Analysis
max time kernel: 131s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 05:01
Static task: static1
Behavioral task: behavioral1
  Sample: 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  Resource: win10v2004-20220812-en
General
Target: 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Size: 161KB
MD5: 6dbf9d23086ddc60c06d51b5cef27c27
SHA1: d2763cebcf65023707fea835015ae230b5bd48cb
SHA256: 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
SHA512: e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830
SSDEEP: 3072:nf/snZ0dRsNedt26sjXkXUpEzFLlYmS2QMN+3j61oXd+RubnMaqPi3:XyZGRsNed1sYXUWxL2mS2n+Tvt+Ebnai
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.

- RevengeRat Executable (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3048-141-0x0000000000400000-0x000000000042C000-memory.dmp | revengerat
  behavioral2/memory/3048-143-0x0000000000400000-0x000000000042C000-memory.dmp | revengerat

- Executes dropped EXE (1 IoC)
  pid | process
  2620 | Microsoft .Net Framework Servcies.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1944 set thread context of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  Token: SeDebugPrivilege | 3048 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 1944 wrote to memory of 4492 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 4492 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 4492 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 4056 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 4056 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 4056 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 1944 wrote to memory of 3048 | 1944 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  PID 3048 wrote to memory of 2620 | 3048 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | Microsoft .Net Framework Servcies.exe
  PID 3048 wrote to memory of 2620 | 3048 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | Microsoft .Net Framework Servcies.exe
  PID 3048 wrote to memory of 2620 | 3048 | 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe | Microsoft .Net Framework Servcies.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
  - [level 2] C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
  - [level 2] C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe.log
  Filesize: 1KB
  MD5: b5291f3dcf2c13784e09a057f2e43d13
  SHA1: fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
  SHA256: ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
  SHA512: 11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

- C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
  Filesize: 161KB
  MD5: 6dbf9d23086ddc60c06d51b5cef27c27
  SHA1: d2763cebcf65023707fea835015ae230b5bd48cb
  SHA256: 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
  SHA512: e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830
  (hashes identical to the submitted sample; the dropped file is a copy of it)

- memory/1944-133-0x00000000050C0000-0x0000000005664000-memory.dmp
  Filesize: 5.6MB

- memory/1944-134-0x0000000004BF0000-0x0000000004C82000-memory.dmp
  Filesize: 584KB

- memory/1944-135-0x0000000004E10000-0x0000000004E1A000-memory.dmp
  Filesize: 40KB

- memory/1944-136-0x00000000056F0000-0x0000000005766000-memory.dmp
  Filesize: 472KB

- memory/1944-137-0x0000000005090000-0x00000000050AE000-memory.dmp
  Filesize: 120KB

- memory/1944-132-0x0000000000210000-0x000000000023E000-memory.dmp
  Filesize: 184KB

- memory/2620-146-0x0000000000000000-mapping.dmp

- memory/3048-140-0x0000000000000000-mapping.dmp

- memory/3048-144-0x00000000056B0000-0x000000000574C000-memory.dmp
  Filesize: 624KB

- memory/3048-145-0x0000000005750000-0x00000000057B6000-memory.dmp
  Filesize: 408KB

- memory/3048-143-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB

- memory/3048-141-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB

- memory/4056-139-0x0000000000000000-mapping.dmp

- memory/4492-138-0x0000000000000000-mapping.dmp