revengerat | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914

General

Target

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
Size

474KB
MD5

29949b137d1cedcce284cd603b3c9a21
SHA1

004bd05389be80be22120457351a02212d93e69c
SHA256

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914
SHA512

93f24a3d3b2cedbcb7dd492d1eaf2b22cd4ad3fabcab6ebcf2e82f5e0318f376d61a0b9578aa3a6bfa0d428e691d7b2f34e72a78964061c3f5b4ceb420143936

Score

10^/10

revengerat guest persistence trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

MTg1LjE2MS4yMDkuNDg=:Njc2Nw==

Mutex

Random

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Executes dropped EXE 1 IoCs

Processes:

WindowsUpdata.exe

pid process

5084 WindowsUpdata.exe

pid	process
5084	WindowsUpdata.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Drops startup file 2 IoCs

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe"	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	pid	process	target process
PID 540 set thread context of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

pid	process
540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description pid process

Token: SeDebugPrivilege 540 ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	pid	process
Token: SeDebugPrivilege	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exeed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe

description	pid	process	target process
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 540 wrote to memory of 3468	540	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
PID 3468 wrote to memory of 5084	3468	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	WindowsUpdata.exe
PID 3468 wrote to memory of 5084	3468	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	WindowsUpdata.exe
PID 3468 wrote to memory of 5084	3468	ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe	WindowsUpdata.exe

C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
"C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe"
3⤵
- Executes dropped EXE
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe.log
Filesize
418B

MD5
1439db7996c841101009567fdc3f956a

SHA1
746414426c3c0aa5912cd1602951f5a980d09bc8

SHA256
e7bbc9d040c7ea8f121033625bb66c3d86823246793833298d3e70bd4327bf6d

SHA512
f68a97425091cdcd0fd1d617c3a0d91908b0b39ff9a156fa802598582f3368bd0df624163fc2cbbd0851d88c342c690e9cc1decd80e7023337debb61cf11eea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe
Filesize
474KB

MD5
29949b137d1cedcce284cd603b3c9a21

SHA1
004bd05389be80be22120457351a02212d93e69c

SHA256
ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914

SHA512
93f24a3d3b2cedbcb7dd492d1eaf2b22cd4ad3fabcab6ebcf2e82f5e0318f376d61a0b9578aa3a6bfa0d428e691d7b2f34e72a78964061c3f5b4ceb420143936

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe
Filesize
474KB

MD5
29949b137d1cedcce284cd603b3c9a21

SHA1
004bd05389be80be22120457351a02212d93e69c

SHA256
ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914

SHA512
93f24a3d3b2cedbcb7dd492d1eaf2b22cd4ad3fabcab6ebcf2e82f5e0318f376d61a0b9578aa3a6bfa0d428e691d7b2f34e72a78964061c3f5b4ceb420143936

Download Submit
memory/540-130-0x00000000004F0000-0x000000000056C000-memory.dmp

Filesize
496KB

Download
memory/540-131-0x0000000005180000-0x000000000521C000-memory.dmp

Filesize
624KB

Download
memory/540-132-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/3468-133-0x0000000000000000-mapping.dmp

Download
memory/3468-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3468-135-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/5084-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads