Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2024 21:59
Behavioral task: behavioral1
- Sample: c6f541377263694b92f3f6d72de7fb17.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c6f541377263694b92f3f6d72de7fb17.exe
- Resource: win10v2004-20240226-en
General
- Target: c6f541377263694b92f3f6d72de7fb17.exe
- Size: 56KB
- MD5: c6f541377263694b92f3f6d72de7fb17
- SHA1: 3fa80edb1e9d07afab32c45c19a2997c154b4a55
- SHA256: 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
- SHA512: af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798
- SSDEEP: 768:4OGoLGlaB2HyuJOIyVvsBWXuIsegP2j7RhgDQHorUkgZU++NNPqtUA2TVzYcHe+Z:Ioyll9OIyscX5sen7RQTYknVNPqtR+
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\zsvchost.exe | revengerat
- Drops startup file (6 IoCs)
  Processes: vbc.exe, zsvchost.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | vbc.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.exe | vbc.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | zsvchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | zsvchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.lnk | zsvchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09Client.URL | zsvchost.exe
- Executes dropped EXE (1 IoC)
  Processes: zsvchost.exe
  pid | process
  2032 | zsvchost.exe
- Loads dropped DLL (2 IoCs)
  Processes: c6f541377263694b92f3f6d72de7fb17.exe, zsvchost.exe
  pid | process
  2292 | c6f541377263694b92f3f6d72de7fb17.exe
  2032 | zsvchost.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: zsvchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\zsvchost.exe" | zsvchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: c6f541377263694b92f3f6d72de7fb17.exe, zsvchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2292 | c6f541377263694b92f3f6d72de7fb17.exe
  Token: SeDebugPrivilege | 2032 | zsvchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: c6f541377263694b92f3f6d72de7fb17.exe, zsvchost.exe, vbc.exe
  description | pid | process | target process
  PID 2292 wrote to memory of 2032 | 2292 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
  PID 2292 wrote to memory of 2032 | 2292 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
  PID 2292 wrote to memory of 2032 | 2292 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
  PID 2292 wrote to memory of 2032 | 2292 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
  PID 2032 wrote to memory of 1664 | 2032 | zsvchost.exe | vbc.exe
  PID 2032 wrote to memory of 1664 | 2032 | zsvchost.exe | vbc.exe
  PID 2032 wrote to memory of 1664 | 2032 | zsvchost.exe | vbc.exe
  PID 2032 wrote to memory of 1664 | 2032 | zsvchost.exe | vbc.exe
  PID 1664 wrote to memory of 1812 | 1664 | vbc.exe | cvtres.exe
  PID 1664 wrote to memory of 1812 | 1664 | vbc.exe | cvtres.exe
  PID 1664 wrote to memory of 1812 | 1664 | vbc.exe | cvtres.exe
  PID 1664 wrote to memory of 1812 | 1664 | vbc.exe | cvtres.exe
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\zsvchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\zsvchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4490.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc448F.tmp"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES4490.tmp
  Filesize: 1KB
  MD5: 4c959e2c4f0b812236eaf9b410acc22d
  SHA1: 4bd78dd3777fd88f3e46dd805175abe0e5f094f5
  SHA256: 1625b12ec08a35cfe00e468ae9e452f1667c5c55e62e1f85bd5aea3cd4c75d28
  SHA512: 0ec53af70271d803dc269f53daaa556876481486cb114795eb18a55bda8a209165de17203d87fad29c4091173e09dd88b3f2ec0dc7f6c969b847c9b4e518fa81
- C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.0.vb
  Filesize: 152B
  MD5: 5b68ebfdc7b748c3184d311b9d2cfb18
  SHA1: 26c52050e13a65bf8acdb09e96c6151f59ff1c0d
  SHA256: 42080924e0930393b885d864c9ef9d9710ec6e134780a0355e3682099ffc1ad8
  SHA512: 91b0171ef91c36d9a276ed199571a0d620d9a0435a8108d1fff116ba6d941f1c7cf672a9d76d66474f0868d270c3663b6502df934196981d013120705f479840
- C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.cmdline
  Filesize: 194B
  MD5: 4f6d62a9e8e7853c5a60ae47146cd938
  SHA1: 61a2edd915f8bf180f10f62fef1c5ea4a39a4d85
  SHA256: c39ebe9d4661564b5ce261b915df0a7f13653e1f7b657c13aa78d6f10049a5ca
  SHA512: 4042c2f76f5c92af29cca56cf6b389348dab260918bf61d342fcf696fbeab7d957d51b3ee19376c2205d56427fb9a23821a16ff6bd254e48f0029b0a841baee1
- C:\Users\Admin\AppData\Local\Temp\vbc448F.tmp
  Filesize: 660B
  MD5: 18d32c179a2248e73714478d2dc06a39
  SHA1: a36e3f5259c633f740943b4c621ee7394ad035be
  SHA256: 97405159393a506a3ed346197a0c9bb0c961d06616d79d40466f45fa2623bcc7
  SHA512: fd54b7cbcf6b7de721224791d795f69fd468e34d6c0dbece35ed71a3d17c4b4ca06346b83644d3d1c070df25fda1bcdcc424e3a922569b2bace8a65c5936e29e
- \Users\Admin\AppData\Roaming\zsvchost.exe
  Filesize: 56KB
  MD5: c6f541377263694b92f3f6d72de7fb17
  SHA1: 3fa80edb1e9d07afab32c45c19a2997c154b4a55
  SHA256: 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
  SHA512: af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798
- memory/1664-30-0x00000000002B0000-0x00000000002F0000-memory.dmp
  Filesize: 256KB
- memory/2032-14-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2032-15-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2032-16-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2292-13-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2292-0-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2292-5-0x0000000000250000-0x0000000000290000-memory.dmp
  Filesize: 256KB
- memory/2292-4-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2292-3-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2292-1-0x0000000074570000-0x0000000074B1B000-memory.dmp
  Filesize: 5.7MB
- memory/2292-2-0x0000000000250000-0x0000000000290000-memory.dmp
  Filesize: 256KB