Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2022 10:17
Behavioral task: behavioral1
- Sample: FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe
- Resource: win10v2004-20220812-en
General
- Target: FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe
- Size: 20KB
- MD5: e261906d0d1ceb7b801b380e94515e6b
- SHA1: 71a98ad89380f2fc81ded0d203f7e29ef1d61e2c
- SHA256: fa95d5e77fd4fab91662c9b1e460807647acb25769469110b59fb6485b17cc8d
- SHA512: f61539231a486ebfc485f0ef7bb617fdb16a8b7513536b9eb57dabd4740af04c0a2bb3cc784a89bcec2054f33387a9286a19ebb3e8653968e6320e717db41239
- SSDEEP: 384:Ri9FmEqiF1x4our05GkoEIPJvnbisVKfwytLu2s2QCzYcHe+Z:Ri9F5qiFMouUDIRmDxa2nzYcHe+Z
Malware Config
Extracted
- Family: revengerat
- phitrinh
- C2: nhockgame1230.zapto.org:6722
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\scvhost.exe / revengerat
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\scvhost.exe / revengerat
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 1708 / scvhost.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe / scvhost.exe
  - File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe / scvhost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 948 / FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe
  - Token: SeDebugPrivilege / 1708 / scvhost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 948 wrote to memory of 1708 / 948 / FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe / scvhost.exe
  - PID 948 wrote to memory of 1708 / 948 / FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe / scvhost.exe
  - PID 948 wrote to memory of 1708 / 948 / FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe / scvhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FA95D5E77FD4FAB91662C9B1E460807647ACB25769469.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\scvhost.exe (level 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\scvhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\scvhost.exe
  Filesize: 20KB
  MD5: e261906d0d1ceb7b801b380e94515e6b
  SHA1: 71a98ad89380f2fc81ded0d203f7e29ef1d61e2c
  SHA256: fa95d5e77fd4fab91662c9b1e460807647acb25769469110b59fb6485b17cc8d
  SHA512: f61539231a486ebfc485f0ef7bb617fdb16a8b7513536b9eb57dabd4740af04c0a2bb3cc784a89bcec2054f33387a9286a19ebb3e8653968e6320e717db41239
- memory/948-54-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp (Filesize: 10.1MB)
- memory/948-55-0x000007FEF2BB0000-0x000007FEF3C46000-memory.dmp (Filesize: 16.6MB)
- memory/948-56-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp (Filesize: 8KB)
- memory/1708-57-0x0000000000000000-mapping.dmp
- memory/1708-60-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp (Filesize: 10.1MB)
- memory/1708-61-0x000007FEF2BB0000-0x000007FEF3C46000-memory.dmp (Filesize: 16.6MB)