Analysis
- max time kernel: 131s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 15-09-2023 15:58
Static task: static1
Behavioral task: behavioral1
- Sample: 15663f7481c8b2a19dbe62014fa8a948.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 15663f7481c8b2a19dbe62014fa8a948.exe
- Resource: win10v2004-20230915-en
General
- Target: 15663f7481c8b2a19dbe62014fa8a948.exe
- Size: 85KB
- MD5: 15663f7481c8b2a19dbe62014fa8a948
- SHA1: d5875cbdf0b84e14cef8cf1249bae06a3ab4f57b
- SHA256: a96543da023e22eff83c1f152b980627a3efba8bd0d228171df6e4ac3b95ab89
- SHA512: 49883051f92e52094345e0b710754ce8445156ef9b20ad3cf0594a894615784b7b6240dfc2f5b0e915b5d5329163826988136921dd02a5e2d35fa60997c8820a
- SSDEEP: 1536:ER6XtX3eJG53G73mxdvd830Shhcqv/J+Kf/+9HIxCLsgmzU:o6t32GhNvWPhhco/J+Kn+9HIxCLsgmg
Malware Config
Extracted
- Family: revengerat
- Botnet: Test crypt
- C2: pplfoot1.ddns.net:1177
- Mutex: RV_MUTEX-wpnFwUnoWrUU
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoCs)
  resource | yara_rule
  behavioral1/memory/2016-4-0x00000000006B0000-0x00000000006B8000-memory.dmp | revengerat
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | 15663f7481c8b2a19dbe62014fa8a948.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | 15663f7481c8b2a19dbe62014fa8a948.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | chrome.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2616 | chrome.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2016 | 15663f7481c8b2a19dbe62014fa8a948.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | 15663f7481c8b2a19dbe62014fa8a948.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 15663f7481c8b2a19dbe62014fa8a948.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | chrome.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2016 | 15663f7481c8b2a19dbe62014fa8a948.exe
  Token: SeDebugPrivilege | 2616 | chrome.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2016 wrote to memory of 2616 | 2016 | 15663f7481c8b2a19dbe62014fa8a948.exe | 31
  PID 2016 wrote to memory of 2616 | 2016 | 15663f7481c8b2a19dbe62014fa8a948.exe | 31
  PID 2016 wrote to memory of 2616 | 2016 | 15663f7481c8b2a19dbe62014fa8a948.exe | 31
  PID 2016 wrote to memory of 2616 | 2016 | 15663f7481c8b2a19dbe62014fa8a948.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\15663f7481c8b2a19dbe62014fa8a948.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15663f7481c8b2a19dbe62014fa8a948.exe"
  PID: 2016
  - Drops startup file
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
    PID: 2616
    - Drops startup file
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 85KB
  MD5: 15663f7481c8b2a19dbe62014fa8a948
  SHA1: d5875cbdf0b84e14cef8cf1249bae06a3ab4f57b
  SHA256: a96543da023e22eff83c1f152b980627a3efba8bd0d228171df6e4ac3b95ab89
  SHA512: 49883051f92e52094345e0b710754ce8445156ef9b20ad3cf0594a894615784b7b6240dfc2f5b0e915b5d5329163826988136921dd02a5e2d35fa60997c8820a