Analysis
max time kernel: 122s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2024 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Resource: win10v2004-20240412-en
General
Target: 17d0b9ac75dfd038ac11c64940a5a6cb.exe
Size: 397KB
MD5: 17d0b9ac75dfd038ac11c64940a5a6cb
SHA1: fdf4a6d488ba2220c808a8e233ea0e219273c3b2
SHA256: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5
SHA512: 0ffb63b421da1daa0ca2098ea35b6e5be5b8613b9b4855b723b2c6032bcf644f7d00ddb35ab1af443c5f765fa10c61cb5c28fe81734ea4e582b51ed56c1afecd
SSDEEP: 6144:/IWyveo8OzcrumMozCE6+bIPEMMjAtUO3nDv4abP212gG7EXoiToLa:/IpvZDoruYeE6+EsPjA4a7mJWEZga
Malware Config
Extracted
Family: revengerat
Botnet: NyanCatRevenge
C2: alice2019.myftp.biz:7777
Mutex: a915f6c5466a49
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Executes dropped EXE (1 IoC)
Processes:
  PID 1944  svchost.exe

Loads dropped DLL (6 IoCs)
Processes:
  PID 2628  cmd.exe
  PID 1696  WerFault.exe (5 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  17d0b9ac75dfd038ac11c64940a5a6cb.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1944 svchost.exe set thread context of PID 2364 regasm.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  regasm.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
  regasm.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes:
  PID 2424  timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 1048  17d0b9ac75dfd038ac11c64940a5a6cb.exe (3 entries)
  PID 1944  svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 1048  17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Token: SeDebugPrivilege  PID 1944  svchost.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes (source PID / process -> target PID / process, number of entries):
  1048 17d0b9ac75dfd038ac11c64940a5a6cb.exe -> 2524 cmd.exe (3)
  1048 17d0b9ac75dfd038ac11c64940a5a6cb.exe -> 2628 cmd.exe (3)
  2524 cmd.exe -> 2548 schtasks.exe (3)
  2628 cmd.exe -> 2424 timeout.exe (3)
  2628 cmd.exe -> 1944 svchost.exe (3)
  1944 svchost.exe -> 2364 regasm.exe (12)
  1944 svchost.exe -> 1696 WerFault.exe (3)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\17d0b9ac75dfd038ac11c64940a5a6cb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17d0b9ac75dfd038ac11c64940a5a6cb.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp472E.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        - Checks processor information in registry

      C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 1944 -s 672
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp472E.tmp.bat
  Filesize: 151B
  MD5: 8762053af8ddfddd0bce6475655c0b51
  SHA1: 4f06654cc574c62bf0a03a38ab183b47748dc181
  SHA256: cc7b1ee4acc0d5ebe7f012212a4afb55a22391bc42a64707095da5ed02511231
  SHA512: 035a2dba45892442614eee7a9349a3ccdf6c9a00e9ef5da16c5e248b48d8be61383cfd78d54f8e5cca416f80a7b9b60d65791005dafb8e912b567f8c7b6b3fe1

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 397KB
  MD5: 17d0b9ac75dfd038ac11c64940a5a6cb
  SHA1: fdf4a6d488ba2220c808a8e233ea0e219273c3b2
  SHA256: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5
  SHA512: 0ffb63b421da1daa0ca2098ea35b6e5be5b8613b9b4855b723b2c6032bcf644f7d00ddb35ab1af443c5f765fa10c61cb5c28fe81734ea4e582b51ed56c1afecd

Memory dumps (path, filesize):
memory/1048-1-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp  9.9MB
memory/1048-2-0x000000001AD00000-0x000000001AD80000-memory.dmp  512KB
memory/1048-3-0x00000000006A0000-0x0000000000700000-memory.dmp  384KB
memory/1048-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp  9.9MB
memory/1048-0-0x0000000000DA0000-0x0000000000DAC000-memory.dmp  48KB
memory/1944-40-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp  9.9MB
memory/1944-18-0x0000000001330000-0x000000000133C000-memory.dmp  48KB
memory/1944-19-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp  9.9MB
memory/1944-20-0x0000000001290000-0x0000000001310000-memory.dmp  512KB
memory/1944-41-0x0000000001290000-0x0000000001310000-memory.dmp  512KB
memory/2364-21-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2364-27-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2364-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
memory/2364-30-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2364-32-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2364-34-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2364-25-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2364-23-0x0000000000400000-0x000000000040A000-memory.dmp  40KB