Analysis
- max time kernel: 144s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
  Resource: win10v2004-20220414-en
General
- Target: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
- Size: 3.4MB
- MD5: 7ddaf6c0ccdf99faced8f866a3670206
- SHA1: 08f5844c6413dbcc5d1b765247c93d4c13c97914
- SHA256: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe
- SHA512: 3321c6c6f9982cd179597dfa7b0612b81358b594a7e216a1bfde0dd638d4324a90b9f373f5be9681de9324c363193dd7c5fd565cc57e7766ffe1fb077b4bdf02
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 10 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Server.exe | revengerat
\Users\Admin\AppData\Local\Temp\Server.exe | revengerat
C:\Users\Admin\AppData\Local\Temp\Server.exe | revengerat
C:\Users\Admin\AppData\Local\Temp\Server.exe | revengerat
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | revengerat
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2036 | TempDev.exe
908 | Server.exe
1616 | svchost.exe
-
Drops startup file 6 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | vbc.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid | process
1808 | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
2036 | TempDev.exe
2036 | TempDev.exe
908 | Server.exe
908 | Server.exe
1616 | svchost.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1220 | vlc.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1220 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 908 | Server.exe
Token: 33 | 1956 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1956 | AUDIODG.EXE
Token: 33 | 1956 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1956 | AUDIODG.EXE
Token: 33 | 1220 | vlc.exe
Token: SeIncBasePriorityPrivilege | 1220 | vlc.exe
Token: SeDebugPrivilege | 1616 | svchost.exe
-
Suspicious use of FindShellTrayWindow 24 IoCs
Processes:
pid | process
1220 | vlc.exe (24 identical entries)
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
pid | process
1220 | vlc.exe (5 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1220 | vlc.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description | pid | process | target process
PID 1808 wrote to memory of 2036 | 1808 | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe | TempDev.exe (4 identical entries)
PID 1808 wrote to memory of 1220 | 1808 | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe | vlc.exe (4 identical entries)
PID 2036 wrote to memory of 908 | 2036 | TempDev.exe | Server.exe (4 identical entries)
PID 908 wrote to memory of 1616 | 908 | Server.exe | svchost.exe (4 identical entries)
PID 1616 wrote to memory of 2016 | 1616 | svchost.exe | vbc.exe (4 identical entries)
PID 2016 wrote to memory of 1424 | 2016 | vbc.exe | cvtres.exe (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\TempDev.exe
    Command line: "C:\Users\Admin\AppData\Local\TempDev.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        - Executes dropped EXE
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrxcyggp.cmdline"
          - Drops startup file
          - Suspicious use of WriteProcessMemory
-
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B65.tmp"
-
  C:\Program Files\VideoLAN\VLC\vlc.exe
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Tempskype.mp4"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1d4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\TempDev.exe
Filesize: 191KB
MD5: b077a236e6cb4f710626b9ef56df8e8a
SHA1: ab7b6f4b9af0919f55dfb64a090630c4e7b191fd
SHA256: 65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8
SHA512: 88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400
-
C:\Users\Admin\AppData\Local\Temp\RES2B66.tmp
Filesize: 1KB
MD5: 256a705d396d52ccc273a2c1c5401541
SHA1: eb50fca533e9456ce9a454ee1b2476693b52c49c
SHA256: 8ea81b8b81c94453e545af274794e59fa6d022707bfe24ec71d377731c78d46a
SHA512: 18c6d03b288c1d7127f4741237c2377247fdc6d7bd8cc43f5138e3b52b487283d758ecf6e8f38279243f35e775bfce9f61cca1b9c90f46a413ed5847f8ca806c
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 53KB
MD5: ee2798ed9616f341959ffa8b191c012f
SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
-
C:\Users\Admin\AppData\Local\Temp\mrxcyggp.0.vb
Filesize: 179B
MD5: 89923fa6e5d214f70f33024fbcec55da
SHA1: f3cdb3b25a010fd74381fb7dc2a51fa7381ac168
SHA256: fba87273861c2b2f7b37784013bdf4de9694e303151b46b48a0a8e9b9fe0be0e
SHA512: 54d829ff58eb032612e39e3853516d2a074a1e213485d07242807a01633457560cc57e0860857fb09d14324415924bcfffa82f87464af2857397d9557f4125d8
-
C:\Users\Admin\AppData\Local\Temp\mrxcyggp.cmdline
Filesize: 195B
MD5: 22fa4b4b93ae0109bde60e33b1423144
SHA1: 9394e585492cff79eac445eef487a7785b861036
SHA256: 19e1b20094dd90f4aef5fe83f5cb93b835cda2fa81920253e9aec6dbcbcb45a5
SHA512: 93b41e1cae7639006719f13cc0b4e32083cfc5dde78378d60ef34838d9aa38c9f030539be04d199e66401c9427ed129256d715fa5976b7b2434b2ade6ca4ce34
-
C:\Users\Admin\AppData\Local\Temp\vbc2B65.tmp
Filesize: 644B
MD5: 2a1292826a47da43a7f430c4fd2022ec
SHA1: aa05c2f60651842c7b16a741169945f611c5fc64
SHA256: 5cb8cedbc321cc29521008679cc737965557e4c8f3a787d7679939ffd6c21b5b
SHA512: 4b90c6b158175a7ec812f97f106bf50e9d7a2b7e96f01aa23a3bd4561a6e8e6a43b29914b1bc0b92773e585add738026910cd9df8359d7c0d4be08319dc7636a
-
C:\Users\Admin\AppData\Local\Tempskype.mp4
Filesize: 3.2MB
MD5: c964e27a154347bfd7ec916ab7d3013b
SHA1: f18253fbf190248dbcf27724223252523bf38922
SHA256: ef82ac9c6ea1141b85dfe6ecf24392046f54b505d71da9c4547aeaada5878447
SHA512: b9e17b0243c486d76df0c472126fd201174dbf3cc2f45adfea0c9227493dec6774fdfa8d2018cdd4280a91af934f43ea073b07210ed84dcf84df8b06cd998627
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize: 53KB
MD5: ee2798ed9616f341959ffa8b191c012f
SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize: 53KB
MD5: ee2798ed9616f341959ffa8b191c012f
SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
-
\Users\Admin\AppData\Local\TempDev.exe
Filesize: 191KB
MD5: b077a236e6cb4f710626b9ef56df8e8a
SHA1: ab7b6f4b9af0919f55dfb64a090630c4e7b191fd
SHA256: 65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8
SHA512: 88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400
-
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 53KB
MD5: ee2798ed9616f341959ffa8b191c012f
SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize: 53KB
MD5: ee2798ed9616f341959ffa8b191c012f
SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
-
memory/908-81-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/908-71-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/908-73-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/908-65-0x0000000000000000-mapping.dmp
-
memory/1220-69-0x000007FEFB671000-0x000007FEFB673000-memory.dmp
Filesize: 8KB
-
memory/1220-61-0x0000000000000000-mapping.dmp
-
memory/1424-89-0x0000000000000000-mapping.dmp
-
memory/1616-82-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/1616-83-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/1616-77-0x0000000000000000-mapping.dmp
-
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
Filesize: 8KB
-
memory/1808-62-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/1808-55-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/2016-85-0x0000000000000000-mapping.dmp
-
memory/2036-72-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/2036-74-0x0000000073F50000-0x00000000744FB000-memory.dmp
Filesize: 5.7MB
-
memory/2036-57-0x0000000000000000-mapping.dmp