe62f34aa65f
  SHA256: 89cc7795ed9ad5189dca10a64a89cd3bfd59ed1e6aa17137f45846574e35bdd4
  SHA512: 684d5345e6190948fc9f915beeb040dbb7ac28b6865925fcdc11778f63cfdecd7feddd2e5dad44b0e4b0478943e3d88ce4f04c0f8b382fcdfbe3fef044b73cd3
- memory/1532-136-0x0000000000000000-mapping.dmp
- memory/1532-139-0x00007FF85CA60000-0x00007FF85D496000-memory.dmp
  Filesize: 10.2MB
- memory/3128-132-0x0000000000000000-mapping.dmp
- memory/3128-135-0x00007FF85CA60000-0x00007FF85D496000-memory.dmp
  Filesize: 10.2MB
- memory/5024-130-0x0000000000000000-mapping.dmp