Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 16:03

Static task: static1

Behavioral task: behavioral1
- Sample: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
- Resource: win10v2004-20220414-en
General
- Target: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
- Size: 3.4MB
- MD5: 7ddaf6c0ccdf99faced8f866a3670206
- SHA1: 08f5844c6413dbcc5d1b765247c93d4c13c97914
- SHA256: 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe
- SHA512: 3321c6c6f9982cd179597dfa7b0612b81358b594a7e216a1bfde0dd638d4324a90b9f373f5be9681de9324c363193dd7c5fd565cc57e7766ffe1fb077b4bdf02
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (5 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\Server.exe | revengerat
    C:\Users\Admin\AppData\Local\Temp\Server.exe | revengerat
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | revengerat
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    1468 | TempDev.exe
    4808 | Server.exe
    2212 | svchost.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | TempDev.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Server.exe
- Drops startup file (6 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
    4544 | vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    4544 | vlc.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4808 | Server.exe
    Token: 33 | 5008 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 5008 | AUDIODG.EXE
    Token: 33 | 4544 | vlc.exe
    Token: SeIncBasePriorityPrivilege | 4544 | vlc.exe
    Token: SeDebugPrivilege | 2212 | svchost.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid | process):
    4544 | vlc.exe (25 occurrences)
- Suspicious use of SendNotifyMessage (8 IoCs)
  Processes (pid | process):
    4544 | vlc.exe (8 occurrences)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | process):
    4544 | vlc.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
    PID 4232 wrote to memory of 1468 | 4232 | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe | TempDev.exe (3 occurrences)
    PID 4232 wrote to memory of 4544 | 4232 | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe | vlc.exe (2 occurrences)
    PID 1468 wrote to memory of 4808 | 1468 | TempDev.exe | Server.exe (3 occurrences)
    PID 4808 wrote to memory of 2212 | 4808 | Server.exe | svchost.exe (3 occurrences)
    PID 2212 wrote to memory of 2276 | 2212 | svchost.exe | vbc.exe (3 occurrences)
    PID 2276 wrote to memory of 1932 | 2276 | vbc.exe | cvtres.exe (3 occurrences)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\TempDev.exe
    Command line: "C:\Users\Admin\AppData\Local\TempDev.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s69wevbx.cmdline"
          Signatures: Drops startup file; Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD36D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc149E929A6614E71B653BC319BE550E9.TMP"
  - [depth 2] C:\Program Files\VideoLAN\VLC\vlc.exe
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Tempskype.mp4"
    Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- [depth 1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x450 0x328
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\TempDev.exe
  Filesize: 191KB
  MD5: b077a236e6cb4f710626b9ef56df8e8a
  SHA1: ab7b6f4b9af0919f55dfb64a090630c4e7b191fd
  SHA256: 65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8
  SHA512: 88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400
- C:\Users\Admin\AppData\Local\Temp\RESD36D.tmp
  Filesize: 1KB
  MD5: 3b3ab957ac7416711836ffa8d660239a
  SHA1: ee20fed5e6a7b92659cca051cbab96cfbdcc9d7a
  SHA256: e13dbc388a28e7a904df00db2570c2a3627602dea860c89b668663f79840a318
  SHA512: 6029a490dcfa0679d5ec9fbb965dbdfa8c1a97525fadefbc87c0932710fed46144403a9eea0ba0085f804ee6f8e219365f808aca9d4fb6dd72227ffe26531f24
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 53KB
  MD5: ee2798ed9616f341959ffa8b191c012f
  SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
  SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
  SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
- C:\Users\Admin\AppData\Local\Temp\s69wevbx.0.vb
  Filesize: 179B
  MD5: 89923fa6e5d214f70f33024fbcec55da
  SHA1: f3cdb3b25a010fd74381fb7dc2a51fa7381ac168
  SHA256: fba87273861c2b2f7b37784013bdf4de9694e303151b46b48a0a8e9b9fe0be0e
  SHA512: 54d829ff58eb032612e39e3853516d2a074a1e213485d07242807a01633457560cc57e0860857fb09d14324415924bcfffa82f87464af2857397d9557f4125d8
- C:\Users\Admin\AppData\Local\Temp\s69wevbx.cmdline
  Filesize: 195B
  MD5: 7d6f714cdee4c68c9085f626ad515fae
  SHA1: 7f4328aded9400f56c372eaeb2f1c9693ea64ccc
  SHA256: 2731b32d363b39fca78c30793aa557cc9f3e53aaf40bea6aaa64cc070bfce16a
  SHA512: 47c75dc511f5a3ddac528c52e166eaf067b92c75f7032ee890a9e85d271320260eefd82d1ae63801bb5c692d5e499e785b45c812a4eb8c920245c3bd8687ceb9
- C:\Users\Admin\AppData\Local\Temp\vbc149E929A6614E71B653BC319BE550E9.TMP
  Filesize: 644B
  MD5: 2a1292826a47da43a7f430c4fd2022ec
  SHA1: aa05c2f60651842c7b16a741169945f611c5fc64
  SHA256: 5cb8cedbc321cc29521008679cc737965557e4c8f3a787d7679939ffd6c21b5b
  SHA512: 4b90c6b158175a7ec812f97f106bf50e9d7a2b7e96f01aa23a3bd4561a6e8e6a43b29914b1bc0b92773e585add738026910cd9df8359d7c0d4be08319dc7636a
- C:\Users\Admin\AppData\Local\Tempskype.mp4
  Filesize: 3.2MB
  MD5: c964e27a154347bfd7ec916ab7d3013b
  SHA1: f18253fbf190248dbcf27724223252523bf38922
  SHA256: ef82ac9c6ea1141b85dfe6ecf24392046f54b505d71da9c4547aeaada5878447
  SHA512: b9e17b0243c486d76df0c472126fd201174dbf3cc2f45adfea0c9227493dec6774fdfa8d2018cdd4280a91af934f43ea073b07210ed84dcf84df8b06cd998627
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Filesize: 53KB
  MD5: ee2798ed9616f341959ffa8b191c012f
  SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
  SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
  SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  Filesize: 53KB
  MD5: ee2798ed9616f341959ffa8b191c012f
  SHA1: 060ee139042e6e45e5faf38c826e8ae019d785a2
  SHA256: f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4
  SHA512: ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6
- memory/1468-142-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/1468-131-0x0000000000000000-mapping.dmp
- memory/1468-140-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/1932-154-0x0000000000000000-mapping.dmp
- memory/2212-144-0x0000000000000000-mapping.dmp
- memory/2212-148-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/2212-149-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/2276-150-0x0000000000000000-mapping.dmp
- memory/4232-135-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/4232-130-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/4544-134-0x0000000000000000-mapping.dmp
- memory/4808-141-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/4808-137-0x0000000000000000-mapping.dmp
- memory/4808-147-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB
- memory/4808-143-0x00000000747F0000-0x0000000074DA1000-memory.dmp
  Filesize: 5.7MB