Analysis
- max time kernel: 155s
- max time network: 181s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 08:24

Static task: static1

Behavioral task: behavioral1
- Sample: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
- Resource: win10v2004-20220414-en
General
- Target: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
- Size: 18KB
- MD5: 1a506f45ee5eb2764fdf980f0fbaf7ca
- SHA1: 6dd081bb7b55540bcf9896c6cfbf037d73f03f4a
- SHA256: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08
- SHA512: ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c
Malware Config
Extracted
- Family: revengerat
- Botnet: Anoy
- C2: anoy.zapto.org:1155
- Mutex: RV_MUTEX-rClgZblRvZwfR
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable (2 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe, revengerat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe, revengerat
-
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 2024, system32.exe
-
Drops startup file (3 IoCs)
Processes (description, ioc, process):
- File opened for modification, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe, system32.exe
- File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe, vbc.exe
- File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe, system32.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str), \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\system32.exe", system32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1312, 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
- Token: SeDebugPrivilege, 2024, system32.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
- PID 1312 wrote to memory of 2024, 1312, 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe, system32.exe
- PID 1312 wrote to memory of 2024, 1312, 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe, system32.exe
- PID 1312 wrote to memory of 2024, 1312, 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe, system32.exe
- PID 2024 wrote to memory of 1212, 2024, system32.exe, vbc.exe
- PID 2024 wrote to memory of 1212, 2024, system32.exe, vbc.exe
- PID 2024 wrote to memory of 1212, 2024, system32.exe, vbc.exe
- PID 1212 wrote to memory of 1976, 1212, vbc.exe, cvtres.exe
- PID 1212 wrote to memory of 1976, 1212, vbc.exe, cvtres.exe
- PID 1212 wrote to memory of 1976, 1212, vbc.exe, cvtres.exe
Processes (process tree; depth shown by indentation)
-
Level 1: C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    Level 3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqsph-kn.cmdline"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    -
      Level 4: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A0F.tmp"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES9A10.tmp
Filesize: 1KB
MD5: 0bd46d394fc418cdf44cd94b72985088
SHA1: 43e719dfe278ddf8af5490a68650aad80c5964b6
SHA256: a0ee30323306630bf4743f37a04333be18e4de6b247eab9e7c89c67f6ed37616
SHA512: 0aeadd71fcfc7ba1ae48bc97eed5757fc9524e7079d9bbf2dc827706787f4102c0663a4f9bf6eb20e7d2b2eaac289abb0762ee42e78842720b92bb57deb9bb40
-
C:\Users\Admin\AppData\Local\Temp\tqsph-kn.0.vb
Filesize: 182B
MD5: 2c2cd51aa85ac5c56fa326d885f41520
SHA1: 3c675df52e0836d8531053668937387d94c7051c
SHA256: 94ad5cc78e8cfc502d7cb7f082e72c12f7c69416d109892e5816301b3b754955
SHA512: dbd93e01925807ebf94ded675685d67e40de1f3c588b50a530fbde32bd60d5fccd418bb49a7317668e0213cb4b5948a47cfe63fe2c72cccb851b97c738b3a988
-
C:\Users\Admin\AppData\Local\Temp\tqsph-kn.cmdline
Filesize: 196B
MD5: 76a2ad81af685d9c55241773ea762870
SHA1: 9efaf779309bdc54e541ba1982962079038a710f
SHA256: 21bb4ebf1d5cb1958ade5776922ebf78ae6d840530f29c4aaafca8c49792e266
SHA512: 9ecf14a4f8d0ad67fcec5d71f182946141d93191ff97636565c3938df641a5df82e48b9ddd1d77d87d88f10b7a825fad23990c795178b40f549208707a13db6d
-
C:\Users\Admin\AppData\Local\Temp\vbc9A0F.tmp
Filesize: 652B
MD5: da45d35e63147566a22cf668e5e13d6f
SHA1: 7b2294553e7fedee456a28019cc38c979285e45f
SHA256: baa46bfc2bc81152df6239fb25f534f861d3868526e7970300d418d9c6fd8c0c
SHA512: 882b0a33daafe5c14cb809233b62237403ca2894ce256ad75dfaabfa1e556ef86768b3877d3cd22f684486ca103aa3de2d2b2288f426a8bb2a87388317ac8cc7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
Filesize: 18KB
MD5: 1a506f45ee5eb2764fdf980f0fbaf7ca
SHA1: 6dd081bb7b55540bcf9896c6cfbf037d73f03f4a
SHA256: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08
SHA512: ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c