Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
19-03-2024 23:15
General
-
Target
d7520f1f5438e4e82c1234fbcb10c6dc.js
-
Size
32KB
-
MD5
d7520f1f5438e4e82c1234fbcb10c6dc
-
SHA1
3519cb4f9c82611a9a40e3d15b3fb5432bad023e
-
SHA256
1572fa79a4de01323cc1f469d514d9711b3f88f47eedf6af7041f595d23f0c6a
-
SHA512
2f7069d30f6d6e078510f7052370eeb0b13a13bc46c1482a213dcb224d1996ea2243b8a52962b4d1617f7359ebfd9e832d33762f61cfab92476ea82120bacfa3
-
SSDEEP
768:PhbHMfBd7PENmw5hWh70OyDbod+wvlJKAiv6AGi0/ZWThQ:5HMfzemquy3od+wvlJKAi9Gi0B2Q
Malware Config
Extracted
revengerat
Office
workwinrarhost.ddns.com.br:333
office.minhaempresa.tv:333
RV_MUTEX-ViGGjjtnxDpnFw
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
-
Blocklisted process makes network request 19 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\d7520f1f5438e4e82c1234fbcb10c6dc.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js'))"2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5umq0dan.0mc.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/2272-28-0x000001DDEBE70000-0x000001DDEBEE6000-memory.dmpFilesize
472KB
-
memory/2272-37-0x00007FFC87130000-0x00007FFC87BF1000-memory.dmpFilesize
10.8MB
-
memory/2272-36-0x000001DDE9850000-0x000001DDE9860000-memory.dmpFilesize
64KB
-
memory/2272-35-0x000001DDE9850000-0x000001DDE9860000-memory.dmpFilesize
64KB
-
memory/2272-23-0x000001DDE9850000-0x000001DDE9860000-memory.dmpFilesize
64KB
-
memory/2272-22-0x000001DDE9850000-0x000001DDE9860000-memory.dmpFilesize
64KB
-
memory/2272-24-0x00007FFC87130000-0x00007FFC87BF1000-memory.dmpFilesize
10.8MB
-
memory/2272-9-0x000001DDEB9D0000-0x000001DDEB9F2000-memory.dmpFilesize
136KB
-
memory/4600-25-0x000001B054300000-0x000001B054344000-memory.dmpFilesize
272KB
-
memory/4600-27-0x000001B053F40000-0x000001B053F4A000-memory.dmpFilesize
40KB
-
memory/4600-32-0x00007FFC87130000-0x00007FFC87BF1000-memory.dmpFilesize
10.8MB
-
memory/4600-33-0x000001B039780000-0x000001B039790000-memory.dmpFilesize
64KB
-
memory/4600-34-0x000001B039780000-0x000001B039790000-memory.dmpFilesize
64KB
-
memory/4600-20-0x000001B039780000-0x000001B039790000-memory.dmpFilesize
64KB
-
memory/4600-21-0x000001B039780000-0x000001B039790000-memory.dmpFilesize
64KB
-
memory/4600-19-0x00007FFC87130000-0x00007FFC87BF1000-memory.dmpFilesize
10.8MB