Analysis
-
max time kernel
159s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 04:31
Static task
static1
Behavioral task
behavioral1
Sample
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Resource
win10v2004-20220414-en
General
-
Target
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
-
Size
193KB
-
MD5
b6c3692bfbd98dcc39a6347fa9f4fb69
-
SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046
-
SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
-
SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7
Malware Config
Extracted
revengerat
bobo2019
hushbob123.hopto.org:4951
hushbob12301.hopto.org:4951
hushbob12302.hopto.org:4951
hushbob12303.hopto.org:4951
RV_MUTEX-XyMpzZJHOwDt
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2632-141-0x0000000000400000-0x0000000000408000-memory.dmp revengerat -
Executes dropped EXE 3 IoCs
Processes:
app.exeapp.exeClient.exepid process 1696 app.exe 2632 app.exe 3376 Client.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exeapp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation app.exe -
Drops startup file 1 IoCs
Processes:
app.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk app.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
app.exedescription pid process target process PID 1696 set thread context of 2632 1696 app.exe app.exe -
Drops file in Program Files directory 2 IoCs
Processes:
cmd.exedescription ioc process File created C:\Program Files (x86)\app.exe cmd.exe File opened for modification C:\Program Files (x86)\app.exe cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exeapp.exeapp.exeClient.exedescription pid process Token: SeDebugPrivilege 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe Token: 33 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe Token: SeIncBasePriorityPrivilege 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe Token: SeDebugPrivilege 1696 app.exe Token: 33 1696 app.exe Token: SeIncBasePriorityPrivilege 1696 app.exe Token: SeDebugPrivilege 2632 app.exe Token: SeDebugPrivilege 3376 Client.exe Token: 33 3376 Client.exe Token: SeIncBasePriorityPrivilege 3376 Client.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.execmd.exeapp.exeapp.exedescription pid process target process PID 3080 wrote to memory of 736 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe cmd.exe PID 3080 wrote to memory of 736 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe cmd.exe PID 3080 wrote to memory of 736 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe cmd.exe PID 3080 wrote to memory of 952 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe cmd.exe PID 3080 wrote to memory of 952 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe cmd.exe PID 3080 wrote to memory of 952 3080 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe cmd.exe PID 952 wrote to memory of 1696 952 cmd.exe app.exe PID 952 wrote to memory of 1696 952 cmd.exe app.exe PID 952 wrote to memory of 1696 952 cmd.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 1696 wrote to memory of 2632 1696 app.exe app.exe PID 2632 wrote to memory of 3376 2632 app.exe Client.exe PID 2632 wrote to memory of 3376 2632 app.exe Client.exe PID 2632 wrote to memory of 3376 2632 app.exe Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe"C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe" "C:\Program Files (x86)\app.exe"2⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Program Files (x86)\app.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\app.exe"C:\Program Files (x86)\app.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\app.exe"C:\Program Files (x86)\app.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\app.exeFilesize
193KB
MD5b6c3692bfbd98dcc39a6347fa9f4fb69
SHA123c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA2563ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA5120c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7
-
C:\Program Files (x86)\app.exeFilesize
193KB
MD5b6c3692bfbd98dcc39a6347fa9f4fb69
SHA123c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA2563ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA5120c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7
-
C:\Program Files (x86)\app.exeFilesize
193KB
MD5b6c3692bfbd98dcc39a6347fa9f4fb69
SHA123c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA2563ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA5120c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\app.exe.logFilesize
706B
MD5f8bcaf312de8591707436c1dcebba8e4
SHA1a1269828e5f644601622f4a7a611aec8f2eda0b2
SHA256f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29
SHA5123a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413
-
C:\Users\Admin\AppData\Roaming\Client.exeFilesize
193KB
MD5b6c3692bfbd98dcc39a6347fa9f4fb69
SHA123c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA2563ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA5120c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7
-
C:\Users\Admin\AppData\Roaming\Client.exeFilesize
193KB
MD5b6c3692bfbd98dcc39a6347fa9f4fb69
SHA123c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA2563ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA5120c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7
-
memory/736-134-0x0000000000000000-mapping.dmp
-
memory/952-135-0x0000000000000000-mapping.dmp
-
memory/1696-139-0x0000000006B50000-0x0000000006BEC000-memory.dmpFilesize
624KB
-
memory/1696-136-0x0000000000000000-mapping.dmp
-
memory/2632-140-0x0000000000000000-mapping.dmp
-
memory/2632-141-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2632-144-0x0000000005700000-0x0000000005766000-memory.dmpFilesize
408KB
-
memory/3080-131-0x00000000000C0000-0x00000000000F6000-memory.dmpFilesize
216KB
-
memory/3080-133-0x0000000004B50000-0x0000000004BE2000-memory.dmpFilesize
584KB
-
memory/3080-132-0x0000000005240000-0x00000000057E4000-memory.dmpFilesize
5.6MB
-
memory/3376-145-0x0000000000000000-mapping.dmp