Overview

overview

10

Static

static

393B10AAC7...B8.exe

windows7-x64

3

393B10AAC7...B8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2022 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe

  • Size

    419KB

  • MD5

    36199d74da34290f87be389bb6bb9515

  • SHA1

    7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

  • SHA256

    393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

  • SHA512

    7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

  • SSDEEP

    12288:p051XAB4MzIbYyOrCKuBBPcn/txkAWQEho:p+1XAB4wIbfJlcn1xkjh

Score
10/10
revengeratnyancatrevengeevasionpersistencetrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

alice2019.myftp.biz:7575

Mutex

a4765021d3

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
    "C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe"
    1⤵
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\_0xHSei3ure3\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:964
    • C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe
      "C:\Users\Admin\AppData\Local\Temp\393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe"
      2⤵
      • Checks processor information in registry
      PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    0a27a3db521fc8edde6c0952a89a3798

    SHA1

    714acd24f9efd74bec28b7f5ca990716da0c9c4c

    SHA256

    7f764db55fae169cf3a72fe52fb509546ef062a8facdba84f15466a3dca254cd

    SHA512

    e855bced2afc59513cd8804f8e45eafa6422e8cb1b31ec7180f6640b99d9db250484830e9ce42962f87e9d49ebd1886baa7cbf053311a89fd313b5c564acc0b1

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    7e9be9b841b286a35a6497c154f6c33f

    SHA1

    7eb1167879d0114f9e721a3cfe6ef4b709fb7bd8

    SHA256

    140cf2927b580c5a376419957e44a0d668d6b8d830d9c860de4a248a8b1d30c5

    SHA512

    d57f6ef88a44b1c336f9f6fd2d60e951a19ed497bab2d710fd1323f93212b04588d4709c66083080c0035287db4750d907ab9869892e301dcf6dc8c4b3b37640

    Download Submit
  • memory/964-156-0x0000000007270000-0x0000000007306000-memory.dmp
    Filesize

    600KB

    Download
  • memory/964-137-0x0000000000000000-mapping.dmp
    Download
  • memory/964-154-0x0000000006FF0000-0x000000000700A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/964-152-0x000000006FE40000-0x000000006FE8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2676-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2676-146-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3960-139-0x0000000007960000-0x00000000079F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3960-132-0x0000000000680000-0x00000000006F0000-memory.dmp
    Filesize

    448KB

    Download
  • memory/3960-133-0x0000000005070000-0x000000000510C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3960-134-0x0000000007DB0000-0x0000000008354000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3960-141-0x00000000078F0000-0x00000000078FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4224-147-0x0000000005B50000-0x0000000005B6E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4224-155-0x0000000006EC0000-0x0000000006ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4224-143-0x0000000005440000-0x00000000054A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4224-144-0x0000000005520000-0x0000000005586000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4224-151-0x0000000006110000-0x000000000612E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4224-149-0x000000006FE40000-0x000000006FE8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4224-140-0x0000000004CE0000-0x0000000005308000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4224-153-0x00000000074F0000-0x0000000007B6A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4224-138-0x0000000004580000-0x00000000045B6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4224-142-0x0000000004C70000-0x0000000004C92000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4224-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4224-159-0x0000000007170000-0x0000000007178000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4224-158-0x0000000007190000-0x00000000071AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/5088-157-0x0000000007450000-0x000000000745E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/5088-136-0x0000000000000000-mapping.dmp
    Download
  • memory/5088-150-0x000000006FE40000-0x000000006FE8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/5088-148-0x00000000064E0000-0x0000000006512000-memory.dmp
    Filesize

    200KB

    Download