Analysis
  max time kernel:   82s
  max time network:  154s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         06-09-2022 13:21
Behavioral task behavioral1
  Sample:    c51ddb34c1a0bcd8af4829d8a54c4341.exe
  Resource:  win7-20220812-en
Behavioral task behavioral2
  Sample:    c51ddb34c1a0bcd8af4829d8a54c4341.exe
  Resource:  win10v2004-20220812-en
General
  Target:  c51ddb34c1a0bcd8af4829d8a54c4341.exe
  Size:    140KB
  MD5:     c51ddb34c1a0bcd8af4829d8a54c4341
  SHA1:    84860f90d7c7344a315e9ddc176d8e4a966ad7ad
  SHA256:  880ac454f385019390e07ff3f7e1986ffb806951413d6d3774df9ba57a4fe8af
  SHA512:  924bd3791a353328e7b946b846b02279bb588c6e7f0ba88d9579e320a343f4572d9a773bd92ef520c562e6c5a5e156108b6d865537bdacb01bbe006d64756a17
  SSDEEP:  3072:aMSncRzAO/5XRUAoVFwkIV35QWYBkU+KbRMcP+MQWv:5SncRlBS9VTkYiU+KbR7j
Malware Config
  Extracted: revengerat
    Guest
    194.5.179.83:4040
    127.0.0.1:4040
    RV_MUTEX
Signatures

  RevengeRAT
    Remote-access trojan with a wide range of capabilities.

  RevengeRat Executable (5 IoCs)
    resource                                       yara_rule
    \Users\Admin\AppData\Local\Temp\WORKER.EXE     revengerat
    C:\Users\Admin\AppData\Local\Temp\WORKER.EXE   revengerat
    C:\Users\Admin\AppData\Local\Temp\WORKER.EXE   revengerat
    C:\Users\Admin\AppData\Roaming\svhost.exe      revengerat
    C:\Users\Admin\AppData\Roaming\svhost.exe      revengerat

  Executes dropped EXE (4 IoCs)
    pid   process
    1860  WORKER.EXE
    1956  WORKERORG.EXE
    360   svhost.exe
    1664  982946.exe

  Drops startup file (2 IoCs)
    description                   ioc                                                                                     process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe  svhost.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe  svhost.exe

  Loads dropped DLL (2 IoCs)
    pid   process
    1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe
    1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Checks processor information in registry (2 TTPs, 4 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WORKER.EXE
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0                      svhost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svhost.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0                      WORKER.EXE

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   process
    1956  WORKERORG.EXE
    1664  982946.exe

  Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description              pid   process
    Token: SeDebugPrivilege  1860  WORKER.EXE
    Token: SeDebugPrivilege  1956  WORKERORG.EXE
    Token: SeDebugPrivilege  360   svhost.exe
    Token: SeDebugPrivilege  1664  982946.exe

  Suspicious use of WriteProcessMemory (15 IoCs)
    description                     pid   process                               target pid  target process
    PID 1184 wrote to memory of 1860  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1860        WORKER.EXE
    PID 1184 wrote to memory of 1860  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1860        WORKER.EXE
    PID 1184 wrote to memory of 1860  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1860        WORKER.EXE
    PID 1184 wrote to memory of 1860  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1860        WORKER.EXE
    PID 1184 wrote to memory of 1956  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1956        WORKERORG.EXE
    PID 1184 wrote to memory of 1956  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1956        WORKERORG.EXE
    PID 1184 wrote to memory of 1956  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1956        WORKERORG.EXE
    PID 1184 wrote to memory of 1956  1184  c51ddb34c1a0bcd8af4829d8a54c4341.exe  1956        WORKERORG.EXE
    PID 1860 wrote to memory of 360   1860  WORKER.EXE                            360         svhost.exe
    PID 1860 wrote to memory of 360   1860  WORKER.EXE                            360         svhost.exe
    PID 1860 wrote to memory of 360   1860  WORKER.EXE                            360         svhost.exe
    PID 360 wrote to memory of 1664   360   svhost.exe                            1664        982946.exe
    PID 360 wrote to memory of 1664   360   svhost.exe                            1664        982946.exe
    PID 360 wrote to memory of 1664   360   svhost.exe                            1664        982946.exe
    PID 360 wrote to memory of 1664   360   svhost.exe                            1664        982946.exe
Processes (tree, depth shown by indentation)

  [1] C:\Users\Admin\AppData\Local\Temp\c51ddb34c1a0bcd8af4829d8a54c4341.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c51ddb34c1a0bcd8af4829d8a54c4341.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\WORKER.EXE
          Command line: "C:\Users\Admin\AppData\Local\Temp\WORKER.EXE"
            - Executes dropped EXE
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [3] C:\Users\Admin\AppData\Roaming\svhost.exe
              Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
                - Executes dropped EXE
                - Drops startup file
                - Checks processor information in registry
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

              [4] C:\Users\Admin\AppData\Local\Temp\982946.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\982946.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

      [2] C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE
          Command line: "C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files; repeated entries for the same path collapsed)

  C:\Users\Admin\AppData\Local\Temp\982946.exe
    Filesize:  24KB
    MD5:       f8c68280e2f30157639d5c345da04172
    SHA1:      5ef1f44e41f61d28abc3d08ddb205dc77f763cfb
    SHA256:    38f988f3367ba56bcb20d2f4a7380e349b702e367cc6ef32259eb96d8e069f4e
    SHA512:    087887dbcb2af5cc9547b4cac4d1a6f79d0c128a1ea5028df044e66d77c3c41a07313e4d804d10bbeda20d47da8cf9739e240fda3b82cc7bd03cabc6855d219b

  C:\Users\Admin\AppData\Local\Temp\WORKER.EXE
    Filesize:  63KB
    MD5:       6b5c0e29662a332947386b371a337a52
    SHA1:      c7bc42ad31263077e59dc8cd85aadd3731c69a77
    SHA256:    94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7
    SHA512:    9beae50ab693a5b525d44fab5e64d6dc86a20ee4d59c32b3470d5bab804151d1af4578e19ee310d4b41ec500909d541a910e316859abc62d5fa29e79e829ff82

  C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE
    Filesize:  24KB
    MD5:       f8c68280e2f30157639d5c345da04172
    SHA1:      5ef1f44e41f61d28abc3d08ddb205dc77f763cfb
    SHA256:    38f988f3367ba56bcb20d2f4a7380e349b702e367cc6ef32259eb96d8e069f4e
    SHA512:    087887dbcb2af5cc9547b4cac4d1a6f79d0c128a1ea5028df044e66d77c3c41a07313e4d804d10bbeda20d47da8cf9739e240fda3b82cc7bd03cabc6855d219b

  C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize:  63KB
    MD5:       6b5c0e29662a332947386b371a337a52
    SHA1:      c7bc42ad31263077e59dc8cd85aadd3731c69a77
    SHA256:    94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7
    SHA512:    9beae50ab693a5b525d44fab5e64d6dc86a20ee4d59c32b3470d5bab804151d1af4578e19ee310d4b41ec500909d541a910e316859abc62d5fa29e79e829ff82

  \Users\Admin\AppData\Local\Temp\WORKER.EXE
    Filesize:  63KB
    MD5:       6b5c0e29662a332947386b371a337a52
    SHA1:      c7bc42ad31263077e59dc8cd85aadd3731c69a77
    SHA256:    94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7
    SHA512:    9beae50ab693a5b525d44fab5e64d6dc86a20ee4d59c32b3470d5bab804151d1af4578e19ee310d4b41ec500909d541a910e316859abc62d5fa29e79e829ff82

  \Users\Admin\AppData\Local\Temp\WORKERORG.EXE
    Filesize:  24KB
    MD5:       f8c68280e2f30157639d5c345da04172
    SHA1:      5ef1f44e41f61d28abc3d08ddb205dc77f763cfb
    SHA256:    38f988f3367ba56bcb20d2f4a7380e349b702e367cc6ef32259eb96d8e069f4e
    SHA512:    087887dbcb2af5cc9547b4cac4d1a6f79d0c128a1ea5028df044e66d77c3c41a07313e4d804d10bbeda20d47da8cf9739e240fda3b82cc7bd03cabc6855d219b
Memory dumps (pid-id, region, size)

  memory/360-70-0x0000000000000000-mapping.dmp
  memory/360-73-0x000007FEF4B60000-0x000007FEF5583000-memory.dmp       Filesize: 10.1MB
  memory/360-74-0x000007FEED730000-0x000007FEEE7C6000-memory.dmp       Filesize: 16.6MB
  memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp      Filesize: 8KB
  memory/1664-81-0x00000000043A5000-0x00000000043B6000-memory.dmp      Filesize: 68KB
  memory/1664-79-0x0000000000C00000-0x0000000000C0C000-memory.dmp      Filesize: 48KB
  memory/1664-76-0x0000000000000000-mapping.dmp
  memory/1860-64-0x000007FEF2940000-0x000007FEF39D6000-memory.dmp      Filesize: 16.6MB
  memory/1860-69-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp      Filesize: 8KB
  memory/1860-63-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp      Filesize: 10.1MB
  memory/1860-56-0x0000000000000000-mapping.dmp
  memory/1956-60-0x0000000000000000-mapping.dmp
  memory/1956-68-0x0000000004B35000-0x0000000004B46000-memory.dmp      Filesize: 68KB
  memory/1956-67-0x0000000004B35000-0x0000000004B46000-memory.dmp      Filesize: 68KB
  memory/1956-65-0x0000000000AF0000-0x0000000000AFC000-memory.dmp      Filesize: 48KB