Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
10-01-2024 19:16
General
-
Target
36c1d1f6b1379323dbce4fd7c1877451.exe
-
Size
374KB
-
MD5
36c1d1f6b1379323dbce4fd7c1877451
-
SHA1
28f2fe2d0d3e503a21eb38e0f1689892c2ef6564
-
SHA256
b56c7eb4bc0fb792543e4e52056922151cb34a96d948c0ae576f995916ab846c
-
SHA512
a535626e5d4564401f17fa8dfe14bb3e2e116feb1cf7bc1f0d543b72d23f59631c08fa8201df616f8fc5b11d76b9b29dd3d46f7b60fdcfd22fd5cf616007173a
-
SSDEEP
6144:ZOOAs8obIAPF2iJ6s2509pQOO5tgWJ1IS+aBkDKuBZ:oC8obIAPsiJ6sF98gWJ1R+aiGaZ
Malware Config
Extracted
revengerat
NyanCatRevenge
dontreachme.duckdns.org:3602
774d753e6b8d42
Signatures
-
Detect ZGRat V1 34 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe"C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ytdjnmbey.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe" -Force2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeC:\Users\Admin\AppData\Local\Temp\InstallUtil.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_Ytdjnmbey.vbsFilesize
149B
MD575fda8189e60e05655aea55fe68591c0
SHA1de2177e12403c59f81d278497a387089ddd10d73
SHA256cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5
SHA5121bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3XUGEPDTDAKUR3EUWDI.tempFilesize
7KB
MD5895d98b28162963662853c0ca59bf340
SHA1e54ee0eff869500c93232fc6b7456e2eb80835fe
SHA25639a9af818e7b2103fd8b02c2bccb424335ce639d358b026ac886ff276b8e68b1
SHA512dbe9c5f049e4e7c5f19a9686576cacc3deae29270e8fa60aee9d2431a7725b8ed05d323fcc91e84a8f11db9b6a1fa6af19455518b7f7d80535b3ad05b2b530bd
-
\Users\Admin\AppData\Local\Temp\InstallUtil.exeFilesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
memory/1112-2590-0x0000000004A60000-0x0000000004AA0000-memory.dmpFilesize
256KB
-
memory/1112-2589-0x0000000074CA0000-0x000000007538E000-memory.dmpFilesize
6.9MB
-
memory/1112-2586-0x0000000004A60000-0x0000000004AA0000-memory.dmpFilesize
256KB
-
memory/1112-2573-0x0000000074CA0000-0x000000007538E000-memory.dmpFilesize
6.9MB
-
memory/1112-2569-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1204-21-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-61-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-13-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-15-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-17-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-19-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-0-0x0000000000290000-0x00000000002F2000-memory.dmpFilesize
392KB
-
memory/1204-23-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-25-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-27-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-29-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-31-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-33-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-35-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-37-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-39-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-41-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-43-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-45-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-47-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-51-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-49-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-53-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-55-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-57-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-11-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-59-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-63-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-65-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-67-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-69-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-770-0x0000000004A10000-0x0000000004A50000-memory.dmpFilesize
256KB
-
memory/1204-9-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-7-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-6-0x0000000005080000-0x0000000005102000-memory.dmpFilesize
520KB
-
memory/1204-2570-0x0000000074CA0000-0x000000007538E000-memory.dmpFilesize
6.9MB
-
memory/1204-5-0x0000000074CA0000-0x000000007538E000-memory.dmpFilesize
6.9MB
-
memory/1204-4-0x0000000005080000-0x0000000005108000-memory.dmpFilesize
544KB
-
memory/1204-1-0x0000000074CA0000-0x000000007538E000-memory.dmpFilesize
6.9MB
-
memory/1204-2-0x0000000004A10000-0x0000000004A50000-memory.dmpFilesize
256KB
-
memory/1204-3-0x00000000008E0000-0x0000000000932000-memory.dmpFilesize
328KB
-
memory/1504-2582-0x0000000071020000-0x00000000715CB000-memory.dmpFilesize
5.7MB
-
memory/1504-2585-0x0000000001D50000-0x0000000001D90000-memory.dmpFilesize
256KB
-
memory/1504-2583-0x0000000001D50000-0x0000000001D90000-memory.dmpFilesize
256KB
-
memory/1504-2587-0x0000000071020000-0x00000000715CB000-memory.dmpFilesize
5.7MB
-
memory/1504-2579-0x0000000071020000-0x00000000715CB000-memory.dmpFilesize
5.7MB
-
memory/2248-2584-0x0000000002680000-0x00000000026C0000-memory.dmpFilesize
256KB
-
memory/2248-2581-0x0000000002680000-0x00000000026C0000-memory.dmpFilesize
256KB
-
memory/2248-2588-0x0000000071020000-0x00000000715CB000-memory.dmpFilesize
5.7MB
-
memory/2248-2580-0x0000000071020000-0x00000000715CB000-memory.dmpFilesize
5.7MB