Analysis

max time kernel: 153s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 01:56
Static task: static1

Behavioral task: behavioral1
  Sample: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
  Resource: win10v2004-20240412-en
General

Target: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
Size: 397KB
MD5: 17d0b9ac75dfd038ac11c64940a5a6cb
SHA1: fdf4a6d488ba2220c808a8e233ea0e219273c3b2
SHA256: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5
SHA512: 0ffb63b421da1daa0ca2098ea35b6e5be5b8613b9b4855b723b2c6032bcf644f7d00ddb35ab1af443c5f765fa10c61cb5c28fe81734ea4e582b51ed56c1afecd
SSDEEP: 6144:/IWyveo8OzcrumMozCE6+bIPEMMjAtUO3nDv4abP212gG7EXoiToLa:/IpvZDoruYeE6+EsPjA4a7mJWEZga
Malware Config

Extracted (field labels as used by the sandbox's RevengeRAT extractor; the extracted page preserved only the values, in this order)
  Family: revengerat
  Botnet: NyanCatRevenge
  C2: alice2019.myftp.biz:7777
  Mutex: a915f6c5466a49
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Detects executables packed with or using KoiVM (1 IoC)
  resource: behavioral2/memory/2300-5-0x0000027BFD660000-0x0000027BFD6C0000-memory.dmp
  yara_rule: INDICATOR_EXE_Packed_KoiVM

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  process: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  process: svchost.exe (pid 2408)

Adds Run key to start application (2 TTPs, 1 IoC)
  process: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""

Suspicious use of SetThreadContext (1 IoC)
  process: svchost.exe (pid 2408)
  description: set thread context of pid 3260 (regasm.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  process: regasm.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  process: timeout.exe (pid 1972)

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  process: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe (pid 2300), 23 entries
  process: svchost.exe (pid 2408), 2 entries

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2300 c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
  Token: SeDebugPrivilege, pid 2408 svchost.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2300 (c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe) wrote to memory of 4076 (cmd.exe), 2 events
  PID 2300 (c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe) wrote to memory of 4748 (cmd.exe), 2 events
  PID 4748 (cmd.exe) wrote to memory of 1972 (timeout.exe), 2 events
  PID 4076 (cmd.exe) wrote to memory of 3356 (schtasks.exe), 2 events
  PID 4748 (cmd.exe) wrote to memory of 2408 (svchost.exe), 2 events
  PID 2408 (svchost.exe) wrote to memory of 3260 (regasm.exe), 8 events

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
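The process tree in the next section is what you get by treating the "wrote to memory" records as parent/child edges. As an added example (not part of the sandbox report), the following Python reconstructs that tree from the 18 WriteProcessMemory records above, embedded here as constructed sample input, and flags the one edge whose write count departs from the two-writes-per-spawn pattern every ordinary child in this report shows. That edge is the eight writes from svchost.exe into regasm.exe that accompany the SetThreadContext record.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the 18 records from the "Suspicious use of
# WriteProcessMemory" signature of this report. The sample's long file name is
# substituted through S so the lines stay readable.
S = "c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe"
RECORDS = f"""
PID 2300 wrote to memory of 4076 2300 {S} cmd.exe
PID 2300 wrote to memory of 4076 2300 {S} cmd.exe
PID 2300 wrote to memory of 4748 2300 {S} cmd.exe
PID 2300 wrote to memory of 4748 2300 {S} cmd.exe
PID 4748 wrote to memory of 1972 4748 cmd.exe timeout.exe
PID 4748 wrote to memory of 1972 4748 cmd.exe timeout.exe
PID 4076 wrote to memory of 3356 4076 cmd.exe schtasks.exe
PID 4076 wrote to memory of 3356 4076 cmd.exe schtasks.exe
PID 4748 wrote to memory of 2408 4748 cmd.exe svchost.exe
PID 4748 wrote to memory of 2408 4748 cmd.exe svchost.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
PID 2408 wrote to memory of 3260 2408 svchost.exe regasm.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_records(text):
    """Return (names, edges): pid -> image name and (src, dst) -> event count."""
    names, edges = {}, Counter()
    for line in text.strip().splitlines():
        m = RECORD_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparsed record: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        names[src], names[dst] = m["src_name"], m["dst_name"]
        edges[(src, dst)] += 1
    return names, edges


def build_tree(edges):
    """Roots are pids that only ever appear as a writer; children keep pid order."""
    children = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    writers = {src for src, _ in edges}
    targets = {dst for _, dst in edges}
    return sorted(writers - targets), children


def render(names, edges):
    """Indented tree like the sandbox's Processes section, one line per pid."""
    roots, children = build_tree(edges)
    out = []

    def walk(pid, depth, writes):
        tag = f"  [{writes} WriteProcessMemory events from parent]" if writes else ""
        out.append(f"{'    ' * depth}{pid} {names[pid]}{tag}")
        for child in children[pid]:
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(out)


def unusual_write_edges(edges):
    """Edges with more writes than the most common per-spawn count.

    In this report every ordinary CreateProcess child receives exactly two
    writes; the eight writes into regasm.exe, together with the
    SetThreadContext record, are the process-hollowing step.
    """
    baseline = Counter(edges.values()).most_common(1)[0][0]
    return sorted((edge, n) for edge, n in edges.items() if n > baseline)


NAMES, EDGES = parse_records(RECORDS)

if __name__ == "__main__":
    print(render(NAMES, EDGES))
    for (src, dst), n in unusual_write_edges(EDGES):
        print(f"unusual: {src} {NAMES[src]} -> {dst} {NAMES[dst]} ({n} writes)")
```

The baseline is taken from the data rather than hard-coded because the number of writes the sandbox logs per ordinary spawn is an artifact of its hooking, not a property of Windows; what matters is the outlier relative to the siblings in the same trace.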
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  (level 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6DD8.tmp.bat""
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    (level 3) C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (level 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        - Checks processor information in registry
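As an added example (not sandbox output), the Python below runs the checks a detection engineer would derive from this tree over a handful of constructed events in a hypothetical Sysmon-like schema: a scheduled task whose /tr points into a user-writable directory, runs with /rl highest and whose name mimics a system binary; a Run key pointing into AppData; an image named svchost.exe executing outside C:\Windows; a .NET framework utility (regasm.exe) started with no arguments by an unrelated parent; and a cross-process SetThreadContext aimed at it. Two benign events are included as controls that must not fire. The event field names, the allow-lists and the rule names are assumptions of the example, not part of the report.

```python
import re

# Hypothetical event schema (an assumption of this example), loosely modelled
# on Sysmon process-create and registry-set events plus the sandbox's
# SetThreadContext record. Events are constructed from this report; the two
# at the end are benign controls that must not fire.
SAMPLE = "c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost")
EVENTS = [
    {"type": "process", "pid": 3356, "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" "
                "/tr '\"" + ROAMING + "\"'"},
    {"type": "registry_set", "pid": 2300,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "key": RUN_KEY, "data": '"' + ROAMING + '"'},
    {"type": "process", "pid": 2408, "image": ROAMING,
     "parent_image": r"C:\Windows\system32\cmd.exe", "cmdline": '"' + ROAMING + '"'},
    {"type": "process", "pid": 3260, "image": REGASM, "parent_image": ROAMING,
     "cmdline": '"' + REGASM + '"'},
    {"type": "set_thread_context", "pid": 2408, "image": ROAMING,
     "target_pid": 3260, "target_image": REGASM},
    # benign controls (constructed, not from the report)
    {"type": "process", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry_set", "pid": 901, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKU\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r'"C:\Program Files\Vendor\agent.exe"'},
]

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
DOTNET_UTILS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "dotnet.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def schtasks_target(cmdline):
    """Pull the /tr program out of a schtasks /create line, tolerating the
    nested '"..."' quoting used in this report."""
    m = re.search(r"/tr\s+(.+?)(?=\s+/[a-z]+\b|$)", cmdline, re.I)
    return m.group(1).strip(" '\"") if m else ""


def no_arguments(cmdline, image):
    return cmdline.strip().strip('"').lower() == image.lower()


def triage(events):
    """Return (rule, pid, detail) findings in event order."""
    findings = []
    for ev in events:
        name = basename(ev["image"])
        if ev["type"] == "process":
            cl = ev["cmdline"]
            # a system-process name executing outside C:\Windows
            if name in SYSTEM_NAMES and not ev["image"].lower().startswith("c:\\windows\\"):
                findings.append(("masquerade_system_name", ev["pid"], ev["image"]))
            # schtasks persistence: user-writable target, elevated, or mimic name
            if name == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
                target = schtasks_target(cl)
                if (user_writable(target) or "/rl highest" in cl.lower()
                        or basename(target) in SYSTEM_NAMES):
                    findings.append(("schtasks_persistence", ev["pid"], target))
            # .NET utility started with no arguments by a non-build parent:
            # the classic hollowing host
            if (name in DOTNET_UTILS and basename(ev["parent_image"]) not in DEV_PARENTS
                    and no_arguments(cl, ev["image"])):
                findings.append(("dotnet_utility_no_args", ev["pid"], ev["parent_image"]))
        elif ev["type"] == "registry_set":
            if "\\currentversion\\run\\" in ev["key"].lower() and user_writable(ev["data"]):
                findings.append(("run_key_user_writable", ev["pid"], ev["data"]))
        elif ev["type"] == "set_thread_context":
            hosts = DOTNET_UTILS | SYSTEM_NAMES
            if ev["target_pid"] != ev["pid"] and basename(ev["target_image"]) in hosts:
                findings.append(("thread_context_hijack", ev["pid"], ev["target_image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Each rule fires on its own, so the tree above would produce five findings even if only one telemetry source were available; correlating them on the 2408 → 3260 pair (masquerading parent, argument-less regasm.exe child, SetThreadContext between them) is what turns a noisy heuristic into a confident hollowing verdict.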
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6DD8.tmp.bat
  Filesize: 151B
  MD5: 1d31d563d9f94ed00d7589e000b589f5
  SHA1: e11c296f9b91e2b87d12e90920bf66465c6d0dcc
  SHA256: a05345af3bbd48da4b83f31d127e378ca2b424c7ba97c1d8b22809f7215c5081
  SHA512: 437a7fd654114c7712f7d5f5618c828b1c8ebc730080eb100405b5b1a25512bcccc6ce5fab2b93baf30b6875d9d65c19fdf06f9525996ece33b826ecc70c83a3

C:\Users\Admin\AppData\Roaming\svchost.exe (every hash matches the submitted sample: the dropped file is a byte-for-byte self-copy)
  Filesize: 397KB
  MD5: 17d0b9ac75dfd038ac11c64940a5a6cb
  SHA1: fdf4a6d488ba2220c808a8e233ea0e219273c3b2
  SHA256: c994b9d016129f8a1e36b1e1f3288ef1385c6453497fc50cf129195e9769b8a5
  SHA512: 0ffb63b421da1daa0ca2098ea35b6e5be5b8613b9b4855b723b2c6032bcf644f7d00ddb35ab1af443c5f765fa10c61cb5c28fe81734ea4e582b51ed56c1afecd

Memory dumps (pid-index-range), grouped by process:
  memory/2300-0-0x0000027BFB970000-0x0000027BFB97C000-memory.dmp  48KB
  memory/2300-1-0x0000027BFDDC0000-0x0000027BFDE36000-memory.dmp  472KB
  memory/2300-2-0x00007FF9DD320000-0x00007FF9DDDE1000-memory.dmp  10.8MB
  memory/2300-3-0x0000027BFDF50000-0x0000027BFDF60000-memory.dmp  64KB
  memory/2300-4-0x0000027BFD500000-0x0000027BFD51E000-memory.dmp  120KB
  memory/2300-5-0x0000027BFD660000-0x0000027BFD6C0000-memory.dmp  384KB
  memory/2300-10-0x00007FF9DD320000-0x00007FF9DDDE1000-memory.dmp  10.8MB
  memory/2408-15-0x00007FF9DD270000-0x00007FF9DDD31000-memory.dmp  10.8MB
  memory/2408-19-0x00007FF9DD270000-0x00007FF9DDD31000-memory.dmp  10.8MB
  memory/3260-16-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
  memory/3260-17-0x0000000074D20000-0x00000000754D0000-memory.dmp  7.7MB
  memory/3260-18-0x0000000005D50000-0x00000000062F4000-memory.dmp  5.6MB
  memory/3260-20-0x00000000058D0000-0x00000000058E0000-memory.dmp  64KB
  memory/3260-21-0x0000000005C80000-0x0000000005D1C000-memory.dmp  624KB
  memory/3260-22-0x0000000006300000-0x0000000006366000-memory.dmp  408KB
  memory/3260-23-0x0000000074D20000-0x00000000754D0000-memory.dmp  7.7MB
  memory/3260-24-0x00000000058D0000-0x00000000058E0000-memory.dmp  64KB
  memory/3260-25-0x00000000013E0000-0x00000000013F6000-memory.dmp  88KB
  memory/3260-26-0x00000000067A0000-0x0000000006832000-memory.dmp  584KB