Analysis
- max time kernel: 156s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 13:55

Static task: static1
Behavioral task: behavioral1
  Sample: ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
  Resource: win10v2004-20220414-en
General
- Target: ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Size: 474KB
- MD5: 29949b137d1cedcce284cd603b3c9a21
- SHA1: 004bd05389be80be22120457351a02212d93e69c
- SHA256: ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914
- SHA512: 93f24a3d3b2cedbcb7dd492d1eaf2b22cd4ad3fabcab6ebcf2e82f5e0318f376d61a0b9578aa3a6bfa0d428e691d7b2f34e72a78964061c3f5b4ceb420143936
Malware Config
Extracted
revengerat
Guest
MTg1LjE2MS4yMDkuNDg=:Njc2Nw==
Random
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    5084 | WindowsUpdata.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe" | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 540 set thread context of 3468 | 540 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    540 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
    540 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 540 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 540 wrote to memory of 3468 | 540 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe (8 identical entries)
    PID 3468 wrote to memory of 5084 | 3468 | ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe | WindowsUpdata.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe (child process)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914.exe.log
  Filesize: 418B
  MD5: 1439db7996c841101009567fdc3f956a
  SHA1: 746414426c3c0aa5912cd1602951f5a980d09bc8
  SHA256: e7bbc9d040c7ea8f121033625bb66c3d86823246793833298d3e70bd4327bf6d
  SHA512: f68a97425091cdcd0fd1d617c3a0d91908b0b39ff9a156fa802598582f3368bd0df624163fc2cbbd0851d88c342c690e9cc1decd80e7023337debb61cf11eea9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdata.exe
  Filesize: 474KB
  MD5: 29949b137d1cedcce284cd603b3c9a21
  SHA1: 004bd05389be80be22120457351a02212d93e69c
  SHA256: ed50a7dd6b0cb92ea190a8a08511c540a63da514747d0169be3b49ebb6d97914
  SHA512: 93f24a3d3b2cedbcb7dd492d1eaf2b22cd4ad3fabcab6ebcf2e82f5e0318f376d61a0b9578aa3a6bfa0d428e691d7b2f34e72a78964061c3f5b4ceb420143936
- memory/540-130-0x00000000004F0000-0x000000000056C000-memory.dmp
  Filesize: 496KB
- memory/540-131-0x0000000005180000-0x000000000521C000-memory.dmp
  Filesize: 624KB
- memory/540-132-0x00000000059D0000-0x0000000005F74000-memory.dmp
  Filesize: 5.6MB
- memory/3468-133-0x0000000000000000-mapping.dmp
- memory/3468-134-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/3468-135-0x00000000052E0000-0x0000000005346000-memory.dmp
  Filesize: 408KB
- memory/5084-136-0x0000000000000000-mapping.dmp