Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2024 02:08
Static task
- static1
Behavioral task
- behavioral1
  - Sample: afb30fed336e9b1e5e8ea5d941691b2a.exe
  - Resource: win7-20240704-en
Behavioral task
- behavioral2
  - Sample: afb30fed336e9b1e5e8ea5d941691b2a.exe
  - Resource: win10v2004-20240802-en
General
- Target: afb30fed336e9b1e5e8ea5d941691b2a.exe
- Size: 988KB
- MD5: afb30fed336e9b1e5e8ea5d941691b2a
- SHA1: afeb330ea75da11608bc4f32d3490ed38cfd4c11
- SHA256: 16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1
- SHA512: f509ae85f1e0cb7d1803f5d84f43cf58ec8363e816614b1668ae7ae5bbb86547ec507776022dcb9ba3bf776837e17e72816208bb2a8e790eef0c807131b6b27a
- SSDEEP: 24576:MAHnh+eWsN3skA4RV1Hom2KXMmHaYfNZ8tvDej5:rh+ZkldoPK8YaYlZ81q
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  Resource: behavioral1/memory/3068-27-0x00000000004F0000-0x0000000000508000-memory.dmp
  YARA rule: revengerat
  (PID 3068 is temp5789e.exe, so the rule matched in the dropped second stage's memory rather than in the submitted sample's own process.)
- Executes dropped EXE (2 IoCs)
  PID 2676: gons.exe
  PID 3068: temp5789e.exe
- Loads dropped DLL (2 IoCs)
  PID 2632: afb30fed336e9b1e5e8ea5d941691b2a.exe (two DLL loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: InstallUtil.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\temp5789e.exe"
  (A per-user Run value named "Client" pointing at the dropped temp5789e.exe. It is written from the InstallUtil.exe process that temp5789e.exe injected into, not from temp5789e.exe itself, so a rule keyed only on the registering process name would attribute the persistence to a signed Microsoft binary.)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3068 (temp5789e.exe) set thread context of PID 2564 (InstallUtil.exe)
  PID 2564 (InstallUtil.exe) set thread context of PID 2748 (InstallUtil.exe)
  (Paired with the WriteProcessMemory events on the same parent/target pairs below, this is the process-hollowing pattern: write the payload into the target, then redirect one of its threads with SetThreadContext. The first hollowed InstallUtil.exe then hollows a second one.)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by afb30fed336e9b1e5e8ea5d941691b2a.exe (PID 2632), InstallUtil.exe (PID 2564) and InstallUtil.exe (PID 2748)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 (InstallUtil.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (InstallUtil.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3068 (temp5789e.exe)
  Token: SeDebugPrivilege, PID 2564 (InstallUtil.exe)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2632: afb30fed336e9b1e5e8ea5d941691b2a.exe (three calls)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 2632: afb30fed336e9b1e5e8ea5d941691b2a.exe (three calls)
- Suspicious use of WriteProcessMemory (32 IoCs)
  PID 2632 (afb30fed336e9b1e5e8ea5d941691b2a.exe) wrote to memory of PID 2676 (gons.exe): 4 events
  PID 2632 (afb30fed336e9b1e5e8ea5d941691b2a.exe) wrote to memory of PID 3068 (temp5789e.exe): 4 events
  PID 3068 (temp5789e.exe) wrote to memory of PID 2564 (InstallUtil.exe): 12 events
  PID 2564 (InstallUtil.exe) wrote to memory of PID 2748 (InstallUtil.exe): 12 events
Processes
- PID 2632 (depth 1): C:\Users\Admin\AppData\Local\Temp\afb30fed336e9b1e5e8ea5d941691b2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afb30fed336e9b1e5e8ea5d941691b2a.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 2676 (depth 2): C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
    Signatures: Executes dropped EXE
  - PID 3068 (depth 2): C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 2564 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" (no arguments)
      Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 2748 (depth 4): C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" (no arguments)
        Signatures: System Location Discovery: System Language Discovery
Both InstallUtil.exe instances are started with an empty command line. Legitimate InstallUtil use passes the path of an assembly to install or uninstall, so a bare InstallUtil.exe whose parent is an executable under the user's AppData is the injection host for the RevengeRAT payload, not an installer run; that combination (parent in a user-writable directory, no arguments, followed by SetThreadContext and a Run-key write from the child) is the hunt query this report supports.
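Added example (the editor's code, not part of the sandbox report or of any vendor's tooling): a Python triage script fed with the report's own WriteProcessMemory, SetThreadContext, Run-key and process-tree lines. It collapses the 32 write events into four parent/target edges, flags the two that also carry a SetThreadContext event as the hollowing chain (temp5789e.exe -> InstallUtil.exe -> InstallUtil.exe), checks whether the Run value points into the user profile and was registered by a process other than the file it launches, and flags the InstallUtil.exe instances started with no arguments. Each rule is an assumption about what is worth flagging, not a verdict the sandbox makes; the constants DROPPER, ROAMING and IU are only the report's paths.

```python
"""Triage helper: injection chain, persistence and LOLBin use from this report's tables.

Added example, not part of the sandbox report or any vendor tooling. The event lines
are copied from the report; the rules are the editor's heuristics, not sandbox verdicts.
"""
import re
from collections import Counter

# "Suspicious use of WriteProcessMemory": one line per event, 4 + 4 + 12 + 12 = 32 IoCs.
WRITE_EVENTS = (
    ["PID 2632 wrote to memory of 2676 2632 afb30fed336e9b1e5e8ea5d941691b2a.exe gons.exe"] * 4
    + ["PID 2632 wrote to memory of 3068 2632 afb30fed336e9b1e5e8ea5d941691b2a.exe temp5789e.exe"] * 4
    + ["PID 3068 wrote to memory of 2564 3068 temp5789e.exe InstallUtil.exe"] * 12
    + ["PID 2564 wrote to memory of 2748 2564 InstallUtil.exe InstallUtil.exe"] * 12
)
# "Suspicious use of SetThreadContext".
CONTEXT_EVENTS = [
    "PID 3068 set thread context of 2564 3068 temp5789e.exe InstallUtil.exe",
    "PID 2564 set thread context of 2748 2564 InstallUtil.exe InstallUtil.exe",
]
# "Adds Run key to start application"; the report prints the value data with doubled backslashes.
RUN_KEY_EVENTS = [
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Client = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\temp5789e.exe" InstallUtil.exe',
]
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\afb30fed336e9b1e5e8ea5d941691b2a.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\Microsoft"
IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
PROCESS_TREE = [  # (depth, pid, image, command line) from the report's process tree
    (1, 2632, DROPPER, f'"{DROPPER}"'),
    (2, 2676, ROAMING + r"\gons.exe", ROAMING + r"\gons.exe"),
    (2, 3068, ROAMING + r"\temp5789e.exe", ROAMING + r"\temp5789e.exe"),
    (3, 2564, IU, f'"{IU}"'),
    (4, 2748, IU, f'"{IU}"'),
]

# "PID <src> <verb> <dst> <src> <src image> <dst image>", as the report prints it.
EVENT_RE = re.compile(r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
                      r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$")
RUN_RE = re.compile(r'Set value \(str\) (?P<key>\S+) = "(?P<data>[^"]+)" (?P<proc>\S+)$')

def parse_events(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each well-formed line."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]

def injection_edges(write_lines, context_lines):
    """One edge per (src, dst) with its write count; 'hollowing' is set when the same
    pair also has a SetThreadContext event. Writes alone (2632 into the two children
    it just started) are the weaker signal and are reported but not flagged."""
    writes = Counter(parse_events(write_lines))
    ctx = {(s, d) for s, d, _, _ in parse_events(context_lines)}
    return [{"src": s, "dst": d, "src_image": si, "dst_image": di,
             "writes": n, "hollowing": (s, d) in ctx}
            for (s, d, si, di), n in sorted(writes.items())]

def persistence_findings(run_lines):
    """Flag Run values pointing into the user profile that were written by a process
    other than the file they launch (here InstallUtil.exe registers temp5789e.exe)."""
    out = []
    for line in run_lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        target = m["data"].replace("\\\\", "\\")   # undo the report's doubled backslashes
        launched = target.rsplit("\\", 1)[-1].lower()
        out.append({"value_name": m["key"].rsplit("\\", 1)[-1], "target": target,
                    "writer": m["proc"],
                    "suspicious": "\\AppData\\" in target and m["proc"].lower() != launched})
    return out

def parents(tree):
    """Recover parent PIDs from the report's depth markers."""
    last_at_depth, out = {}, {}
    for depth, pid, _, _ in tree:
        out[pid] = last_at_depth.get(depth - 1)
        last_at_depth = {d: p for d, p in last_at_depth.items() if d < depth}
        last_at_depth[depth] = pid
    return out

def lolbin_findings(tree):
    """InstallUtil.exe does nothing useful without an assembly path, so a command line
    that is only the image path marks it as an injection host (assumption: no benign
    tooling on this host runs it bare)."""
    par, images = parents(tree), {pid: img for _, pid, img, _ in tree}
    return [{"pid": pid, "no_args": cmd.strip().strip('"').lower() == img.lower(),
             "parent": par[pid], "parent_image": images.get(par[pid])}
            for _, pid, img, cmd in tree if img.rsplit("\\", 1)[-1].lower() == "installutil.exe"]

if __name__ == "__main__":
    for e in injection_edges(WRITE_EVENTS, CONTEXT_EVENTS):
        print(f"{e['src']} -> {e['dst']} ({e['dst_image']}): {e['writes']} writes, hollowing={e['hollowing']}")
    print(persistence_findings(RUN_KEY_EVENTS))
    print(lolbin_findings(PROCESS_TREE))
```

Run it as a script to print the four edges and the two findings. In practice the same parsing would run over the sandbox's exported report rather than pasted table lines, but the three rules (write plus SetThreadContext on one parent/target pair, a Run value into AppData registered by a third process, a bare InstallUtil.exe under a user-profile parent) transfer unchanged to EDR process and registry telemetry.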
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 54B
  MD5: feff0ef7b1806ec99a169a9c65bf7d85
  SHA1: 506370d143d605e5a1b2f8dcb28ff3d28d7f47bf
  SHA256: 06c3fa449cae6477b6389f6c509574ab2eb909497b857c9944e91b3c049cefdd
  SHA512: e0e78ece6708b4021629ccfd421b0e941bd0369e82d7f82e6e0b104aad588f65c388231531b501b7d13b7884209fe25a96c71beaacb45c60bf20af8530bc7a05
- Filesize: 93KB
  MD5: 5596954c05b7854febf8fc86258ee259
  SHA1: 0f3cbe5382fbe23d0d4d425a9343339c20fe47d0
  SHA256: 489360ed325274a369c234b382d29a8cbeb3827cb9e305b809fc286408af87d9
  SHA512: 9ee9ef01aa832f31e5d41f22c6623046513dfb247838b749ae65eb7a8e71ccab31c38f41c33978c33ddf203511cab454a11ff0473237344663dd20da84d69f2e
- Filesize: 591KB
  MD5: 70ba9bb9b4a4a5c81b2c17f0110cef81
  SHA1: 75ce808554c4f79cb4d603fa500d7205cadffdc8
  SHA256: b2a46393e1234b2408ba71a338c7665119dcf57c8a2e7c9247c69b25943d3b11
  SHA512: a0d824e4ca56d1ea72a1cacf51b6267a452f21ecd8e2037ee401970491fe3aed9ec56f704d862f158899c158c7c0bf48ace610be854ccd00039b8f1c25ef262f