Extracted

Extracted

Extracted

• • Target

    27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.doc

  • Size

    124KB

  • MD5

    cc0f9cc1f9133b0f5dd045a34b2d7ae1

  • SHA1

    c41f1c79442c0e2b717473f9c40d395176afffdb

  • SHA256

    27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696

  • SHA512

    154c2ddc43ba72e1f166dc025e20ef5c580e1f490f1828496c1f10f8ef17b4432137740c66552d12cb647499e9ad7d5a62e5ab709ed2bcd9d08d2416b475c3da

  • SSDEEP

    1536:vkc9anle9tQVTGH7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBXFtc:vVWqQVtClwH9r0l77AnsSmy/BVtqxp

  Score

  10^/10

  discoveryrevengeratnyancatrevengedefense_evasionexecutionpersistencetrojan

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2