Analysis
- max time kernel: 90s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2022 03:18
Static task: static1
Behavioral task: behavioral1
- Sample: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Resource: win10v2004-20220812-en
General
- Target: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Size: 419KB
- MD5: 36199d74da34290f87be389bb6bb9515
- SHA1: 7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff
- SHA256: 393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490
- SHA512: 7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f
- SSDEEP: 12288:p051XAB4MzIbYyOrCKuBBPcn/txkAWQEho:p+1XAB4wIbfJlcn1xkjh
Malware Config
Extracted
- Family: revengerat
- C2: alice2019.myftp.biz:7575
- Other extracted strings (field labels not preserved on this page): NyanCatRevenge, a4765021d3
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Windows security bypass
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe = "0"
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
-
Windows security modification
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe = "0"
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_0xHM2sbehave = "C:\\Program Files\\Common Files\\System\\_0xHSei3ure3\\svchost.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_0xHM2sbehave = "C:\\Program Files\\Common Files\\System\\_0xHSei3ure3\\svchost.exe"
-
Suspicious use of SetThreadContext (1 IoC)
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- PID 3960 (393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe) set thread context of PID 2676 (393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe)
-
Drops file in Program Files directory (2 IoCs)
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- File created: C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe
- File opened for modification: C:\Program Files\Common Files\System\_0xHSei3ure3
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the report lists no IoCs under it, so the ransomware note is not a finding specific to this RAT sample.)
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe, powershell.exe (three instances)
- PID 3960 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe: 10 hits
- PID 5088 powershell.exe: 2 hits
- PID 4224 powershell.exe: 2 hits
- PID 964 powershell.exe: 2 hits
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 3960 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
- Token: SeDebugPrivilege, PID 4224 powershell.exe
- Token: SeDebugPrivilege, PID 5088 powershell.exe
- Token: SeDebugPrivilege, PID 964 powershell.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Process: 393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe (PID 3960)
- PID 3960 wrote to memory of PID 4224 (powershell.exe): 3 times
- PID 3960 wrote to memory of PID 5088 (powershell.exe): 3 times
- PID 3960 wrote to memory of PID 964 (powershell.exe): 3 times
- PID 3960 wrote to memory of PID 2676 (393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe): 8 times
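The WriteProcessMemory and SetThreadContext tables above record the sample (PID 3960) writing eight times into a second copy of itself (PID 2676) and then setting that child's thread context, while the Downloads list contains a 40KB region at 0x400000 in PID 2676 and a 40KB region in PID 3960 (memory/3960-141). The following is an added example, not the sandbox's code, that correlates those IoCs into an injection verdict and pairs the child's image-base region with any same-sized region in the parent. The PIDs, parent/child links, call counts and dump names are copied from this report; the verdict names, the threshold for "CreateProcess start-up writes", and the size-matching heuristic are this example's own assumptions, and a size match is consistent with, not proof of, the payload having been staged in the parent.

```python
"""Correlate WriteProcessMemory / SetThreadContext IoCs into an injection verdict.

Constructed from the signature tables and Downloads list of the report above;
the scoring rules are assumptions of this example, not sandbox logic.
"""
import re
from collections import defaultdict

SAMPLE = "393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe"
# pid -> image name, from the signature tables
PROCS = {3960: SAMPLE, 2676: SAMPLE, 4224: "powershell.exe",
         5088: "powershell.exe", 964: "powershell.exe"}
# child pid -> parent pid, from the process tree
PARENT = {4224: 3960, 5088: 3960, 964: 3960, 2676: 3960}

# (api, source pid, target pid), one tuple per IoC row in the report
API_CALLS = (
    [("WriteProcessMemory", 3960, 4224)] * 3
    + [("WriteProcessMemory", 3960, 5088)] * 3
    + [("WriteProcessMemory", 3960, 964)] * 3
    + [("WriteProcessMemory", 3960, 2676)] * 8
    + [("SetThreadContext", 3960, 2676)]
)

# Memory-dump names exactly as listed under Downloads (a subset)
DUMPS = [
    "memory/2676-146-0x0000000000400000-0x000000000040A000-memory.dmp",
    "memory/3960-141-0x00000000078F0000-0x00000000078FA000-memory.dmp",
    "memory/3960-132-0x0000000000680000-0x00000000006F0000-memory.dmp",
    "memory/4224-138-0x0000000004580000-0x00000000045B6000-memory.dmp",
    "memory/2676-145-0x0000000000000000-mapping.dmp",  # mapping files carry no region
]

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE_32 = 0x400000   # default image base of a 32-bit PE; a hollowed child's payload usually lands here
CREATEPROCESS_WRITES = 3   # assumption: parent->child writes that process start-up itself performs


def parse_dump(name):
    """Turn a dump file name into {pid, base, size}; None for mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "base": base, "size": end - base}


def score_injection(api_calls, procs, parent):
    """One verdict per (source, target) pair that was written to or had a context set."""
    counts = defaultdict(lambda: {"writes": 0, "set_ctx": 0})
    for api, src, dst in api_calls:
        if src == dst:
            continue
        if api == "WriteProcessMemory":
            counts[(src, dst)]["writes"] += 1
        elif api == "SetThreadContext":
            counts[(src, dst)]["set_ctx"] += 1
    verdicts = []
    for (src, dst), c in counts.items():
        same_image = procs.get(src) == procs.get(dst)
        is_child = parent.get(dst) == src
        if c["set_ctx"] and c["writes"]:
            # writes followed by a context set on a child that is the same image: classic hollowing
            verdict = "self-hollowing" if same_image and is_child else "thread-hijack"
        elif c["writes"] > CREATEPROCESS_WRITES:
            verdict = "write-only-injection"
        else:
            verdict = "create-process-noise"
        verdicts.append({"src": src, "dst": dst, "src_image": procs.get(src),
                         "dst_image": procs.get(dst), "writes": c["writes"],
                         "set_ctx": c["set_ctx"], "verdict": verdict})
    return verdicts


def hollowing_evidence(src, dst, dump_names):
    """Pairs (child region at the 32-bit image base, parent region of identical size)."""
    regions = [r for r in map(parse_dump, dump_names) if r]
    child = [r for r in regions if r["pid"] == dst and r["base"] == IMAGE_BASE_32]
    staged = [r for r in regions if r["pid"] == src]
    return [(c, p) for c in child for p in staged if p["size"] == c["size"]]


if __name__ == "__main__":
    for v in score_injection(API_CALLS, PROCS, PARENT):
        print(v)
    print(hollowing_evidence(3960, 2676, DUMPS))
```

On the report's data the 3960 to 2676 pair scores as self-hollowing (8 writes plus a SetThreadContext on a child running the same image), the three PowerShell children stay at create-process-noise, and the only size match is the 40KB child region at 0x400000 against memory/3960-141.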
Processes
-
C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe"
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe"
    - Checks processor information in registry

The image paths and command lines of the PowerShell children differ because the sample runs as a 32-bit process (its PowerShell children resolve to SysWOW64 and log to CLR_v4.0_32, see Downloads): the System32 path given on the command line is redirected to C:\Windows\SysWOW64 by WOW64 file-system redirection. Two of the three PowerShell invocations add the same exclusion for the dropped svchost.exe; the third excludes the sample's own path in Temp. The second copy of the sample at the bottom of the tree is the child (PID 2676 in the signature tables) that PID 3960 wrote into and set a thread context on.
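The Defender-exclusion writes, the Add-MpPreference command lines and the Run/RunOnce values pointing at a svchost.exe under Program Files are what a detection would key on. The following is an added example, not code from the sandbox or from this page, that runs three rules over constructed Sysmon-style events whose values are copied from this report: a Run/RunOnce value whose target is a Windows system binary name (svchost.exe and the like) located outside C:\Windows, a registry key create or value set under Windows Defender\Exclusions by anything other than Defender's own binaries, and a powershell.exe command line that adds an exclusion. The allowlist of legitimate exclusion writers, the severity rules, the list of system binary names and the two benign control events at the end are assumptions of the example.

```python
"""Detection rules for the Defender-exclusion and Run-key activity in this report.

Events are constructed in Sysmon's field vocabulary (EventID 1 process create,
12 registry key create, 13 registry value set) with values copied from the
report above; they were not captured from a live host. Allowlists and severity
rules are this example's own assumptions.
"""
import ntpath
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe"
DROP = r"C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe"
SID = "S-1-5-21-2295526160-1155304984-640977766-1000"
EXCL_PATHS = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths"
RUN = rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'

EVENTS = [
    # PowerShell children of the sample (image path vs. command line differ: WOW64 redirection)
    {"EventID": 1, "ProcessId": 4224, "Image": PS_IMAGE, "ParentImage": SAMPLE,
     "CommandLine": PS_CMD + f' Add-MpPreference -ExclusionPath "{DROP}" -Force'},
    {"EventID": 1, "ProcessId": 964, "Image": PS_IMAGE, "ParentImage": SAMPLE,
     "CommandLine": PS_CMD + f' Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'},
    # Registry activity attributed to the sample itself (PID 3960)
    {"EventID": 12, "ProcessId": 3960, "Image": SAMPLE, "TargetObject": EXCL_PATHS},
    {"EventID": 13, "ProcessId": 3960, "Image": SAMPLE,
     "TargetObject": EXCL_PATHS + "\\" + DROP, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 3960, "Image": SAMPLE,
     "TargetObject": EXCL_PATHS + "\\" + SAMPLE, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 3960, "Image": SAMPLE,
     "TargetObject": RUN + r"\_0xHM2sbehave", "Details": DROP},
    {"EventID": 13, "ProcessId": 3960, "Image": SAMPLE,
     "TargetObject": RUN + r"Once\_0xHM2sbehave", "Details": DROP},
    # Constructed benign controls that must not fire
    {"EventID": 1, "ProcessId": 5000, "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": PS_CMD + " Get-MpPreference"},
    {"EventID": 13, "ProcessId": 5001, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": RUN + r"\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

DEFENDER_EXCL = re.compile(r"\\Microsoft\\Windows Defender\\Exclusions\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
ADD_MP_EXCL = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)\b", re.I)
USER_WRITABLE = re.compile(r"[A-Z]:\\Users\\|\\ProgramData\\|\\AppData\\", re.I)
WINDIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)
# Names Windows ships only under %SystemRoot%; a copy elsewhere is masquerading (assumed list)
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                       "winlogon.exe", "explorer.exe", "conhost.exe", "dllhost.exe"}
# Assumed allowlist of processes expected to write Defender exclusions
DEFENDER_WRITERS = {"msmpeng.exe", "mpcmdrun.exe"}


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def exclusion_argument(cmdline):
    """Value passed to -Exclusion*, quoted or bare."""
    m = re.search(r'-Exclusion\w+\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def exe_path_in(text):
    """First drive-letter path ending in .exe; collapses doubled backslashes as Triage prints them."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.exe)', text.replace("\\\\", "\\"), re.I)
    return m.group(1) if m else None


def detect(events):
    findings = []
    for ev in events:
        eid, target = ev.get("EventID"), ev.get("TargetObject", "")
        if eid == 1 and ADD_MP_EXCL.search(ev.get("CommandLine", "")):
            arg = exclusion_argument(ev["CommandLine"])
            findings.append({"rule": "defender_exclusion_cmdline",
                             "severity": "high" if arg and USER_WRITABLE.search(arg) else "medium",
                             "pid": ev["ProcessId"], "path": arg, "parent": ev.get("ParentImage")})
        elif eid in (12, 13) and DEFENDER_EXCL.search(target):
            if _basename(ev["Image"]) in DEFENDER_WRITERS:
                continue
            excluded = target.split("\\Exclusions\\", 1)[1]   # e.g. Paths\C:\...
            findings.append({"rule": "defender_exclusion_registry",
                             "severity": "high" if USER_WRITABLE.search(excluded) else "medium",
                             "pid": ev["ProcessId"], "path": excluded, "writer": ev["Image"]})
        elif eid == 13 and RUN_KEY.search(target):
            exe = exe_path_in(ev.get("Details", ""))
            if exe and _basename(exe) in SYSTEM_BINARY_NAMES and not WINDIR.match(exe):
                findings.append({"rule": "runkey_masquerading_system_binary", "severity": "high",
                                 "pid": ev["ProcessId"], "path": exe,
                                 "value": target.rsplit("\\", 1)[1]})
    return findings


def summarize(findings):
    """Hit count per rule."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(summarize(detect(EVENTS)))
```

Against the report's events the rules produce seven findings (two command-line, three registry, two Run-key) and nothing for the two controls; the exclusion for the sample's own path under C:\Users scores high because excluding a user-writable location is the more dangerous of the two.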
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(The dropped C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe from the "Drops file in Program Files directory" signature is not among the files listed here; the three files below are PowerShell's own CLR and profile artifacts.)
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- Filesize: 2KB
- MD5: 3d086a433708053f9bf9523e1d87a4e8
- SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
- SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
- SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 18KB
- MD5: 0a27a3db521fc8edde6c0952a89a3798
- SHA1: 714acd24f9efd74bec28b7f5ca990716da0c9c4c
- SHA256: 7f764db55fae169cf3a72fe52fb509546ef062a8facdba84f15466a3dca254cd
- SHA512: e855bced2afc59513cd8804f8e45eafa6422e8cb1b31ec7180f6640b99d9db250484830e9ce42962f87e9d49ebd1886baa7cbf053311a89fd313b5c564acc0b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 18KB
- MD5: 7e9be9b841b286a35a6497c154f6c33f
- SHA1: 7eb1167879d0114f9e721a3cfe6ef4b709fb7bd8
- SHA256: 140cf2927b580c5a376419957e44a0d668d6b8d830d9c860de4a248a8b1d30c5
- SHA512: d57f6ef88a44b1c336f9f6fd2d60e951a19ed497bab2d710fd1323f93212b04588d4709c66083080c0035287db4750d907ab9869892e301dcf6dc8c4b3b37640
-
Memory dumps (process PID, region, size):
- memory/964-156-0x0000000007270000-0x0000000007306000-memory.dmp (Filesize: 600KB)
- memory/964-137-0x0000000000000000-mapping.dmp
- memory/964-154-0x0000000006FF0000-0x000000000700A000-memory.dmp (Filesize: 104KB)
- memory/964-152-0x000000006FE40000-0x000000006FE8C000-memory.dmp (Filesize: 304KB)
- memory/2676-145-0x0000000000000000-mapping.dmp
- memory/2676-146-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
- memory/3960-139-0x0000000007960000-0x00000000079F2000-memory.dmp (Filesize: 584KB)
- memory/3960-132-0x0000000000680000-0x00000000006F0000-memory.dmp (Filesize: 448KB)
- memory/3960-133-0x0000000005070000-0x000000000510C000-memory.dmp (Filesize: 624KB)
- memory/3960-134-0x0000000007DB0000-0x0000000008354000-memory.dmp (Filesize: 5.6MB)
- memory/3960-141-0x00000000078F0000-0x00000000078FA000-memory.dmp (Filesize: 40KB)
- memory/4224-147-0x0000000005B50000-0x0000000005B6E000-memory.dmp (Filesize: 120KB)
- memory/4224-155-0x0000000006EC0000-0x0000000006ECA000-memory.dmp (Filesize: 40KB)
- memory/4224-143-0x0000000005440000-0x00000000054A6000-memory.dmp (Filesize: 408KB)
- memory/4224-144-0x0000000005520000-0x0000000005586000-memory.dmp (Filesize: 408KB)
- memory/4224-151-0x0000000006110000-0x000000000612E000-memory.dmp (Filesize: 120KB)
- memory/4224-149-0x000000006FE40000-0x000000006FE8C000-memory.dmp (Filesize: 304KB)
- memory/4224-140-0x0000000004CE0000-0x0000000005308000-memory.dmp (Filesize: 6.2MB)
- memory/4224-153-0x00000000074F0000-0x0000000007B6A000-memory.dmp (Filesize: 6.5MB)
- memory/4224-138-0x0000000004580000-0x00000000045B6000-memory.dmp (Filesize: 216KB)
- memory/4224-142-0x0000000004C70000-0x0000000004C92000-memory.dmp (Filesize: 136KB)
- memory/4224-135-0x0000000000000000-mapping.dmp
- memory/4224-159-0x0000000007170000-0x0000000007178000-memory.dmp (Filesize: 32KB)
- memory/4224-158-0x0000000007190000-0x00000000071AA000-memory.dmp (Filesize: 104KB)
- memory/5088-157-0x0000000007450000-0x000000000745E000-memory.dmp (Filesize: 56KB)
- memory/5088-136-0x0000000000000000-mapping.dmp
- memory/5088-150-0x000000006FE40000-0x000000006FE8C000-memory.dmp (Filesize: 304KB)
- memory/5088-148-0x00000000064E0000-0x0000000006512000-memory.dmp (Filesize: 200KB)