Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
  Resource: win10v2004-20220414-en
General
- Target: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
- Size: 18KB
- MD5: 1a506f45ee5eb2764fdf980f0fbaf7ca
- SHA1: 6dd081bb7b55540bcf9896c6cfbf037d73f03f4a
- SHA256: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08
- SHA512: ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c
Malware Config
Extracted
- Family: revengerat
- Anoy
- C2: anoy.zapto.org:1155
- Mutex: RV_MUTEX-rClgZblRvZwfR
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe | revengerat
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe | revengerat
- Executes dropped EXE (1 IoCs)
  pid | process
  368 | system32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
- Drops startup file (3 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | system32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | system32.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\system32.exe" | system32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4972 | 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
  Token: SeDebugPrivilege | 368 | system32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 4972 wrote to memory of 368 | 4972 | 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe | system32.exe
  PID 4972 wrote to memory of 368 | 4972 | 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe | system32.exe
  PID 368 wrote to memory of 1940 | 368 | system32.exe | vbc.exe
  PID 368 wrote to memory of 1940 | 368 | system32.exe | vbc.exe
  PID 1940 wrote to memory of 2524 | 1940 | vbc.exe | cvtres.exe
  PID 1940 wrote to memory of 2524 | 1940 | vbc.exe | cvtres.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b4wutgih.cmdline"
         - Drops startup file
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE59C59C1A6D94C11BAF1A5BD32416037.TMP"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp
  Filesize: 1KB
  MD5: 847e1bad422191d6e2a0310ec5ca4215
  SHA1: 90ffbf6a16285729595ed9581115651a7cb2ab89
  SHA256: 0e13d361db1767aa74477e3c82949f275470de9a9d192ba700c3a0b33431cdb1
  SHA512: baa4fd215e1130fa574dc4c519371bf7d96aa55fb95fcc9e553cbf79ed4d4ed3c60e95c35178e91332d973b7e71f6741c73df35ce2e06a05597ea34cf33e757f
- C:\Users\Admin\AppData\Local\Temp\b4wutgih.0.vb
  Filesize: 182B
  MD5: 2c2cd51aa85ac5c56fa326d885f41520
  SHA1: 3c675df52e0836d8531053668937387d94c7051c
  SHA256: 94ad5cc78e8cfc502d7cb7f082e72c12f7c69416d109892e5816301b3b754955
  SHA512: dbd93e01925807ebf94ded675685d67e40de1f3c588b50a530fbde32bd60d5fccd418bb49a7317668e0213cb4b5948a47cfe63fe2c72cccb851b97c738b3a988
- C:\Users\Admin\AppData\Local\Temp\b4wutgih.cmdline
  Filesize: 196B
  MD5: 495cd9cfa3d17cf52096e4080d9260e6
  SHA1: a456bded897cceaffbf12e442a4dfb87fc57f0a0
  SHA256: 46785fc0d8fd8554011b8ca2bf5f72b779e9abc46285f95cc438baad65612ba5
  SHA512: 895d4bfda9bcfb18514c0961edf9a2c0ca8609a0948610d641777b49e0792b59e678470d37b30b5c3d7b544bd6836fd75911354308b5fdab940e0d548298c451
- C:\Users\Admin\AppData\Local\Temp\vbcE59C59C1A6D94C11BAF1A5BD32416037.TMP
  Filesize: 652B
  MD5: da45d35e63147566a22cf668e5e13d6f
  SHA1: 7b2294553e7fedee456a28019cc38c979285e45f
  SHA256: baa46bfc2bc81152df6239fb25f534f861d3868526e7970300d418d9c6fd8c0c
  SHA512: 882b0a33daafe5c14cb809233b62237403ca2894ce256ad75dfaabfa1e556ef86768b3877d3cd22f684486ca103aa3de2d2b2288f426a8bb2a87388317ac8cc7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
  Filesize: 18KB
  MD5: 1a506f45ee5eb2764fdf980f0fbaf7ca
  SHA1: 6dd081bb7b55540bcf9896c6cfbf037d73f03f4a
  SHA256: 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08
  SHA512: ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c
- memory/368-131-0x0000000000000000-mapping.dmp
- memory/368-134-0x00007FFE2D420000-0x00007FFE2DE56000-memory.dmp
  Filesize: 10.2MB
- memory/1940-135-0x0000000000000000-mapping.dmp
- memory/2524-138-0x0000000000000000-mapping.dmp
- memory/4972-130-0x00007FFE2D420000-0x00007FFE2DE56000-memory.dmp
  Filesize: 10.2MB