Analysis
-
max time kernel
126s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
19-07-2022 23:26
Static task
static1
Behavioral task
behavioral1
Sample
microsoft.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
microsoft.exe
Resource
win10v2004-20220718-en
General
-
Target
microsoft.exe
-
Size
410KB
-
MD5
0c2c9f346c5c3d6ece9f0bd3241a356f
-
SHA1
4df27264caaea246eab651d618ad8e554cf1ad6e
-
SHA256
4a08fa0e9d46964ee88efa05ac7aec0a2889b8b7094fbb3834102423b1915593
-
SHA512
6fc7a2ae524184178a93fa729192b194ff387447f341153ea1ed840075b6c58ec1b3792fc0d9ba1e9426a4029c9a0ea920ed0673e2908c9d5bb803cedbd65263
Malware Config
Extracted
revengerat
@-NOVOS HOTEIS-@
cdtoriginal.ddns.net:1166
office365update.duckdns.org:1166
SoftwareRemovalToolwINDOWS
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1632-55-0x0000000000360000-0x000000000036A000-memory.dmp revengerat -
Drops startup file 1 IoCs
Processes:
microsoft.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftwareLicensingProductWindows.lnk microsoft.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
microsoft.exedescription pid process Token: SeDebugPrivilege 1632 microsoft.exe