Analysis Overview
| File | explorer.exe |
| SHA256 | 33f2e43c3d209ede2937d61e006f64eb8ed55cf6a3184f03054940bf7926fd3d |
| Threat Level | Known bad |
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2023-09-19 09:21 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-09-19 09:21 |
| Reported | 2023-09-19 09:23 |
| Platform | win7-20230831-en |
| Max time kernel | 134s |
| Max time network | 146s |
| Command Line | N/A |
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\explorer.exe | "C:\Users\Admin\AppData\Local\Temp\explorer.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blog.geoiplookup.live | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
Files
memory/1700-0-0x0000000001340000-0x0000000001366000-memory.dmp
memory/1700-1-0x000007FEF5680000-0x000007FEF606C000-memory.dmp
memory/1700-2-0x000000001ADD0000-0x000000001AE50000-memory.dmp
memory/1700-3-0x00000000001C0000-0x00000000001CE000-memory.dmp
memory/1700-4-0x00000000001E0000-0x00000000001EC000-memory.dmp
memory/1700-7-0x000007FEF5680000-0x000007FEF606C000-memory.dmp
memory/1700-8-0x000000001ADD0000-0x000000001AE50000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2023-09-19 09:21 |
| Reported | 2023-09-19 09:23 |
| Platform | win10v2004-20230915-en |
| Max time kernel | 135s |
| Max time network | 145s |
| Command Line | N/A |
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\explorer.exe | "C:\Users\Admin\AppData\Local\Temp\explorer.exe" |
| \??\c:\windows\system32\cmstp.exe | "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\mand0f25.inf |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe |
| C:\Windows\system32\taskkill.exe | taskkill /IM cmstp.exe /F |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe |
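The process list above carries the four behaviours a triage rule set should catch on its own: cmstp.exe launched with /au and an INF dropped in %TEMP% (the documented CMSTP proxy-execution pattern, ATT&CK T1218.003), five Defender exclusions added through hidden PowerShell (T1562.001, which only succeeds if the sample already runs elevated), a forced taskkill of cmstp.exe once it has done its job, and, from the Run-key signature in both detonations, an autorun named "Microsoft Explorer" pointing at an explorer.exe copy under AppData\Roaming (T1547.001, with T1036.005 name masquerading). The following is an added example, not part of this report or of the sandbox's own signature engine: a small Python detector run over process and registry events constructed from this page's entries. The rule names, the user-writable path test and the MASQUERADE_NAMES list are the author's assumptions.

```python
"""Triage rules over the process and registry events recorded in this report.

Added example: not part of the sandbox report or the sample. The events are
constructed from this page's process list and Run-key indicator; rule names,
MASQUERADE_NAMES and the user-writable path test are the author's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process" or "registry"
    image: str          # image path of the acting process
    cmdline: str = ""   # command line (kind == "process")
    reg_path: str = ""  # registry value path (kind == "registry")
    reg_data: str = ""  # registry value data (kind == "registry")


# Constructed from the behavioral2 process list and the Run-key signature above.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\Admin\AppData\Local\Temp\explorer.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\explorer.exe"'),
    Event("process", r"c:\windows\system32\cmstp.exe",
          r'"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\mand0f25.inf'),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden '
          r"Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath "
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"),
    Event("process", r"C:\Windows\system32\taskkill.exe", r"taskkill /IM cmstp.exe /F"),
    Event("registry", r"C:\Users\Admin\AppData\Local\Temp\explorer.exe",
          reg_path=r"\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000"
                   r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer",
          reg_data=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"),
]

# Paths a standard user can write to; a Run key, exclusion or INF there is suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# Windows component names the sample reuses for its copies (T1036.005 masquerading).
MASQUERADE_NAMES = {"explorer.exe", "svchost.exe", "cortana.exe",
                    "onedrive.exe", "systemsettings.exe"}
EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusion(?:path|process|extension)\s+(\S+)", re.I)
CMSTP_INF_RE = re.compile(r"\s/au\s+(\S+\.inf)\b", re.I)
TASKKILL_RE = re.compile(r"taskkill\s+/im\s+(\S+)\s+/f\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return sorted (rule, detail) findings; the set dedupes the cmd.exe wrapper and its PowerShell child."""
    findings = set()

    def flag(rule, path):
        findings.add((rule, path))
        if USER_WRITABLE.match(path) and basename(path) in MASQUERADE_NAMES:
            findings.add(("masquerade_name", path))

    for ev in events:
        if ev.kind == "registry":
            # T1547.001: autorun entry whose target lives in a user-writable directory.
            if "\\currentversion\\run\\" in ev.reg_path.lower() and USER_WRITABLE.match(ev.reg_data):
                flag("run_key_user_writable", ev.reg_data)
            continue
        m = EXCLUSION_RE.search(ev.cmdline)
        if m:
            # T1562.001: Defender exclusion added from a script rather than the admin console.
            flag("defender_exclusion", m.group(1))
        if basename(ev.image) == "cmstp.exe":
            # T1218.003: cmstp.exe /au with an INF from a user-writable path.
            m = CMSTP_INF_RE.search(ev.cmdline)
            if m and USER_WRITABLE.match(m.group(1)):
                findings.add(("cmstp_user_inf", m.group(1)))
        m = TASKKILL_RE.search(ev.cmdline)
        if m:
            findings.add(("taskkill_force", m.group(1).lower()))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

Both the `cmd.exe /c PowerShell.exe ...` wrapper and the PowerShell child carry the same exclusion path, so the detector keys findings on the extracted path rather than the process to avoid double counting. On a live host the equivalent check is `Get-MpPreference` (ExclusionPath) plus the HKCU Run key; an exclusion for anything under AppData is worth an alert on its own, since legitimate software rarely needs one and Add-MpPreference requires administrative rights to succeed.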
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blog.geoiplookup.live | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
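Most rows in this table are not the sample's traffic: the `*.in-addr.arpa` entries are reverse (PTR) lookups the sandbox OS performs in the background, and their "Domain" column is a PTR name, not something the sample resolved. What remains is one name, blog.geoiplookup.live, resolved once over DNS and then contacted repeatedly over TCP on the non-standard port 33160. The following is an added example, not part of the report: a parser for this page's network rows that drops the PTR noise, counts hits per endpoint and reduces the table to block-list material. The row subset, the PTR filter and the three-hit threshold for "beacon-like" are the author's choices.

```python
"""Separate the sample's own network activity from sandbox background lookups.

Added example: not part of the report. NETWORK_TABLE is a subset of the
behavioral2 Network rows on this page; treating *.in-addr.arpa rows as
background PTR lookups and 3+ hits to one non-DNS endpoint as beacon-like
are the author's thresholds.
"""
import re
from collections import Counter, defaultdict

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blog.geoiplookup.live | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
| US | 147.185.221.16:33160 | blog.geoiplookup.live | tcp |
"""

# One row of the page's "| Country | Destination | Domain | Proto |" table.
ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")


def parse_rows(table: str):
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_ptr_lookup(row) -> bool:
    # Reverse lookups: the "Domain" column is a PTR name, not a name the sample resolved.
    return row["domain"].endswith(".in-addr.arpa")


def summarize(rows):
    """{domain: {(ip, port, proto): hits}} for rows that are not PTR lookups."""
    out = defaultdict(Counter)
    for r in rows:
        if not is_ptr_lookup(r):
            out[r["domain"]][(r["ip"], r["port"], r["proto"])] += 1
    return {d: dict(c) for d, c in out.items()}


def beacon_candidates(rows, dns_port=53, min_hits=3):
    """Non-DNS endpoints hit repeatedly under one name: the indicators worth blocking."""
    return sorted(
        (domain, ip, port, proto, n)
        for domain, endpoints in summarize(rows).items()
        for (ip, port, proto), n in endpoints.items()
        if port != dns_port and n >= min_hits
    )


def iocs(rows, resolver="8.8.8.8"):
    """Block-list material: resolved names plus ip:port pairs other than the resolver."""
    names, endpoints = set(), set()
    for r in rows:
        if is_ptr_lookup(r):
            continue
        names.add(r["domain"])
        if r["ip"] != resolver:
            endpoints.add(f'{r["ip"]}:{r["port"]}')
    return sorted(names), sorted(endpoints)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print(beacon_candidates(rows))
    print(iocs(rows))
```

The name suggests a geolocation lookup, but this report only shows it being contacted repeatedly on port 33160, so treat the ip:port pair as the primary indicator and confirm what the name hosts before blocking it outright; the registry-based "Checks computer location settings" signature in behavioral2 is a separate, local check and not this network traffic.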
Files
memory/4956-0-0x0000000000210000-0x0000000000236000-memory.dmp
memory/4956-1-0x0000000002290000-0x000000000229E000-memory.dmp
memory/4956-2-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/4956-5-0x000000001AE80000-0x000000001AE90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mand0f25.inf
| MD5 | 6f1420f2133f3e08fd8cdea0e1f5fe27 |
| SHA1 | 3aa41ec75adc0cf50e001ca91bbfa7f763adf70b |
| SHA256 | aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242 |
| SHA512 | d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa |
memory/4956-8-0x000000001AE80000-0x000000001AE90000-memory.dmp
memory/4956-9-0x000000001AE80000-0x000000001AE90000-memory.dmp
memory/4956-10-0x000000001AE60000-0x000000001AE6C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
| MD5 | a2e907bf8f4c9c90c5b270cd78d86556 |
| SHA1 | 97751aedfaae7c181482f227c3ec558f8f63503d |
| SHA256 | 5ebb3f9a174483bbd163a5bae6a49adb9f21db1ca3a7126898dfd904d27ea7e1 |
| SHA512 | 4718342f0c1a182d6c435129bca18413798384f8ba0d9a79d6453e4e1b2a3316b7f844b4b786862a20dd2d33816b162924e11b5dfdfe2df28be474d1b91b9786 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
| MD5 | a2e907bf8f4c9c90c5b270cd78d86556 |
| SHA1 | 97751aedfaae7c181482f227c3ec558f8f63503d |
| SHA256 | 5ebb3f9a174483bbd163a5bae6a49adb9f21db1ca3a7126898dfd904d27ea7e1 |
| SHA512 | 4718342f0c1a182d6c435129bca18413798384f8ba0d9a79d6453e4e1b2a3316b7f844b4b786862a20dd2d33816b162924e11b5dfdfe2df28be474d1b91b9786 |
memory/2520-14-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/2520-15-0x0000000000CE0000-0x0000000000CEA000-memory.dmp
memory/2520-17-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/3932-18-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/3932-19-0x0000027AABF60000-0x0000027AABF70000-memory.dmp
memory/2392-20-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/2392-21-0x0000028D51A70000-0x0000028D51A80000-memory.dmp
memory/3932-22-0x0000027AABF60000-0x0000027AABF70000-memory.dmp
memory/3932-24-0x0000027A938A0000-0x0000027A938C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwyaxpbl.3fw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2392-34-0x0000028D51A70000-0x0000028D51A80000-memory.dmp
memory/3932-45-0x0000027AABF60000-0x0000027AABF70000-memory.dmp
memory/4956-44-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/4956-46-0x000000001AE80000-0x000000001AE90000-memory.dmp
memory/4956-47-0x000000001AE80000-0x000000001AE90000-memory.dmp
memory/764-48-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/764-49-0x00000225135D0000-0x00000225135E0000-memory.dmp
memory/264-50-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/264-51-0x0000027135390000-0x00000271353A0000-memory.dmp
memory/264-52-0x0000027135390000-0x00000271353A0000-memory.dmp
memory/3408-53-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/4956-81-0x000000001AE80000-0x000000001AE90000-memory.dmp
memory/2392-82-0x0000028D51A70000-0x0000028D51A80000-memory.dmp
memory/3932-83-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8ce785f8ccc6d202d56fefc59764945 |
| SHA1 | ca032c62ddc5e0f26d84eff9895eb87f14e15960 |
| SHA256 | d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4 |
| SHA512 | 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f |
memory/2392-92-0x0000028D51A70000-0x0000028D51A80000-memory.dmp
memory/264-93-0x0000027135390000-0x00000271353A0000-memory.dmp
memory/3932-91-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/764-94-0x00000225135D0000-0x00000225135E0000-memory.dmp
memory/2392-90-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/3932-89-0x0000027AABF60000-0x0000027AABF70000-memory.dmp
memory/764-95-0x00000225135D0000-0x00000225135E0000-memory.dmp
memory/764-97-0x00000225135D0000-0x00000225135E0000-memory.dmp
memory/764-96-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/264-98-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/3408-99-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/3408-100-0x000001E76F250000-0x000001E76F260000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
memory/264-103-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/764-108-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp
memory/3408-109-0x00007FF8D5460000-0x00007FF8D5F21000-memory.dmp