Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-09-2024 07:08

General

  • Target

    3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

  • Size

    1.4MB

  • MD5

    5673c04d81969a6603184069b6846213

  • SHA1

    49fdd9c69f1c281d94486029dfaa5108dfc168bf

  • SHA256

    3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446

  • SHA512

    c381630f7c9c72ca538679bef37b9e966ec2f906bd5eb36a42069e3742ddd57bd958d867ede257edc3244e40fa3a6c65c10cddd07dddfd89cc2085eef13291cb

  • SSDEEP

    24576:rq5TfcdHj4fmb9Ve9u2qTPIMeYyBMLlQjzCEzKJ9TtLzCwn1jAh0zQJ9TtDRli:rUTsamC9uxKjY5x1jAF5i

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
    "C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54417509 -chipderedesign -a80c61fa351a416282afb39d6c109d6c - -BLUB2 -wvpwxeqguvmlogsw -2704
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2732
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RegisterShow.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1056
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2564
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2408
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\UnregisterNew.docx"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2028

    Network

    • DNS (US)
      api.chip-secured-download.de
      dmr_72.exe
      Remote address:
      8.8.8.8:53
      Request
      api.chip-secured-download.de
      IN A
      Response
      api.chip-secured-download.de
      IN A
      116.203.169.158
    • GET (DE)
      http://api.chip-secured-download.de/geoip/geoip.php?ip=38392e31322e3137302e323037&givezip=true
      dmr_72.exe
      Remote address:
      116.203.169.158:80
      Request
      GET /geoip/geoip.php?ip=38392e31322e3137302e323037&givezip=true HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
      Host: api.chip-secured-download.de
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.10.3
      Date: Sat, 28 Sep 2024 07:09:03 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/7.1.21
      Cache-Control: private, must-revalidate
      pragma: no-cache
      expires: -1
    • GET (DE)
      http://api.chip-secured-download.de/dotnet/com
      dmr_72.exe
      Remote address:
      116.203.169.158:80
      Request
      GET /dotnet/com HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
      Host: api.chip-secured-download.de
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.10.3
      Date: Sat, 28 Sep 2024 07:09:03 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/7.1.21
      Cache-Control: private, must-revalidate
      pragma: no-cache
      expires: -1
    • DNS (US)
      ocs1.chdi-server.de
      dmr_72.exe
      Remote address:
      8.8.8.8:53
      Request
      ocs1.chdi-server.de
      IN A
      Response
      ocs1.chdi-server.de
      IN A
      116.203.169.152
    • 116.203.169.158:80
      http://api.chip-secured-download.de/dotnet/com
      http
      dmr_72.exe
      traffic (bytes): 654 B / 746 B
      traffic (packets): 6 / 4

      HTTP Request

      GET http://api.chip-secured-download.de/geoip/geoip.php?ip=38392e31322e3137302e323037&givezip=true

      HTTP Response

      200

      HTTP Request

      GET http://api.chip-secured-download.de/dotnet/com

      HTTP Response

      200
    • 116.203.169.152:80
      ocs1.chdi-server.de
      http
      dmr_72.exe
      traffic (bytes): 536 B / 273 B
      traffic (packets): 6 / 4
    • 8.8.8.8:53
      api.chip-secured-download.de
      dns
      dmr_72.exe
      traffic (bytes): 74 B / 90 B
      traffic (packets): 1 / 1

      DNS Request

      api.chip-secured-download.de

      DNS Response

      116.203.169.158

    • 8.8.8.8:53
      ocs1.chdi-server.de
      dns
      dmr_72.exe
      traffic (bytes): 65 B / 81 B
      traffic (packets): 1 / 1

      DNS Request

      ocs1.chdi-server.de

      DNS Response

      116.203.169.152

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e45bbe4b10c8bdbb2dd316281ca8fcd1

      SHA1

      4c0876350931a2799b8b791037834dc0c41a6f6e

      SHA256

      a98c642a97738e39a80cc6f630088c7d2281e2dd1a4c73c79b7009256f524b82

      SHA512

      7e583ebebe07bc288f836310ad78819fce665048a3e54592c732896b32ba043c506348b4431c45c19e666a2e2a67fb7f7780184838ba74177c03707e35106156

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ba44a2d9b1b8bcf7e7df9acb3a643b29

      SHA1

      ad83bead91a7b36b2781273f266e329cd543a7a3

      SHA256

      ac61489ef7ee880b4c18638eafd24527a65c74f6ac04799be754fcff0b6252b0

      SHA512

      fb5b6c2342f5268e8dfbeefe26cb7fee40e94fa62cef6bfc7cfb28c8bd30654b77b37169ebc46e401e41d9e9e9b1efe217d0d1483e95094c36eef71eb0df3964

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      65a599e54c38a40ea7f7bb341eedd50f

      SHA1

      7c58c2c69a8f9b99ca9d5dae48635d7ef985a1e6

      SHA256

      c5029db27c3fb781de7720d539a9dba86851a6efdc92803670fd569913120fbe

      SHA512

      cd47c119a6c95506c127d4720a6fef7b2da820187e75f02fdde1b6cf36e1abd8849b854fd0b4ad7ed0327c5172ed086fc910890885a99aff2058596f58c0557c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f3d1f49c388ed4074dfee104980f4ba1

      SHA1

      3a9a572f0811e3b0e574681330282651b451f2ea

      SHA256

      ca99402ddd508b7d98d49cf9a6ab97bff82e3010daedb49ab3b0ad76b7333d1d

      SHA512

      17dd83478b01e29eba12f61f2e34c3a5411b031ca64f16873a11c5196d265561204d102dbcdd1c1e03613e00a6db845c8fc29b548806bbab749d69f0fd0fdfe3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a8150f28527e69fe16b15e9149b4e909

      SHA1

      a24ab80111456e96333c8e5683761339000d8e96

      SHA256

      01b695bb535f56afbdcee21335895ce036d764363b6aeea4cd405865ba74b6a4

      SHA512

      4358c96046b07a89b0b8d93c45ee93a4cb97d6866f28995a5527be0542f55fd8c4c4af25f4650582b244793bc8bcc85e94aa90622d19eefb65bc4d1144970c31

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      3740fa884d9129b1837f52ce17a54bbc

      SHA1

      2cebfbcc2ef66f586260a051e2c7faa726301677

      SHA256

      63cbc32098d38959bb64cd0ae6467522458fcc36f7ecbdced29031582f11b5d5

      SHA512

      959b9e9b05cfdc26d2e307601300bffb9e2450b29a0d462a929b19299512695e04428da86d3b36125a2b68387c263ec36f2ebf796cde2fa94d2adbe1dba17a2d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      137f0c120b93c0d9af8146af1d81a155

      SHA1

      1b14f8bd2b61605cad2b08fe8c7f73c86fc13200

      SHA256

      4049bcb3831c57818074a84dd67872a38841ff4f18adb35c651b4a9e08525b73

      SHA512

      8405b296707909f4a7d8dcaf9ca6d550696a88c1dc240b07ccd29bc17d575d3a149ea368a2839ef164dd8d9d23ef32b18691cc422c9e64b7a5dfef3f611bbb38

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      20d3e7112b5b78aae7e55fa4b001698c

      SHA1

      694c0463df0b226cea82409440c79d5c33d3c4c4

      SHA256

      3d13277f9498ec0dbcf2322ab6a809d82d33679815cd0cb47089fcda18b4ea4b

      SHA512

      f0ccafdbc3e19659026270fbf9f7576d41a8063130b89e1ee48ed5272ea458d5e04851098248d1c2865fae46cd9c43e46559ec5350c937a47d0a96e350d8a633

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      fd2398c2c89e5c0b820558c6243e6f7d

      SHA1

      0da63a80b6f9f68a04397ddc0db9cd1b72baa15a

      SHA256

      3be4103d758a09c2ba69e3f4ab7aa4804234cf1fa690cb4641291f61048ad720

      SHA512

      2ffa34d562f82319ed32ae40d58ef069f905cd560da09e89effc7dda78637c4ac7adb1b1941dbec5d552aeef68e0e880c06974e9f73628023c95dcbba796179c

    • C:\Users\Admin\AppData\Local\Temp\Cab5988.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\DMR\wvpwxeqguvmlogsw.dat

      Filesize

      161B

      MD5

      c800879c1c73dbbb198fc42669646aa7

      SHA1

      ab63307099961d43ebb2b64809b7f39d030bab7b

      SHA256

      4c4dd62b579e43dc1c4cf859299df3023409492281f173bc5c3d2cc00bb782d7

      SHA512

      0bc20e0c61f46a6c8eb0d8c276edc1f1901ac2f2800199d78490ba0b3c096e4cbf08a175ee19f663d7c13d56e7b6852f32478ea6c85f7829f6fd2880023213df

    • C:\Users\Admin\AppData\Local\Temp\Tar5A47.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      215B

      MD5

      786b0d46cd75bb6196f32227121a3b06

      SHA1

      f79ab932645766280747258b3838ceccd2743b9e

      SHA256

      63d2f6f655b06ce41c426d0309fe4e8f585b3f9354bd82cfd128ece938c94592

      SHA512

      118587f28a7d5e6946044f0f2d6c44d579c226e2bc7791be6d43dff229051f80f680ab4d735a1e7cd75f50f9c024062d775756f1466be06aee7a45f799070e49

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      63a97cdf4a888281d89e2b0256a1fa88

      SHA1

      5fa1cef5a92fea71e6306c2f9eb792ad899747ba

      SHA256

      488df63195657f65385c2c462dbd9e2e2300821da209b4dcc8ae0ff3264869cf

      SHA512

      e620707fddc39df5cae760227c6dadcc8880668323659df78c5cb12b62f9889db36820512d3e1c019b861e923c3cc9a9768077d04b7bea38170beac10ae5ea08

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

      Filesize

      508KB

      MD5

      da9e9a98a7cf8da14f9e3c9973328fb7

      SHA1

      42e37cbfa37877d247ebd37d9553cb6224d6bee6

      SHA256

      c1116053bbac19ab273dc120c2984c235d116cdcc9e3ac437951b55465fd7063

      SHA512

      ce98f1984a3db301df7c1078dc6014fc1a03a1643c5635ef59775ee8019fbae4e07c16e99ec3d1998f45947d57493ada96e5116c359a590b14573833eec17343

    • memory/1056-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1056-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2028-503-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2704-0-0x0000000000170000-0x000000000046D000-memory.dmp

      Filesize

      3.0MB

    • memory/2704-25-0x0000000000170000-0x000000000046D000-memory.dmp

      Filesize

      3.0MB

    • memory/2732-22-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-32-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-31-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-30-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-29-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-28-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-27-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-26-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

      Filesize

      4KB

    • memory/2732-23-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-21-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-20-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-19-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-17-0x0000000000250000-0x00000000002D4000-memory.dmp

      Filesize

      528KB

    • memory/2732-16-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

      Filesize

      4KB
