Analysis
max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
submitted: 17-07-2022 16:42
Behavioral task behavioral1: sample b2qE.exe, resource win7-20220715-en (the run described on this page)
Behavioral task behavioral2: sample b2qE.exe, resource win10v2004-20220414-en
General
Target: b2qE.exe
Size: 17KB
MD5: 3efae209d698fc477f958bd0f9d0a9d3
SHA1: 466a722b0a262abb4f6fb08132814573cd5cdab5
SHA256: dd203194d0ea8460ac3173e861737a77fa684e5334503867e91a70acc7f73195
SHA512: c28bcabffb4b88c7e0f4e7a5a8da75abd8294f68ed04f67f47928608dbd9050e54591ea9f97a5a94f4076a9373792978dc09b6b10092d0d3a2093df11b612b4f
Malware Config
Extracted
Family: revengerat
ID: Airport
C2: 69.87.219.76:4040
Mutex: RV_MUTEX
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable (1 IoC)
resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Saberdll
yara_rule: revengerat
-
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Saberdll (process: b2qE.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Saberdll (process: b2qE.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but it is a generic heuristic: this sample is classified as RevengeRAT, a remote-access trojan, and nothing else in this report indicates file encryption. Treat it as drive enumeration by a RAT, not as evidence of ransomware.
-
Modifies registry class (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (process: rundll32.exe)
Key created: \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000_Classes\Local Settings (process: rundll32.exe)
Caveat: these MuiCache keys under the user's Classes hive are written by the shell's Open With dialog, which is what rundll32.exe is running here (shell32.dll,OpenAs_RunDLL). They are a side effect of that dialog, not a persistence mechanism.
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege enabled by PID 1972 (b2qE.exe)
-
Suspicious use of SetWindowsHookEx (3 IoCs)
PID 944 (AcroRd32.exe), three calls.
Caveat: AcroRd32.exe is Adobe Reader, launched by the Open With dialog to display the dropped file; the hook installation is Reader's own behaviour rather than the RAT's.
-
Suspicious use of WriteProcessMemory (7 IoCs)
PID 1972 (b2qE.exe) wrote to memory of PID 1504 (rundll32.exe): 3 writes
PID 1504 (rundll32.exe) wrote to memory of PID 944 (AcroRd32.exe): 4 writes
Caveat: in both cases the writer is the parent and the target is the child it just created, which is consistent with ordinary process creation rather than code injection. On its own this signature is low confidence.
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2qE.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b2qE.exe"
   - Drops startup file
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (child of 1)
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Saberdll
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of 2)
         command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Saberdll"
         - Suspicious use of SetWindowsHookEx

Reading the tree: b2qE.exe copies itself into the user's Startup folder as Saberdll and then apparently asks the shell to open that copy. Because Saberdll has no file extension, the shell has no registered handler and falls back to the Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL); on this sandbox image the dialog handed the file to Adobe Reader 9.0, which is why AcroRd32.exe appears. AcroRd32.exe is an artifact of the missing extension, not a component the RAT deliberately runs. The durable indicators are the Startup-folder drop, the SeDebugPrivilege request by a binary running from %TEMP%, and the C2 in the extracted config.
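The persistence and launch chain above, expressed as hunt rules: this is an added example, not Triage output and not the report's own tooling. It runs three checks over constructed events modelled on this report's IoCs (Startup-folder self-copy matching the sample hash, SeDebugPrivilege enabled by a %TEMP% binary, rundll32 OpenAs_RunDLL on a Startup-folder file and the handler it spawned). The event schema and field names (type, pid, ppid, image, cmdline, path, sha256, privilege) are assumptions.

```python
"""Hunt rules for the RevengeRAT behaviour in this report, run over constructed events.

Added example, not sandbox output. The EVENTS list mirrors the report's process tree,
token change and file drop; the record schema is assumed for illustration.
"""
import re
from typing import Dict, List

# Per-user Startup folder: anything written here runs at the next interactive logon.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

SAMPLE_SHA256 = "dd203194d0ea8460ac3173e861737a77fa684e5334503867e91a70acc7f73195"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\b2qE.exe"
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\Saberdll")
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"
ACRORD32 = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

# Constructed events (schema assumed) reproducing the report's IoCs.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 1972, "ppid": 1, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "token_privilege", "pid": 1972, "privilege": "SeDebugPrivilege"},
    {"type": "file_create", "pid": 1972, "path": STARTUP_COPY, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 1504, "ppid": 1972, "image": RUNDLL32,
     "cmdline": f'"{RUNDLL32}" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL {STARTUP_COPY}'},
    {"type": "process_create", "pid": 944, "ppid": 1504, "image": ACRORD32,
     "cmdline": f'"{ACRORD32}" "{STARTUP_COPY}"'},
]


def _procs(events: List[Dict]) -> Dict[int, Dict]:
    """Index process_create events by pid."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def startup_self_copies(events: List[Dict], sample_sha256: str = SAMPLE_SHA256) -> List[str]:
    """Files dropped into a Startup folder whose hash equals the submitted sample."""
    return [e["path"] for e in events
            if e["type"] == "file_create" and STARTUP_RE.search(e["path"])
            and e.get("sha256") == sample_sha256]


def temp_debug_privilege(events: List[Dict]) -> List[str]:
    """Images running from the user's %TEMP% that enabled SeDebugPrivilege."""
    procs = _procs(events)
    return [procs[e["pid"]]["image"] for e in events
            if e["type"] == "token_privilege" and e["privilege"] == "SeDebugPrivilege"
            and e["pid"] in procs and USER_TEMP_RE.search(procs[e["pid"]]["image"])]


def openas_launch_chains(events: List[Dict]) -> List[Dict]:
    """rundll32 shell32.dll,OpenAs_RunDLL aimed at a Startup-folder file.

    Returns the parent that launched it, the rundll32 pid, and whatever handler
    processes the Open With dialog spawned (AcroRd32.exe in this report).
    """
    procs = _procs(events)
    chains = []
    for p in procs.values():
        cmd = p["cmdline"].lower()
        if not (p["image"].lower().endswith("\\rundll32.exe")
                and "openas_rundll" in cmd and STARTUP_RE.search(p["cmdline"])):
            continue
        parent = procs.get(p["ppid"], {}).get("image")
        handlers = [c["image"] for c in procs.values() if c["ppid"] == p["pid"]]
        chains.append({"parent": parent, "rundll32_pid": p["pid"], "handlers": handlers})
    return chains


def triage(events: List[Dict], sample_sha256: str = SAMPLE_SHA256) -> Dict:
    """Aggregate the three checks; a Startup self-copy alone is enough to call persistence."""
    findings = {
        "startup_self_copy": startup_self_copies(events, sample_sha256),
        "temp_debug_privilege": temp_debug_privilege(events),
        "openas_launch_chain": openas_launch_chains(events),
    }
    findings["persistence"] = bool(findings["startup_self_copy"])
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(f"{name}: {value}")
```

The hash comparison is what separates a self-copy from a legitimate installer placing a shortcut in Startup; the OpenAs rule is deliberately narrow (rundll32 plus OpenAs_RunDLL plus a Startup path) because the Open With dialog is common on its own.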
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Saberdll (17KB)
MD5: 3efae209d698fc477f958bd0f9d0a9d3
SHA1: 466a722b0a262abb4f6fb08132814573cd5cdab5
SHA256: dd203194d0ea8460ac3173e861737a77fa684e5334503867e91a70acc7f73195
SHA512: c28bcabffb4b88c7e0f4e7a5a8da75abd8294f68ed04f67f47928608dbd9050e54591ea9f97a5a94f4076a9373792978dc09b6b10092d0d3a2093df11b612b4f
Size and all four hashes are identical to the submitted b2qE.exe: the dropped Startup file is a byte-for-byte copy of the sample, so one hash set covers both artifacts.

memory/944-60-0x0000000000000000-mapping.dmp
memory/944-61-0x0000000074F71000-0x0000000074F73000-memory.dmp (8KB)
memory/1504-57-0x0000000000000000-mapping.dmp
memory/1972-54-0x000007FEF37C0000-0x000007FEF41E3000-memory.dmp (10.1MB)
memory/1972-55-0x000007FEF1FE0000-0x000007FEF3076000-memory.dmp (16.6MB)
memory/1972-56-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp (8KB)