Analysis
- max time kernel: 77s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-09-2022 13:21
Behavioral tasks
- behavioral1: sample c51ddb34c1a0bcd8af4829d8a54c4341.exe, resource win7-20220812-en
- behavioral2: sample c51ddb34c1a0bcd8af4829d8a54c4341.exe, resource win10v2004-20220901-en (the Windows 10 run reported below)
General
- Target: c51ddb34c1a0bcd8af4829d8a54c4341.exe
- Size: 140KB
- MD5: c51ddb34c1a0bcd8af4829d8a54c4341
- SHA1: 84860f90d7c7344a315e9ddc176d8e4a966ad7ad
- SHA256: 880ac454f385019390e07ff3f7e1986ffb806951413d6d3774df9ba57a4fe8af
- SHA512: 924bd3791a353328e7b946b846b02279bb588c6e7f0ba88d9579e320a343f4572d9a773bd92ef520c562e6c5a5e156108b6d865537bdacb01bbe006d64756a17
- SSDEEP: 3072:aMSncRzAO/5XRUAoVFwkIV35QWYBkU+KbRMcP+MQWv:5SncRlBS9VTkYiU+KbR7j
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: 194.5.179.83:4040
- C2: 127.0.0.1:4040 (loopback; present in the config but not a usable network indicator)
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (4 IoCs)
  YARA rule revengerat matched on:
  - C:\Users\Admin\AppData\Local\Temp\WORKER.EXE (2 matches)
  - C:\Users\Admin\AppData\Roaming\svhost.exe (2 matches)
- Executes dropped EXE (4 IoCs)
  - PID 3796: WORKER.EXE
  - PID 552: WORKERORG.EXE
  - PID 1916: svhost.exe
  - PID 3476: 982946.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence. Plenty of legitimate software reads this key too, so on its own it is a weak indicator.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  - by c51ddb34c1a0bcd8af4829d8a54c4341.exe
  - by WORKER.EXE
  - by svhost.exe
- Drops startup file (2 IoCs)
  Persistence through the per-user Startup folder: the copy is launched at every interactive logon of this user without needing a Run key or a scheduled task.
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe by svhost.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe by svhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but nothing else in this report (no mass file writes, no ransom note) corroborates that; treat it as a generic heuristic.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read to detect sandbox environments, since virtual CPUs tend to carry telltale names. As with the locale key, benign software reads it as well.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 by WORKER.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by WORKER.EXE
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 by svhost.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by svhost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 552: WORKERORG.EXE
  - PID 3476: 982946.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Every dropped component enables SeDebugPrivilege, which lets a process open handles to processes whose DACL would otherwise deny it. Together with the process enumeration above this is the usual prelude to injection or credential access, although no write into a process outside the sample's own tree is recorded in this run.
  - Token: SeDebugPrivilege, PID 3796 WORKER.EXE
  - Token: SeDebugPrivilege, PID 552 WORKERORG.EXE
  - Token: SeDebugPrivilege, PID 1916 svhost.exe
  - Token: SeDebugPrivilege, PID 3476 982946.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Every write goes from a parent to a child it has just spawned (see the process tree below). A plain CreateProcess produces the same pattern, so these hits do not by themselves prove injection; what matters is that no write targets a process outside the tree.
  - PID 4296 c51ddb34c1a0bcd8af4829d8a54c4341.exe wrote to PID 3796 WORKER.EXE (2 writes)
  - PID 4296 c51ddb34c1a0bcd8af4829d8a54c4341.exe wrote to PID 552 WORKERORG.EXE (3 writes)
  - PID 3796 WORKER.EXE wrote to PID 1916 svhost.exe (2 writes)
  - PID 1916 svhost.exe wrote to PID 3476 982946.exe (3 writes)
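The signatures above mix indicators of very different quality: a file hash, the C2 endpoint, the mutex and the Startup-folder drop are each conclusive on their own, while the Geo\Nation and CentralProcessor registry reads and SeDebugPrivilege are also produced by ordinary software and only mean something when several of them line up in one process. The following script is an added example (not part of the sandbox report, and not RevengeRAT's or the sandbox's code) that encodes the report's indicators in those two tiers and triages per-process telemetry accordingly. The event schema (a dict with an "event" field plus per-type keys) and the two-weak-hits threshold are assumptions; the sample events are constructed to mirror the process chain in this report and are not captured data. The loopback C2 entry is left out on purpose, since matching on 127.0.0.1:4040 would flag any local service on that port.

```python
"""Correlate host telemetry against the RevengeRAT indicators in the report above.

Added example, not part of the sandbox report. The event schema (a dict with
an "event" field plus per-type keys) is an assumption; map your own EDR or
Sysmon fields onto it before use.
"""
import re
from collections import defaultdict

# Strong indicators, copied from the report: one hit is enough to confirm.
SHA256_TO_NAME = {
    "880ac454f385019390e07ff3f7e1986ffb806951413d6d3774df9ba57a4fe8af": "c51ddb34c1a0bcd8af4829d8a54c4341.exe",
    "94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7": "WORKER.EXE / svhost.exe",
    "38f988f3367ba56bcb20d2f4a7380e349b702e367cc6ef32259eb96d8e069f4e": "WORKERORG.EXE / 982946.exe",
}
# 127.0.0.1:4040 is also in the extracted config, but loopback is not a usable
# network indicator, so it is deliberately left out.
C2_ENDPOINTS = {("194.5.179.83", 4040)}
MUTEX_NAME = "RV_MUTEX"
STARTUP_DROP = re.compile(r"\\Start Menu\\Programs\\Startup\\svhost\.exe$", re.IGNORECASE)

# Weak indicators: legitimate software reads these keys too, so they only
# count in combination (two or more distinct ones in the same process).
GEO_NATION_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
CPU_INFO_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", re.IGNORECASE)


def match_event(ev):
    """Return ("strong" | "weak", label) for one event, or None if nothing matched."""
    kind = ev["event"]
    if kind == "file_create":
        digest = ev.get("sha256", "").lower()
        if digest in SHA256_TO_NAME:
            return ("strong", "known hash: " + SHA256_TO_NAME[digest])
        if STARTUP_DROP.search(ev["path"]):
            return ("strong", "svhost.exe dropped into the Startup folder")
    elif kind == "net_connect":
        if (ev["dst_ip"], int(ev["dst_port"])) in C2_ENDPOINTS:
            return ("strong", "connection to RevengeRAT C2 %s:%s" % (ev["dst_ip"], ev["dst_port"]))
    elif kind == "mutex_create":
        if ev["name"] == MUTEX_NAME:
            return ("strong", "mutex " + MUTEX_NAME)
    elif kind == "reg_query":
        if GEO_NATION_KEY.search(ev["key"]):
            return ("weak", "Geo\\Nation lookup (possible geofence)")
        if CPU_INFO_KEY.search(ev["key"]):
            return ("weak", "CentralProcessor\\0 read (possible sandbox check)")
    elif kind == "privilege" and ev["name"] == "SeDebugPrivilege":
        return ("weak", "SeDebugPrivilege enabled")
    return None


def triage(events):
    """Group hits per PID: confirmed (any strong), suspicious (>=2 distinct weak), weak-only."""
    hits = defaultdict(lambda: {"strong": [], "weak": set()})
    for ev in events:
        m = match_event(ev)
        if m is None:
            continue
        strength, label = m
        if strength == "strong":
            hits[ev["pid"]]["strong"].append(label)
        else:
            hits[ev["pid"]]["weak"].add(label)
    result = {}
    for pid, h in hits.items():
        if h["strong"]:
            verdict = "confirmed"
        elif len(h["weak"]) >= 2:
            verdict = "suspicious"
        else:
            verdict = "weak-only"
        result[pid] = {"verdict": verdict, "strong": h["strong"], "weak": sorted(h["weak"])}
    return result


# Constructed telemetry that mirrors the report's process chain; not captured data.
SID = "S-1-5-21-929662420-1054238289-2961194603-1000"
SAMPLE_EVENTS = [
    {"event": "reg_query", "pid": 4296, "key": "HKU\\%s\\Control Panel\\International\\Geo\\Nation" % SID},
    {"event": "file_create", "pid": 4296, "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\WORKER.EXE",
     "sha256": "94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7"},
    {"event": "reg_query", "pid": 3796, "key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"},
    {"event": "reg_query", "pid": 3796, "key": "HKU\\%s\\Control Panel\\International\\Geo\\Nation" % SID},
    {"event": "privilege", "pid": 3796, "name": "SeDebugPrivilege"},
    {"event": "file_create", "pid": 1916,
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svhost.exe"},
    {"event": "net_connect", "pid": 1916, "dst_ip": "194.5.179.83", "dst_port": 4040},
    {"event": "mutex_create", "pid": 1916, "name": "RV_MUTEX"},
    # An unrelated process that only reads the locale key and talks to loopback:
    # it must not be flagged, which is why the weak tier exists.
    {"event": "reg_query", "pid": 5000, "key": "HKU\\%s\\Control Panel\\International\\Geo\\Nation" % SID},
    {"event": "net_connect", "pid": 5000, "dst_ip": "127.0.0.1", "dst_port": 4040},
]

if __name__ == "__main__":
    for pid, r in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, r["verdict"], r["strong"] + r["weak"])
```

Run against the constructed events, PID 4296 and PID 1916 come out confirmed (known hash, Startup drop, C2 and mutex), PID 3796 is suspicious on three distinct weak hits, and the benign PID 5000 stays weak-only despite reading the same locale key and connecting to 127.0.0.1:4040. The hash tier only catches these exact builds; RevengeRAT is rebuilt per campaign, so the mutex, the Startup-folder path and the C2 endpoint are the indicators that survive a recompile.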
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c51ddb34c1a0bcd8af4829d8a54c4341.exe (PID 4296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c51ddb34c1a0bcd8af4829d8a54c4341.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\WORKER.EXE (PID 3796)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WORKER.EXE"
    Signatures: Executes dropped EXE; Checks computer location settings; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\svhost.exe (PID 1916)
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      Signatures: Executes dropped EXE; Checks computer location settings; Drops startup file; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\982946.exe (PID 3476)
        Command line: "C:\Users\Admin\AppData\Local\Temp\982946.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE (PID 552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Two distinct dropped binaries were recorded. Each appears at two paths with identical hashes, so svhost.exe is a byte-for-byte copy of WORKER.EXE and 982946.exe a copy of WORKERORG.EXE; the original report listed every path twice.
- C:\Users\Admin\AppData\Local\Temp\WORKER.EXE and C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 63KB
  MD5: 6b5c0e29662a332947386b371a337a52
  SHA1: c7bc42ad31263077e59dc8cd85aadd3731c69a77
  SHA256: 94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7
  SHA512: 9beae50ab693a5b525d44fab5e64d6dc86a20ee4d59c32b3470d5bab804151d1af4578e19ee310d4b41ec500909d541a910e316859abc62d5fa29e79e829ff82
- C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE and C:\Users\Admin\AppData\Local\Temp\982946.exe
  Filesize: 24KB
  MD5: f8c68280e2f30157639d5c345da04172
  SHA1: 5ef1f44e41f61d28abc3d08ddb205dc77f763cfb
  SHA256: 38f988f3367ba56bcb20d2f4a7380e349b702e367cc6ef32259eb96d8e069f4e
  SHA512: 087887dbcb2af5cc9547b4cac4d1a6f79d0c128a1ea5028df044e66d77c3c41a07313e4d804d10bbeda20d47da8cf9739e240fda3b82cc7bd03cabc6855d219b
Memory dumps (by PID). The 10.2MB region at 0x00007FF98E0D0000-0x00007FF98EB06000 is present in both PID 3796 (WORKER.EXE) and PID 1916 (svhost.exe), consistent with the two being the same binary.
- memory/552-135-0x0000000000000000-mapping.dmp
- memory/552-138-0x0000000000040000-0x000000000004C000-memory.dmp (48KB)
- memory/552-140-0x0000000005010000-0x00000000055B4000-memory.dmp (5.6MB)
- memory/552-141-0x0000000004A60000-0x0000000004AF2000-memory.dmp (584KB)
- memory/552-142-0x0000000004A10000-0x0000000004A1A000-memory.dmp (40KB)
- memory/1916-143-0x0000000000000000-mapping.dmp
- memory/1916-146-0x00007FF98E0D0000-0x00007FF98EB06000-memory.dmp (10.2MB)
- memory/3476-147-0x0000000000000000-mapping.dmp
- memory/3796-132-0x0000000000000000-mapping.dmp
- memory/3796-139-0x00007FF98E0D0000-0x00007FF98EB06000-memory.dmp (10.2MB)