Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 03:51
Behavioral task: behavioral1
- Sample: 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
- Resource: win10v2004-20220721-en
General
- Target: 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
- Size: 53KB
- MD5: b585af67793f866a758b533870daee47
- SHA1: e202f5897b60fabc23e4400cf4929be84f8607ae
- SHA256: 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0
- SHA512: 0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 5 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | revengerat
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | revengerat
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1360 | svchost.exe
1476 | svchost.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\svchost.exe" | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
Token: SeDebugPrivilege | 1360 | svchost.exe
Token: SeDebugPrivilege | 1476 | svchost.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1896 wrote to memory of 1360 | 1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe | svchost.exe
PID 1896 wrote to memory of 1360 | 1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe | svchost.exe
PID 1896 wrote to memory of 1360 | 1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe | svchost.exe
PID 1896 wrote to memory of 1360 | 1896 | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe | svchost.exe
PID 1360 wrote to memory of 652 | 1360 | svchost.exe | schtasks.exe
PID 1360 wrote to memory of 652 | 1360 | svchost.exe | schtasks.exe
PID 1360 wrote to memory of 652 | 1360 | svchost.exe | schtasks.exe
PID 1360 wrote to memory of 652 | 1360 | svchost.exe | schtasks.exe
PID 920 wrote to memory of 1476 | 920 | taskeng.exe | svchost.exe
PID 920 wrote to memory of 1476 | 920 | taskeng.exe | svchost.exe
PID 920 wrote to memory of 1476 | 920 | taskeng.exe | svchost.exe
PID 920 wrote to memory of 1476 | 920 | taskeng.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Network Menager" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"
      - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {27724153-D0B3-47EC-A5BE-CDD8DB361040} S-1-5-21-3440072777-2118400376-1759599358-1000:NKWDSIWE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize: 53KB
MD5: b585af67793f866a758b533870daee47
SHA1: e202f5897b60fabc23e4400cf4929be84f8607ae
SHA256: 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0
SHA512: 0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1
-
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize: 53KB
MD5: b585af67793f866a758b533870daee47
SHA1: e202f5897b60fabc23e4400cf4929be84f8607ae
SHA256: 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0
SHA512: 0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1
-
memory/652-66-0x0000000000000000-mapping.dmp
-
memory/1360-59-0x0000000000000000-mapping.dmp
-
memory/1360-64-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB
-
memory/1360-65-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB
-
memory/1476-67-0x0000000000000000-mapping.dmp
-
memory/1476-71-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB
-
memory/1476-70-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB
-
memory/1896-56-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB
-
memory/1896-54-0x00000000762A1000-0x00000000762A3000-memory.dmp
Filesize: 8KB
-
memory/1896-55-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB
-
memory/1896-63-0x0000000074F70000-0x000000007551B000-memory.dmp
Filesize: 5.7MB