Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-03-2024 21:59

Behavioral task: behavioral1
Sample: c6f541377263694b92f3f6d72de7fb17.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: c6f541377263694b92f3f6d72de7fb17.exe
Resource: win10v2004-20240226-en
General

Target: c6f541377263694b92f3f6d72de7fb17.exe
Size: 56KB
MD5: c6f541377263694b92f3f6d72de7fb17
SHA1: 3fa80edb1e9d07afab32c45c19a2997c154b4a55
SHA256: 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
SHA512: af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798
SSDEEP: 768:4OGoLGlaB2HyuJOIyVvsBWXuIsegP2j7RhgDQHorUkgZU++NNPqtUA2TVzYcHe+Z:Ioyll9OIyscX5sen7RQTYknVNPqtR+
Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\zsvchost.exe | revengerat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: c6f541377263694b92f3f6d72de7fb17.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | c6f541377263694b92f3f6d72de7fb17.exe

Drops startup file (6 IoCs)
Processes: zsvchost.exe, vbc.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | zsvchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | zsvchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.lnk | zsvchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09Client.URL | zsvchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | vbc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.exe | vbc.exe

Executes dropped EXE (1 IoCs)
Processes: zsvchost.exe
pid | process
4676 | zsvchost.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: zsvchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\zsvchost.exe" | zsvchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: c6f541377263694b92f3f6d72de7fb17.exe, zsvchost.exe
description | pid | process
Token: SeDebugPrivilege | 1000 | c6f541377263694b92f3f6d72de7fb17.exe
Token: SeDebugPrivilege | 4676 | zsvchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: c6f541377263694b92f3f6d72de7fb17.exe, zsvchost.exe, vbc.exe
description | pid | process | target process
PID 1000 wrote to memory of 4676 | 1000 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
PID 1000 wrote to memory of 4676 | 1000 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
PID 1000 wrote to memory of 4676 | 1000 | c6f541377263694b92f3f6d72de7fb17.exe | zsvchost.exe
PID 4676 wrote to memory of 2320 | 4676 | zsvchost.exe | vbc.exe
PID 4676 wrote to memory of 2320 | 4676 | zsvchost.exe | vbc.exe
PID 4676 wrote to memory of 2320 | 4676 | zsvchost.exe | vbc.exe
PID 2320 wrote to memory of 5040 | 2320 | vbc.exe | cvtres.exe
PID 2320 wrote to memory of 5040 | 2320 | vbc.exe | cvtres.exe
PID 2320 wrote to memory of 5040 | 2320 | vbc.exe | cvtres.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\zsvchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\zsvchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gaxaszel.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB53DD25A86EC445F8321F47F673D3B17.TMP"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp
  Filesize: 1KB
  MD5: 8f0d5a06d5e8dcb8501d9432cd26fd8c
  SHA1: 66d9926a2418ee6a90e45d31ba9bc576c5c2447c
  SHA256: 6983bc3c356d860891e9217327c238f9863285d365b709f64879cca57b95ea8f
  SHA512: 9cd1b3da1f25cd1883d5f2ca06d153e426968d4803292f0cc16e47dbd13ede6df239dd2b30d3395caf916dfb70e3d06c88539350d7a4e2aa9144fe440d841c3d

C:\Users\Admin\AppData\Local\Temp\gaxaszel.0.vb
  Filesize: 152B
  MD5: 5b68ebfdc7b748c3184d311b9d2cfb18
  SHA1: 26c52050e13a65bf8acdb09e96c6151f59ff1c0d
  SHA256: 42080924e0930393b885d864c9ef9d9710ec6e134780a0355e3682099ffc1ad8
  SHA512: 91b0171ef91c36d9a276ed199571a0d620d9a0435a8108d1fff116ba6d941f1c7cf672a9d76d66474f0868d270c3663b6502df934196981d013120705f479840

C:\Users\Admin\AppData\Local\Temp\gaxaszel.cmdline
  Filesize: 194B
  MD5: 210bd127268325ed2829ee5e71016a98
  SHA1: 533be3796d7974a3b660e0a73c10c19801200986
  SHA256: 27e27faea031109d375f26a448bd204669bd605cbeec17c5c69ab0cfd74d85ca
  SHA512: d2112b9b75bd1d7ba3ed53669232d09264acf138029ed0b54bd884ded8dc0c1254571246bad186637f4e16245f7bddcbe9f742d8880e78cdcc3ba8d4371a4d6f

C:\Users\Admin\AppData\Local\Temp\vbcB53DD25A86EC445F8321F47F673D3B17.TMP
  Filesize: 660B
  MD5: 18d32c179a2248e73714478d2dc06a39
  SHA1: a36e3f5259c633f740943b4c621ee7394ad035be
  SHA256: 97405159393a506a3ed346197a0c9bb0c961d06616d79d40466f45fa2623bcc7
  SHA512: fd54b7cbcf6b7de721224791d795f69fd468e34d6c0dbece35ed71a3d17c4b4ca06346b83644d3d1c070df25fda1bcdcc424e3a922569b2bace8a65c5936e29e

C:\Users\Admin\AppData\Roaming\zsvchost.exe
  Filesize: 56KB
  MD5: c6f541377263694b92f3f6d72de7fb17
  SHA1: 3fa80edb1e9d07afab32c45c19a2997c154b4a55
  SHA256: 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
  SHA512: af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798

memory/1000-1-0x0000000000B00000-0x0000000000B10000-memory.dmp
  Filesize: 64KB

memory/1000-2-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB

memory/1000-3-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB

memory/1000-14-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB

memory/1000-0-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB

memory/2320-30-0x00000000022A0000-0x00000000022B0000-memory.dmp
  Filesize: 64KB

memory/4676-15-0x0000000000A90000-0x0000000000AA0000-memory.dmp
  Filesize: 64KB

memory/4676-17-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB

memory/4676-16-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB

memory/4676-13-0x0000000074E30000-0x00000000753E1000-memory.dmp
  Filesize: 5.7MB