Analysis
- max time kernel: 91s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-02-2023 19:38
Static task: static1
Behavioral task: behavioral1
- Sample: image.ps1
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: image.ps1
- Resource: win10v2004-20220812-en
General
- Target: image.ps1
- Size: 86KB
- MD5: b6aacfef1cfb9f7530cca4c12107717e
- SHA1: ea4b5ebb1b70ef7c6f2c40129bea14153ceb968f
- SHA256: 8dbc7b89aa5900070b098b8f20d4f74613268faa53cea2134ae9904745767171
- SHA512: a520efe6388347a250cb452c8124eec9476739f53a5e24b1cf3151b0789068463c355c68232de85ca012abc63e6f9861107cd73d648104763c781eb9f7d9e443
- SSDEEP: 1536:lP2N2em5QnDSbYb/QIZGxKd5ja1d/DcaPrDxMgo:oN2A/QI4xFDygo
Malware Config
Extracted: revengerat
- MR_ahmed
- booksyy.hopto.org:1111
- 80fd5c83decd4b2fb
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Suspicious use of SetThreadContext (1 IoCs)
  Process: powershell.exe
    description: PID 2140 set thread context of 4668; pid: 2140; process: powershell.exe; target process: RegSvcs.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: RegSvcs.exe
    description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0; process: RegSvcs.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: powershell.exe
    pid: 2140; process: powershell.exe
    pid: 2140; process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: powershell.exe
    description: Token: SeDebugPrivilege; pid: 2140; process: powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: powershell.exe
    description: PID 2140 wrote to memory of 4668; pid: 2140; process: powershell.exe; target process: RegSvcs.exe (8 occurrences)
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\image.ps1
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
   - Checks processor information in registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2140-132-0x000002BDA6810000-0x000002BDA6832000-memory.dmp (Filesize: 136KB)
- memory/2140-133-0x00007FFC60ED0000-0x00007FFC61991000-memory.dmp (Filesize: 10.8MB)
- memory/2140-136-0x00007FFC60ED0000-0x00007FFC61991000-memory.dmp (Filesize: 10.8MB)
- memory/4668-134-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
- memory/4668-135-0x0000000000404F7E-mapping.dmp
- memory/4668-137-0x00000000058D0000-0x0000000005E74000-memory.dmp (Filesize: 5.6MB)
- memory/4668-138-0x0000000005740000-0x00000000057DC000-memory.dmp (Filesize: 624KB)
- memory/4668-139-0x00000000057E0000-0x0000000005846000-memory.dmp (Filesize: 408KB)