Analysis
max time kernel: 129s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-03-2023 12:02
Static task: static1
Behavioral task: behavioral1
Sample: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
Resource: win10v2004-20230220-en
General
Target: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
Size: 4.0MB
MD5: 633a7a8aedf8627097b29d0e707c59af
SHA1: f36662cce42d02ed690fbc8e71f4cefc17474200
SHA256: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf
SHA512: 17033c6eb42190020320cda1a092eb528186bfc1ba7ac4bce30300732b839de9371e843f67404d8e23c74fab95abc20365ade575b30daf3eede1f93b1b24a568
SSDEEP: 98304:7trbTA1FZZAG/HW4A5vodMJ5thwVX9Gx5VeqC6BIN4ts7BUGI1jF:hc1Fzf/HxOQMthPgtCIBUGI1B
Malware Config (extracted)
Family: revengerat
Botnet: NyanCatRevenge
C2: marcelotatuape.ddns.net:333
Mutex: c12ead04c4f046028
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WinRAR.exe, CDS.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | WinRAR.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | CDS.exe

Drops startup file (2 IoCs)
Processes: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

Executes dropped EXE (3 IoCs)
Processes: WinRAR.exe, CDS.exe, crypted.exe
pid | process
4508 | WinRAR.exe
396 | CDS.exe
3864 | crypted.exe

Loads dropped DLL (1 IoC)
Processes: CDS.exe
pid | process
396 | CDS.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: CDS.exe
pid | process
396 | CDS.exe
396 | CDS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: AUDIODG.EXE
description | pid | process
Token: 33 | 392 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 392 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
pid | process
2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

Suspicious use of SendNotifyMessage (3 IoCs)
Processes: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
pid | process
2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: CDS.exe
pid | process
396 | CDS.exe
396 | CDS.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe, WinRAR.exe, CDS.exe
description | pid | process | target process
PID 2888 wrote to memory of 4508 | 2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe | WinRAR.exe
PID 2888 wrote to memory of 4508 | 2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe | WinRAR.exe
PID 2888 wrote to memory of 4508 | 2888 | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe | WinRAR.exe
PID 4508 wrote to memory of 396 | 4508 | WinRAR.exe | CDS.exe
PID 4508 wrote to memory of 396 | 4508 | WinRAR.exe | CDS.exe
PID 4508 wrote to memory of 396 | 4508 | WinRAR.exe | CDS.exe
PID 396 wrote to memory of 3864 | 396 | CDS.exe | crypted.exe
PID 396 wrote to memory of 3864 | 396 | CDS.exe | crypted.exe
PID 396 wrote to memory of 3864 | 396 | CDS.exe | crypted.exe
Processes

C:\Users\Admin\AppData\Local\Temp\326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe (PID 2888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe"
  - Drops startup file
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe (PID 4508)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      └ C:\Users\Admin\AppData\Local\Temp\CDS.exe (PID 396)
          Command line: "C:\Users\Admin\AppData\Local\Temp\CDS.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          └ C:\Users\Admin\AppData\Local\Temp\crypted.exe (PID 3864)
              Command line: "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
              - Executes dropped EXE

C:\Windows\system32\AUDIODG.EXE (PID 392)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4b8 0x340
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads