Overview

overview

10

Static

static

3

21b7a4cfbf...8e.exe

windows7-x64

10

21b7a4cfbf...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 00:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21b7a4cfbf3b18c1702c051c724e0e8e.exe

  • Size

    2.1MB

  • MD5

    21b7a4cfbf3b18c1702c051c724e0e8e

  • SHA1

    0e3141161e06b3599e02bf71bcb4fd34abc4e71d

  • SHA256

    2c1029c9d37fffe70cb817d24ba07e7c2c6bed1d38bebb7c3b11b55811503c9d

  • SHA512

    520ee73c961844677e1f127336334be583449625233b2a63d9b5b58b9fa27fafaeb06263ccfe8434d23f2e23b8cd2143c19b1064e3d04eec97a16f7b37eef7ad

  • SSDEEP

    49152:Q9ijgQO1PMDozYAPz2UNZJjN9IQEiXm1eCQTe:QRMDoMu28rnIQEiJbC

Score
10/10
revengeratzgratnyancatrevengepersistencerattrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

dontreachme.duckdns.org:3601

Mutex

159ffe7d99124a92baa

Signatures

  • Detect ZGRat V1 34 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21b7a4cfbf3b18c1702c051c724e0e8e.exe
    "C:\Users\Admin\AppData\Local\Temp\21b7a4cfbf3b18c1702c051c724e0e8e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Tonofbfnuxml.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
      • C:\Users\Admin\AppData\Local\Temp\Installer.exe
        C:\Users\Admin\AppData\Local\Temp\Installer.exe
        3⤵
        • Executes dropped EXE
        PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Installer.exe.log
    Filesize

    1KB

    MD5

    7ebe314bf617dc3e48b995a6c352740c

    SHA1

    538f643b7b30f9231a3035c448607f767527a870

    SHA256

    48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

    SHA512

    0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    Filesize

    896KB

    MD5

    f91f0830351583a4cf8cd239af5fac32

    SHA1

    a17c72a53f5a03d75d785eaded34c60c30d86c00

    SHA256

    db6e965cbe9c13b0ed22846aa3f8530d4692b2a309a36f121f81af8e9bb504b0

    SHA512

    059bee6a405e4111539289ef084954ebe5b317e9949ad6d87af50e5fe909f6aa9c17406bd1efa2fecc27e4c1f914bfd4bd1d6c08e768e523170f2465611aec8d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    Filesize

    894KB

    MD5

    3d0bf088d2864191683cab25795b9f27

    SHA1

    413194b137b8924ad7d0f19ca13d463d24b6397d

    SHA256

    0bf2184972305c9fba8ffa9eda712cfba94d6749b8cf01bff631c987b965a17a

    SHA512

    2f69a17eecdab04927dc27102f64693da794636fc3e7521962bc1df3ad738d81f03ad0c8402de6eb6de5e18b6bd96ad0f1b662ab300266a61fb6fc1d567162b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    Filesize

    1.1MB

    MD5

    5b174199e0a570d9b352f9170e47ceda

    SHA1

    d8c4e8477bfd4588f407abbea2365d22d7c1c8fc

    SHA256

    dea64b3d68e332bac36135e37457c6f634d6b0b8a9231ebb69a3408a0b63cead

    SHA512

    32a2146f07d3d32fb3e020fa5fe819c5ce01de6094752aaeff3e8e931850662c9869a36706e0884c41aeada65cccaaf3ed5af0b27e135f48c5486e95f61209b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_Tonofbfnuxml.vbs
    Filesize

    149B

    MD5

    75fda8189e60e05655aea55fe68591c0

    SHA1

    de2177e12403c59f81d278497a387089ddd10d73

    SHA256

    cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5

    SHA512

    1bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647

    Download Submit
  • memory/1168-2425-0x0000000007400000-0x0000000007A7A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1168-2422-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1168-2431-0x0000000007000000-0x0000000007014000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1168-2409-0x000000007FC80000-0x000000007FC90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1168-2432-0x0000000007100000-0x000000000711A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1168-2410-0x0000000006070000-0x00000000060A2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1168-2411-0x00000000707F0000-0x000000007083C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1168-2429-0x0000000006FC0000-0x0000000006FD1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1168-2428-0x0000000007040000-0x00000000070D6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1168-2421-0x0000000006A70000-0x0000000006A8E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1168-2427-0x0000000006E30000-0x0000000006E3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1168-2430-0x0000000006FF0000-0x0000000006FFE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1168-2426-0x0000000006DC0000-0x0000000006DDA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1168-2433-0x00000000070E0000-0x00000000070E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1168-2423-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1168-2424-0x0000000006A90000-0x0000000006B33000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1168-2390-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1168-2391-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1168-2408-0x0000000005B40000-0x0000000005B8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1168-2407-0x0000000005A90000-0x0000000005AAE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1168-2394-0x00000000051E0000-0x0000000005202000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1168-2395-0x0000000005380000-0x00000000053E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1168-2406-0x00000000056B0000-0x0000000005A04000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1168-2396-0x00000000053F0000-0x0000000005456000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1168-2393-0x0000000004B30000-0x0000000005158000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1168-2392-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1168-2389-0x00000000044C0000-0x00000000044F6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1168-2436-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1468-71-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-77-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-61-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-59-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-57-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-55-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-53-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-49-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-47-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-45-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-43-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-41-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-39-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-37-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-35-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-33-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-699-0x00000000057B0000-0x00000000057C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1468-65-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-67-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-16-0x0000000000B30000-0x0000000000C48000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1468-17-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1468-2386-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1468-69-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-73-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-75-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-63-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-79-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-81-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-83-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-85-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-87-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-89-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-19-0x0000000005500000-0x0000000005592000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1468-51-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-31-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-29-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-27-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-26-0x0000000006870000-0x00000000068E8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1468-25-0x0000000006870000-0x00000000068EE000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1468-24-0x00000000066E0000-0x000000000672A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/1468-23-0x00000000057B0000-0x00000000057C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1468-22-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1468-21-0x00000000055B0000-0x00000000055BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1468-20-0x00000000057B0000-0x00000000057C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1468-18-0x0000000005BC0000-0x0000000006164000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2332-0-0x0000000000770000-0x0000000000992000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/2332-15-0x00007FFBC4850000-0x00007FFBC5311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2332-1-0x00007FFBC4850000-0x00007FFBC5311000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3484-2387-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3484-2388-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3484-2437-0x0000000005980000-0x0000000005990000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3484-2438-0x00000000749D0000-0x0000000075180000-memory.dmp
    Filesize

    7.7MB

    Download