Analysis

  • max time kernel
    78s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 14:19

General

  • Target

    0x000a0000000122da-58.exe

  • Size

    86KB

  • MD5

    117fa52c8400ad57e1a32503e7138abc

  • SHA1

    e6cfae7554a85bf343089ba627688ff122188a9e

  • SHA256

    e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

  • SHA512

    e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000a0000000122da-58.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000a0000000122da-58.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5esxkt-.cmdline"
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4980.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4970.tmp"
          4⤵
            PID:740

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES4980.tmp

      Filesize

      1KB

      MD5

      bf16bebfc07e9fefe78e14755ba6a175

      SHA1

      f506956e6ff6a8ebaa5beef746c807a124b2ccef

      SHA256

      7be0ad327a5b8d6493a55597b61a1530ace316b83d18d99a2b6c0e099bb2474e

      SHA512

      17adaa2f89be2919ad22b412907f0542448a7f344a0de72d48190b167bb3e1b669dfe4ef2e565b4978b19f87c20d40b9b2605026f7d2eed5e4394e420d30b499

    • C:\Users\Admin\AppData\Local\Temp\v5esxkt-.0.vb

      Filesize

      150B

      MD5

      1b4fb5e3edf737cc570101af098b8b8b

      SHA1

      697dbfdbc070868122e4d909e3115547c82ff5ed

      SHA256

      d667f032a9538d08f05f8ac3c53d791251bc709ce6ea2ad2b8d2dbff9e3dff31

      SHA512

      c85eab737e23aa984a6d18035ec122ef711d54b405efb1476f5226c3f140cb5c208543f8111d13747ca563926cc244e6ec0f8b5593b1ca75bc2e07bb6aa7f387

    • C:\Users\Admin\AppData\Local\Temp\v5esxkt-.cmdline

      Filesize

      194B

      MD5

      d97b582ab70b313114a9566639e399a4

      SHA1

      5d8d377846481db4f030884fb239dc5dc6ebd16e

      SHA256

      fcba2231d3a3dac7a8133d4cb612db03fb63481a6ea32da944a46d89120418a0

      SHA512

      4ac6fdbde3bb7008b4ff823c4bcc819117debe58048b877f1ff2779433b33cebdd8f5e34786171de92e5a082a06a041b1d85776d05d6936ee839fa76d7a9efe6

    • C:\Users\Admin\AppData\Local\Temp\vbc4970.tmp

      Filesize

      644B

      MD5

      23c5f6c5bb4e5de59ec5aa884ea098d3

      SHA1

      7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

      SHA256

      7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

      SHA512

      bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

    • C:\Users\Admin\AppData\Roaming\Client.exe

      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

    • C:\Users\Admin\AppData\Roaming\Client.exe

      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe

      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

    • memory/268-57-0x0000000000000000-mapping.dmp

    • memory/268-61-0x000007FEF21D0000-0x000007FEF3266000-memory.dmp

      Filesize

      16.6MB

    • memory/268-60-0x000007FEF4600000-0x000007FEF5023000-memory.dmp

      Filesize

      10.1MB

    • memory/740-67-0x0000000000000000-mapping.dmp

    • memory/776-54-0x000007FEF3720000-0x000007FEF4143000-memory.dmp

      Filesize

      10.1MB

    • memory/776-56-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

      Filesize

      8KB

    • memory/776-55-0x000007FEF2680000-0x000007FEF3716000-memory.dmp

      Filesize

      16.6MB

    • memory/1800-63-0x0000000000000000-mapping.dmp