Analysis
max time kernel: 152s
max time network: 159s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2022 05:01
Static task: static1
Behavioral task: behavioral1
  Sample: 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  Resource: win10v2004-20220812-en
General
Target: 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Size: 161KB
MD5: 6dbf9d23086ddc60c06d51b5cef27c27
SHA1: d2763cebcf65023707fea835015ae230b5bd48cb
SHA256: 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
SHA512: e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830
SSDEEP: 3072:nf/snZ0dRsNedt26sjXkXUpEzFLlYmS2QMN+3j61oXd+RubnMaqPi3:XyZGRsNed1sYXUWxL2mS2n+Tvt+Ebnai
Malware Config
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (7 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1076-60-0x0000000000400000-0x000000000042C000-memory.dmp  revengerat
behavioral1/memory/1076-61-0x0000000000400000-0x000000000042C000-memory.dmp  revengerat
behavioral1/memory/1076-62-0x0000000000400000-0x000000000042C000-memory.dmp  revengerat
behavioral1/memory/1076-63-0x0000000000400000-0x000000000042C000-memory.dmp  revengerat
behavioral1/memory/1076-64-0x0000000000424CEE-mapping.dmp                    revengerat
behavioral1/memory/1076-66-0x0000000000400000-0x000000000042C000-memory.dmp  revengerat
behavioral1/memory/1132-81-0x0000000000424CEE-mapping.dmp                    revengerat
Executes dropped EXE (2 IoCs)
pid   process
1328  Microsoft .Net Framework Servcies.exe
1132  Microsoft .Net Framework Servcies.exe
Loads dropped DLL (1 IoC)
pid   process
1076  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Suspicious use of SetThreadContext (2 IoCs)
description                          pid   process                                             target process
PID 2020 set thread context of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1328 set thread context of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  1076  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Token: SeDebugPrivilege  1132  Microsoft .Net Framework Servcies.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description                      pid   process                                             target process
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076  2020  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1076 wrote to memory of 1328  1076  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  Microsoft .Net Framework Servcies.exe
PID 1076 wrote to memory of 1328  1076  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  Microsoft .Net Framework Servcies.exe
PID 1076 wrote to memory of 1328  1076  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  Microsoft .Net Framework Servcies.exe
PID 1076 wrote to memory of 1328  1076  19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe  Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132  1328  Microsoft .Net Framework Servcies.exe               Microsoft .Net Framework Servcies.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
   "C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
      "C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
         "C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize: 161KB
MD5: 6dbf9d23086ddc60c06d51b5cef27c27
SHA1: d2763cebcf65023707fea835015ae230b5bd48cb
SHA256: 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
SHA512: e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize: 161KB
MD5: 6dbf9d23086ddc60c06d51b5cef27c27
SHA1: d2763cebcf65023707fea835015ae230b5bd48cb
SHA256: 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
SHA512: e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Memory dumps
name                                                           Filesize
memory/1076-63-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1076-61-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1076-62-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1076-60-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1076-64-0x0000000000424CEE-mapping.dmp
memory/1076-66-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1076-58-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1076-57-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/1132-81-0x0000000000424CEE-mapping.dmp
memory/1328-72-0x0000000000E50000-0x0000000000E7E000-memory.dmp  184KB
memory/1328-69-0x0000000000000000-mapping.dmp
memory/2020-54-0x0000000000D60000-0x0000000000D8E000-memory.dmp  184KB
memory/2020-56-0x00000000007F0000-0x000000000081E000-memory.dmp  184KB
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp  8KB