Analysis

max time kernel: 122s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2024 09:31
Static task: static1

Behavioral task: behavioral1
  Sample: 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Resource: win10v2004-20240412-en
General

Target: 17d0b9ac75dfd038ac11c64940a5a6cb.exe
Size: 397KB
MD5: 17d0b9ac75dfd038ac11c64940a5a6cb
SHA1: fdf4a6d488ba2220c808a8e233ea0e219273c3b2
SHA256: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5
SHA512: 0ffb63b421da1daa0ca2098ea35b6e5be5b8613b9b4855b723b2c6032bcf644f7d00ddb35ab1af443c5f765fa10c61cb5c28fe81734ea4e582b51ed56c1afecd
SSDEEP: 6144:/IWyveo8OzcrumMozCE6+bIPEMMjAtUO3nDv4abP212gG7EXoiToLa:/IpvZDoruYeE6+EsPjA4a7mJWEZga
Malware Config
Extracted
revengerat
NyanCatRevenge
alice2019.myftp.biz:7777
a915f6c5466a49
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2380 | svchost.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid | process
  2488 | cmd.exe
  3036 | WerFault.exe
  3036 | WerFault.exe
  3036 | WerFault.exe
  3036 | WerFault.exe
  3036 | WerFault.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | 17d0b9ac75dfd038ac11c64940a5a6cb.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 2380 set thread context of 2384 | 2380 | svchost.exe | CasPol.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | CasPol.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | CasPol.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid | process
  2052 | timeout.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  2380 | svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Token: SeDebugPrivilege | 2380 | svchost.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description | pid | process | target process
  PID 2256 wrote to memory of 2600 | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe | cmd.exe
  PID 2256 wrote to memory of 2600 | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe | cmd.exe
  PID 2256 wrote to memory of 2600 | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe | cmd.exe
  PID 2256 wrote to memory of 2488 | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe | cmd.exe
  PID 2256 wrote to memory of 2488 | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe | cmd.exe
  PID 2256 wrote to memory of 2488 | 2256 | 17d0b9ac75dfd038ac11c64940a5a6cb.exe | cmd.exe
  PID 2600 wrote to memory of 2736 | 2600 | cmd.exe | schtasks.exe
  PID 2600 wrote to memory of 2736 | 2600 | cmd.exe | schtasks.exe
  PID 2600 wrote to memory of 2736 | 2600 | cmd.exe | schtasks.exe
  PID 2488 wrote to memory of 2052 | 2488 | cmd.exe | timeout.exe
  PID 2488 wrote to memory of 2052 | 2488 | cmd.exe | timeout.exe
  PID 2488 wrote to memory of 2052 | 2488 | cmd.exe | timeout.exe
  PID 2488 wrote to memory of 2380 | 2488 | cmd.exe | svchost.exe
  PID 2488 wrote to memory of 2380 | 2488 | cmd.exe | svchost.exe
  PID 2488 wrote to memory of 2380 | 2488 | cmd.exe | svchost.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 2384 | 2380 | svchost.exe | CasPol.exe
  PID 2380 wrote to memory of 3036 | 2380 | svchost.exe | WerFault.exe
  PID 2380 wrote to memory of 3036 | 2380 | svchost.exe | WerFault.exe
  PID 2380 wrote to memory of 3036 | 2380 | svchost.exe | WerFault.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\17d0b9ac75dfd038ac11c64940a5a6cb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\17d0b9ac75dfd038ac11c64940a5a6cb.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        - Checks processor information in registry

      C:\Windows\system32\WerFault.exe
        command line: C:\Windows\system32\WerFault.exe -u -p 2380 -s 668
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.bat
  Filesize: 151B
  MD5: 179c3e44eb084882c885edce623e6102
  SHA1: 4734fb8a07318778506e636732ae6d59d206fc7f
  SHA256: 9cd684d1d39be7989eb8559cee302b46a6bdb2c1b1eb82e1693891a095b1344d
  SHA512: 7ead6bfabf4fde8d3c00b2c2e7b1dc64716d4097fb05f7cc3e5ced5c00f15fdc039a8d64f402a06d0df57900b6466b132184693de48e308c7d914dd015acf6d9

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 397KB
  MD5: 17d0b9ac75dfd038ac11c64940a5a6cb
  SHA1: fdf4a6d488ba2220c808a8e233ea0e219273c3b2
  SHA256: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5
  SHA512: 0ffb63b421da1daa0ca2098ea35b6e5be5b8613b9b4855b723b2c6032bcf644f7d00ddb35ab1af443c5f765fa10c61cb5c28fe81734ea4e582b51ed56c1afecd

Memory dumps (Filesize):
  memory/2256-0-0x00000000008B0000-0x00000000008BC000-memory.dmp: 48KB
  memory/2256-1-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp: 9.9MB
  memory/2256-2-0x00000000007F0000-0x0000000000870000-memory.dmp: 512KB
  memory/2256-3-0x000000001A750000-0x000000001A7B0000-memory.dmp: 384KB
  memory/2256-12-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp: 9.9MB
  memory/2380-18-0x00000000012C0000-0x00000000012CC000-memory.dmp: 48KB
  memory/2380-19-0x000007FEF4DE0000-0x000007FEF57CC000-memory.dmp: 9.9MB
  memory/2380-20-0x000000001B3F0000-0x000000001B470000-memory.dmp: 512KB
  memory/2380-43-0x000000001B3F0000-0x000000001B470000-memory.dmp: 512KB
  memory/2380-42-0x000007FEF4DE0000-0x000007FEF57CC000-memory.dmp: 9.9MB
  memory/2384-25-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-27-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
  memory/2384-30-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-34-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-32-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-40-0x00000000744D0000-0x0000000074BBE000-memory.dmp: 6.9MB
  memory/2384-41-0x0000000004B30000-0x0000000004B70000-memory.dmp: 256KB
  memory/2384-23-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-21-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
  memory/2384-44-0x00000000744D0000-0x0000000074BBE000-memory.dmp: 6.9MB
  memory/2384-45-0x0000000004B30000-0x0000000004B70000-memory.dmp: 256KB