Analysis
- max time kernel: 89s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 02:38
Behavioral task behavioral1
- Sample: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
- Resource: win10v2004-20230220-en
General
- Target: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
- Size: 136KB
- MD5: b9d014296827c8d325ba1e1b0f4b2793
- SHA1: 8749106256cdca0d200f76728d0a873dd13c22e9
- SHA256: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
- SHA512: 6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
- SSDEEP: 3072:rssOu1QbkQzxsf9vIyqhSJTibjMJGEA1u4B+:rsslkkQMvqUibg8EEj+
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 7 IoCs
resource | yara_rule
behavioral2/memory/1560-134-0x0000000000400000-0x0000000000428000-memory.dmp | revengerat
behavioral2/memory/1560-136-0x0000000000400000-0x0000000000428000-memory.dmp | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | revengerat
behavioral2/memory/1752-172-0x00000000001B0000-0x00000000001D8000-memory.dmp | revengerat
behavioral2/memory/1752-175-0x00000000001B0000-0x00000000001D8000-memory.dmp | revengerat
Drops startup file 2 IoCs
Processes: aspnet_compiler.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | aspnet_compiler.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | aspnet_compiler.exe
Executes dropped EXE 1 IoCs
Processes: Client.exe
pid | process
4460 | Client.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe, aspnet_compiler.exe, Client.exe
description | pid | process | target process
PID 820 set thread context of 1560 | 820 | ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe | aspnet_compiler.exe
PID 1560 set thread context of 4400 | 1560 | aspnet_compiler.exe | aspnet_compiler.exe
PID 4460 set thread context of 1752 | 4460 | Client.exe | aspnet_compiler.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2732 | 1752 | WerFault.exe | aspnet_compiler.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe (all three events below are attributed to taskmgr.exe, not to the submitted sample)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: taskmgr.exe
pid | process | events
4748 | taskmgr.exe | 12 identical events
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe, aspnet_compiler.exe, taskmgr.exe, Client.exe
description | pid | process
Token: SeDebugPrivilege | 820 | ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
Token: SeDebugPrivilege | 1560 | aspnet_compiler.exe
Token: SeDebugPrivilege | 4748 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4748 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4748 | taskmgr.exe
Token: 33 | 4748 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4748 | taskmgr.exe
Token: SeDebugPrivilege | 4460 | Client.exe
Suspicious use of FindShellTrayWindow 37 IoCs
Processes: taskmgr.exe
pid | process | events
4748 | taskmgr.exe | 37 identical events
Suspicious use of SendNotifyMessage 37 IoCs
Processes: taskmgr.exe
pid | process | events
4748 | taskmgr.exe | 37 identical events
Suspicious use of WriteProcessMemory 29 IoCs
Processes: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe, aspnet_compiler.exe, Client.exe
description | pid | process | target process | events
PID 820 wrote to memory of 1560 | 820 | ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe | aspnet_compiler.exe | 9
PID 1560 wrote to memory of 4400 | 1560 | aspnet_compiler.exe | aspnet_compiler.exe | 8
PID 1560 wrote to memory of 4460 | 1560 | aspnet_compiler.exe | Client.exe | 3
PID 4460 wrote to memory of 1752 | 4460 | Client.exe | aspnet_compiler.exe | 9
Processes (indentation shows parent/child; "depth" is the tree level from the original report)
- (depth 1) C:\Users\Admin\AppData\Local\Temp\ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    - (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        - (depth 5) C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 200
          - Program crash
- (depth 1) C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1752 -ip 1752
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
  Filesize: 213B
  MD5: 542799505971e4b49beff1e58bfa61cb
  SHA1: 7a3939442a6a4f209fa8f5a6246eeb6d29621596
  SHA256: af4e0cd2feb1b66da325e63c2b0f6245996c056b3707b8dd6b35b9f20b92c78c
  SHA512: c07e2e000dd30566a394b171e0cf0927bc65c07b90825c688804f2b73ae1af70c30ed255a1ccc679a979dc4bd96bcb537ff69723aada4549fa81fe8657bc6a7d
- C:\Users\Admin\AppData\Local\Temp\DvZwfRt.txt
  Filesize: 102B
  MD5: 3ea0daae067021cd90162c143f3a0f65
  SHA1: 0e68f67af02ea70c86344cab93545fc9e5d13ac4
  SHA256: 692d995eb7fd8139fca7c470396de57a4e2216771944d76437eb88e41dba47db
  SHA512: c1d6460b1b603c1bcdc40edb707a0fe2bf85b86f8b23739b8610a6406ae170340407da040af5c254a51af0864491323d57961a2bd0dd023cadd74bf424d254c0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (listed three times in the report with identical values; the hashes match the submitted sample exactly)
  Filesize: 136KB
  MD5: b9d014296827c8d325ba1e1b0f4b2793
  SHA1: 8749106256cdca0d200f76728d0a873dd13c22e9
  SHA256: ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
  SHA512: 6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
- memory/1560-154-0x0000000001470000-0x0000000001480000-memory.dmp (Filesize: 64KB)
- memory/1560-136-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1560-137-0x0000000001470000-0x0000000001480000-memory.dmp (Filesize: 64KB)
- memory/1560-134-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1752-175-0x00000000001B0000-0x00000000001D8000-memory.dmp (Filesize: 160KB)
- memory/1752-172-0x00000000001B0000-0x00000000001D8000-memory.dmp (Filesize: 160KB)
- memory/4400-138-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/4748-141-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-152-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-153-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-151-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-150-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-149-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-148-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-147-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-143-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)
- memory/4748-142-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp (Filesize: 4KB)