Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27-03-2024 11:29
General
-
Target
e18ec27f09521152664d6a5aad14f03e.exe
-
Size
173KB
-
MD5
e18ec27f09521152664d6a5aad14f03e
-
SHA1
747bbc767b7a4aedc13a6b2d2f0a8a63363fc91c
-
SHA256
1ee3e5b5f7b2deb6182a591e94890786e404054e536dc468960d941c733d1e00
-
SHA512
3180a6de45526927ea7099b52a7c191ac1e4e6bff1fb55f1e03f7369ef6a316ff7a93ee533aa587c0ecb03e3f604e449ae8fd8547bd99aff7ea8382e98d4138b
-
SSDEEP
3072:YWzzzZKkF8xgsfifWFDZxbvPtj006jxyLNPs4EzhiXJbH5HGWSu9igjc:FDQg8uFUlxbvVjqjNuJbH5Hyn
Score
10/10
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e18ec27f09521152664d6a5aad14f03e.exe"C:\Users\Admin\AppData\Local\Temp\e18ec27f09521152664d6a5aad14f03e.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "3⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "3⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "4⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "4⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute4⤵
-
C:\Windows\system32\schtasks.exeC:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2668 -s 13523⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {2BE5B4C3-D01A-4C86-86B7-51DE164312F9} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exeFilesize
173KB
MD5e18ec27f09521152664d6a5aad14f03e
SHA1747bbc767b7a4aedc13a6b2d2f0a8a63363fc91c
SHA2561ee3e5b5f7b2deb6182a591e94890786e404054e536dc468960d941c733d1e00
SHA5123180a6de45526927ea7099b52a7c191ac1e4e6bff1fb55f1e03f7369ef6a316ff7a93ee533aa587c0ecb03e3f604e449ae8fd8547bd99aff7ea8382e98d4138b
-
memory/1332-58-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/1332-59-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2208-0-0x0000000000840000-0x0000000000872000-memory.dmpFilesize
200KB
-
memory/2208-1-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2208-2-0x00000000021A0000-0x0000000002220000-memory.dmpFilesize
512KB
-
memory/2208-3-0x00000000001E0000-0x00000000001F0000-memory.dmpFilesize
64KB
-
memory/2208-4-0x00000000001F0000-0x0000000000206000-memory.dmpFilesize
88KB
-
memory/2208-5-0x0000000000200000-0x000000000020C000-memory.dmpFilesize
48KB
-
memory/2208-10-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2444-34-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2444-38-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2668-28-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-35-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-16-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-17-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-18-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-19-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-20-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-21-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-22-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2668-23-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-24-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-25-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-26-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-27-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-12-0x0000000000800000-0x0000000000832000-memory.dmpFilesize
200KB
-
memory/2668-29-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-30-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-31-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-32-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-14-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-36-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-37-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-40-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-39-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-41-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-42-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-43-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-44-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-45-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-46-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-47-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-48-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-49-0x000000001B0F0000-0x000000001B170000-memory.dmpFilesize
512KB
-
memory/2668-50-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-51-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-52-0x000000001B7C0000-0x000000001B8C0000-memory.dmpFilesize
1024KB
-
memory/2668-13-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2880-55-0x000000001AE80000-0x000000001AF00000-memory.dmpFilesize
512KB
-
memory/2880-54-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB
-
memory/2880-56-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmpFilesize
9.9MB