Analysis Overview
SHA256
1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c
Threat Level: Known bad
The file 1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 01:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 01:52
Reported
2024-07-26 01:54
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
RevengeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSCollect.exe | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSCollect.exe | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3908 set thread context of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe |
| PID 4528 set thread context of 3104 | N/A | C:\Users\Admin\Documents\WSCollect.exe | C:\Users\Admin\Documents\WSCollect.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe
"C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe"
C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe
"C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe"
C:\Users\Admin\Documents\WSCollect.exe
"C:\Users\Admin\Documents\WSCollect.exe"
C:\Users\Admin\Documents\WSCollect.exe
"C:\Users\Admin\Documents\WSCollect.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | karmina113.sytes.net | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | karmina117.sytes.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | karmina118.sytes.net | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | karmina119.sytes.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nibiru3.duckdns.org | udp |
| ES | 82.130.171.45:3333 | nibiru3.duckdns.org | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nibiru4.duckdns.org | udp |
| ES | 82.130.171.45:3333 | nibiru4.duckdns.org | tcp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | karmina113.sytes.net | udp |
| US | 8.8.8.8:53 | karmina117.sytes.net | udp |
| US | 8.8.8.8:53 | karmina118.sytes.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | karmina119.sytes.net | udp |
| ES | 82.130.171.45:3333 | nibiru4.duckdns.org | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| ES | 82.130.171.45:3333 | nibiru4.duckdns.org | tcp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nibiru5.duckdns.org | udp |
| FR | 95.210.188.80:3333 | nibiru5.duckdns.org | tcp |
| US | 8.8.8.8:53 | nibiru6.duckdns.org | udp |
| US | 8.8.8.8:53 | karmina113.sytes.net | udp |
| US | 8.8.8.8:53 | karmina117.sytes.net | udp |
| US | 8.8.8.8:53 | karmina118.sytes.net | udp |
| US | 8.8.8.8:53 | karmina119.sytes.net | udp |
| US | 8.8.8.8:53 | nibiru3.duckdns.org | udp |
| ES | 82.130.171.45:3333 | nibiru3.duckdns.org | tcp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
memory/3908-0-0x0000000075402000-0x0000000075403000-memory.dmp
memory/3908-1-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/3908-2-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4880-3-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe.log
| MD5 | a5dcc7c9c08af7dddd82be5b036a4416 |
| SHA1 | 4f998ca1526d199e355ffb435bae111a2779b994 |
| SHA256 | e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5 |
| SHA512 | 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a |
memory/3908-6-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4880-7-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4880-8-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4880-9-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4880-10-0x0000000075400000-0x00000000759B1000-memory.dmp
C:\Users\Admin\Documents\WSCollect.exe
| MD5 | e769b63b22a914d5fe9722716257e3b6 |
| SHA1 | d69e65bcb3959724ccf02e6f1d2319163c2593f1 |
| SHA256 | 1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c |
| SHA512 | e901dfc8ede587b76997c5e98b576d12c5762176fc23501f404c195732a36d532b9fea97a79b68005150ca444d9cb1d8ecc5386698f3f4e8d6038d62bd773182 |
memory/4880-24-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-29-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-31-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/3104-32-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-28-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/3104-33-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/3104-34-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/4528-35-0x0000000075400000-0x00000000759B1000-memory.dmp
memory/3104-36-0x0000000075400000-0x00000000759B1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 01:52
Reported
2024-07-26 01:54
Platform
win7-20240705-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
RevengeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSCollect.exe | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSCollect.exe | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 448 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe |
| PID 2948 set thread context of 884 | N/A | C:\Users\Admin\Documents\WSCollect.exe | C:\Users\Admin\Documents\WSCollect.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\WSCollect.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\WSCollect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe
"C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe"
C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe
"C:\Users\Admin\AppData\Local\Temp\1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c.exe"
C:\Users\Admin\Documents\WSCollect.exe
"C:\Users\Admin\Documents\WSCollect.exe"
C:\Users\Admin\Documents\WSCollect.exe
"C:\Users\Admin\Documents\WSCollect.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | karmina113.sytes.net | udp |
| US | 8.8.8.8:53 | karmina117.sytes.net | udp |
| US | 8.8.8.8:53 | karmina118.sytes.net | udp |
| US | 8.8.8.8:53 | karmina119.sytes.net | udp |
| US | 8.8.8.8:53 | nibiru3.duckdns.org | udp |
| ES | 82.130.171.45:3333 | nibiru3.duckdns.org | tcp |
| ES | 82.130.171.45:3333 | nibiru3.duckdns.org | tcp |
| US | 8.8.8.8:53 | nibiru4.duckdns.org | udp |
| ES | 82.130.171.45:3333 | nibiru4.duckdns.org | tcp |
| US | 8.8.8.8:53 | nibiru5.duckdns.org | udp |
| FR | 95.210.188.80:3333 | nibiru5.duckdns.org | tcp |
| US | 8.8.8.8:53 | nibiru6.duckdns.org | udp |
| US | 8.8.8.8:53 | nibiru3.duckdns.org | udp |
| ES | 82.130.171.45:3333 | nibiru3.duckdns.org | tcp |
Files
memory/448-0-0x0000000074951000-0x0000000074952000-memory.dmp
memory/448-1-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/832-2-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/832-8-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-6-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-4-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-20-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-17-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-13-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-12-0x0000000000080000-0x0000000000098000-memory.dmp
memory/832-22-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/448-21-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/832-23-0x0000000074950000-0x0000000074EFB000-memory.dmp
C:\Users\Admin\Documents\WSCollect.exe
| MD5 | e769b63b22a914d5fe9722716257e3b6 |
| SHA1 | d69e65bcb3959724ccf02e6f1d2319163c2593f1 |
| SHA256 | 1e76f1954d14aff43291a7079962d0ad3856657537a9595ba190d5c61abfc93c |
| SHA512 | e901dfc8ede587b76997c5e98b576d12c5762176fc23501f404c195732a36d532b9fea97a79b68005150ca444d9cb1d8ecc5386698f3f4e8d6038d62bd773182 |
memory/2948-32-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/832-31-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/2948-45-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/2948-48-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/884-47-0x0000000000400000-0x0000000000418000-memory.dmp
memory/884-46-0x0000000000400000-0x0000000000418000-memory.dmp
memory/884-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp