Analysis
- max time kernel: 140s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-09-2022 13:21
Behavioral task behavioral1
- Sample: c51ddb34c1a0bcd8af4829d8a54c4341.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: c51ddb34c1a0bcd8af4829d8a54c4341.exe
- Resource: win10v2004-20220812-en
General
- Target: c51ddb34c1a0bcd8af4829d8a54c4341.exe
- Size: 140KB
- MD5: c51ddb34c1a0bcd8af4829d8a54c4341
- SHA1: 84860f90d7c7344a315e9ddc176d8e4a966ad7ad
- SHA256: 880ac454f385019390e07ff3f7e1986ffb806951413d6d3774df9ba57a4fe8af
- SHA512: 924bd3791a353328e7b946b846b02279bb588c6e7f0ba88d9579e320a343f4572d9a773bd92ef520c562e6c5a5e156108b6d865537bdacb01bbe006d64756a17
- SSDEEP: 3072:aMSncRzAO/5XRUAoVFwkIV35QWYBkU+KbRMcP+MQWv:5SncRlBS9VTkYiU+KbR7j
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: 194.5.179.83:4040, 127.0.0.1:4040
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\WORKER.EXE | revengerat
  C:\Users\Admin\AppData\Local\Temp\WORKER.EXE | revengerat
  C:\Users\Admin\AppData\Roaming\svhost.exe | revengerat
  C:\Users\Admin\AppData\Roaming\svhost.exe | revengerat
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  3016 | WORKER.EXE
  1904 | WORKERORG.EXE
  4164 | svhost.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | c51ddb34c1a0bcd8af4829d8a54c4341.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WORKER.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | WORKER.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WORKER.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  1904 | WORKERORG.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3016 | WORKER.EXE
  Token: SeDebugPrivilege | 1904 | WORKERORG.EXE
  Token: SeDebugPrivilege | 4164 | svhost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 1740 wrote to memory of 3016 | 1740 | c51ddb34c1a0bcd8af4829d8a54c4341.exe | WORKER.EXE
  PID 1740 wrote to memory of 3016 | 1740 | c51ddb34c1a0bcd8af4829d8a54c4341.exe | WORKER.EXE
  PID 1740 wrote to memory of 1904 | 1740 | c51ddb34c1a0bcd8af4829d8a54c4341.exe | WORKERORG.EXE
  PID 1740 wrote to memory of 1904 | 1740 | c51ddb34c1a0bcd8af4829d8a54c4341.exe | WORKERORG.EXE
  PID 1740 wrote to memory of 1904 | 1740 | c51ddb34c1a0bcd8af4829d8a54c4341.exe | WORKERORG.EXE
  PID 3016 wrote to memory of 4164 | 3016 | WORKER.EXE | svhost.exe
  PID 3016 wrote to memory of 4164 | 3016 | WORKER.EXE | svhost.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\c51ddb34c1a0bcd8af4829d8a54c4341.exe (PID 1740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c51ddb34c1a0bcd8af4829d8a54c4341.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\WORKER.EXE (PID 3016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WORKER.EXE"
    Signatures: Executes dropped EXE; Checks computer location settings; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\svhost.exe (PID 4164)
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE (PID 1904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WORKER.EXE
  Filesize: 63KB
  MD5: 6b5c0e29662a332947386b371a337a52
  SHA1: c7bc42ad31263077e59dc8cd85aadd3731c69a77
  SHA256: 94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7
  SHA512: 9beae50ab693a5b525d44fab5e64d6dc86a20ee4d59c32b3470d5bab804151d1af4578e19ee310d4b41ec500909d541a910e316859abc62d5fa29e79e829ff82
- C:\Users\Admin\AppData\Local\Temp\WORKERORG.EXE
  Filesize: 24KB
  MD5: f8c68280e2f30157639d5c345da04172
  SHA1: 5ef1f44e41f61d28abc3d08ddb205dc77f763cfb
  SHA256: 38f988f3367ba56bcb20d2f4a7380e349b702e367cc6ef32259eb96d8e069f4e
  SHA512: 087887dbcb2af5cc9547b4cac4d1a6f79d0c128a1ea5028df044e66d77c3c41a07313e4d804d10bbeda20d47da8cf9739e240fda3b82cc7bd03cabc6855d219b
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 63KB
  MD5: 6b5c0e29662a332947386b371a337a52
  SHA1: c7bc42ad31263077e59dc8cd85aadd3731c69a77
  SHA256: 94151f693fab777c75599728098c54d63aa1e9fb646aabe0d2c0e7270dfc56f7
  SHA512: 9beae50ab693a5b525d44fab5e64d6dc86a20ee4d59c32b3470d5bab804151d1af4578e19ee310d4b41ec500909d541a910e316859abc62d5fa29e79e829ff82
- memory/1904-138-0x0000000000A10000-0x0000000000A1C000-memory.dmp
  Filesize: 48KB
- memory/1904-139-0x00000000059C0000-0x0000000005F64000-memory.dmp
  Filesize: 5.6MB
- memory/1904-140-0x0000000005410000-0x00000000054A2000-memory.dmp
  Filesize: 584KB
- memory/1904-142-0x00000000053C0000-0x00000000053CA000-memory.dmp
  Filesize: 40KB
- memory/1904-135-0x0000000000000000-mapping.dmp
- memory/3016-141-0x00007FFFEC890000-0x00007FFFED2C6000-memory.dmp
  Filesize: 10.2MB
- memory/3016-132-0x0000000000000000-mapping.dmp
- memory/4164-143-0x0000000000000000-mapping.dmp
- memory/4164-146-0x00007FFFEC890000-0x00007FFFED2C6000-memory.dmp
  Filesize: 10.2MB