Analysis
max time kernel: 135s
max time network: 149s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-07-2022 07:59
Static task: static1
Behavioral task: behavioral1
  Sample: 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe
  Resource: win10v2004-20220414-en
General
Target: 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe
Size: 17KB
MD5: 3e2021ca808317e1eb7c2e0a0c8ae009
SHA1: 713c6d2139f0f0a00b911d2b3ac2a5cdda08995b
SHA256: 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2
SHA512: 73e64d3adf64310ee56d4c2774cc318fae633e1cb3f80df15436a37c4a8185ab881a3906ec99c360f8a8fa3e8341c06898f26233ffe6462eb708947bc8ef9371
Malware Config
Extracted
Family: revengerat
ID: Guest
C2: dnstext.publicvm.com:111
Mutex: RV_MUTEX-DxjEexVoqqNL
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\C.exe | revengerat
  C:\Users\Admin\AppData\Local\Temp\C.exe | revengerat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1672 | C.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1672 | C.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2024 wrote to memory of 1672 | 2024 | 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe | C.exe
  PID 2024 wrote to memory of 1672 | 2024 | 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe | C.exe
  PID 2024 wrote to memory of 1672 | 2024 | 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe | C.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\C.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\C.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\C.exe
  Filesize: 16KB
  MD5: 076830ba20c76c34a86002ca274eb7e1
  SHA1: 01ff5288ac557d5f05941f407d59ccec137c2b50
  SHA256: bdd3be1ad38415332fff82064cf84f0753662939481b358c815fe40334a5c5cc
  SHA512: 700d48de064b08288d49abefb34145b9ccab2518cae4f879e47c9749bf928f8409d049260259cf25c356bb769bd1d9954880d02cc9a279c57c230fa72f80ebf8
- memory/1672-56-0x0000000000000000-mapping.dmp
- memory/1672-59-0x000007FEF4FD0000-0x000007FEF59F3000-memory.dmp
  Filesize: 10.1MB
- memory/1672-60-0x000007FEF3410000-0x000007FEF44A6000-memory.dmp
  Filesize: 16.6MB
- memory/2024-54-0x00000000013B0000-0x00000000013BA000-memory.dmp
  Filesize: 40KB
- memory/2024-55-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
  Filesize: 8KB