Overview

overview

10

Static

static

1

watch.html

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    watch

  • Size

    820KB

  • Sample

    240515-dvzbpafa98

  • MD5

    ae01a80cc311b19895b3fa3302418b7c

  • SHA1

    da2b3ae5b9bc8ceea1dc2ab4c18b2cabde02ff13

  • SHA256

    bcd3fdb333a10f5dfbabec9da44c37f5e980e8257e06e591f1be7d9ac46a41ab

  • SHA512

    7c6b98bc9d7e160852243e0565d25b73ac4836124ff686e16bbe3e1cb9b837dd099be8ddc158bf33cbb8c3e2b200215727d79141bb669d1ad2fb8bfcaee57383

  • SSDEEP

    12288:p/pypgpDpEpDpBpJpWp0pSsTEhIi8Dquqm75duRsQoJ:pj2Li8/

Score
10/10
revengeratbootkitdefense_evasionevasionexecutionimpactpersistenceransomwarestealertrojan

Malware Config

Targets

    • Target

      watch

    • Size

      820KB

    • MD5

      ae01a80cc311b19895b3fa3302418b7c

    • SHA1

      da2b3ae5b9bc8ceea1dc2ab4c18b2cabde02ff13

    • SHA256

      bcd3fdb333a10f5dfbabec9da44c37f5e980e8257e06e591f1be7d9ac46a41ab

    • SHA512

      7c6b98bc9d7e160852243e0565d25b73ac4836124ff686e16bbe3e1cb9b837dd099be8ddc158bf33cbb8c3e2b200215727d79141bb669d1ad2fb8bfcaee57383

    • SSDEEP

      12288:p/pypgpDpEpDpBpJpWp0pSsTEhIi8Dquqm75duRsQoJ:pj2Li8/

    Score
    10/10
    revengeratbootkitdefense_evasionevasionexecutionimpactpersistenceransomwarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • RevengeRat Executable

      stealer

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Scripting

1
T1064

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

3
T1490

Tasks