Analysis
  max time kernel: 137s
  max time network: 142s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 01/10/2024, 14:32
Behavioral task: behavioral1
  Sample: acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
  Resource: win10v2004-20240802-en
General
  Target: acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
  Size: 17KB
  MD5: af48897e401a79baf8086585c18cf8fe
  SHA1: 44e9a2699d07cbba45493000287ab5dfbe86df77
  SHA256: acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595
  SHA512: c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1
  SSDEEP: 192:NWnNnAi9HEsjSXOLqaJN5MoiwH7abHG+jR9nsVVI+2ky0C+2c:NWnJ9HaOEoiwH7ab9sVK+2ky0C+2c
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.

- RevengeRat Executable (1 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x000c000000012268-9.dat    revengerat

- Drops startup file (1 IoCs)
  description    ioc                                                                                     Process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imd.exe    vbc.exe

- Executes dropped EXE (1 IoCs)
  pid     Process
  2548    IMD.exe

- Uses the VBS compiler for execution (1 TTPs)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid     Process
  Token: SeDebugPrivilege    2196    acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
  Token: SeDebugPrivilege    2548    IMD.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid     Process                                                                 procid_target
  PID 2196 wrote to memory of 2548    2196    acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe    30
  PID 2196 wrote to memory of 2548    2196    acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe    30
  PID 2196 wrote to memory of 2548    2196    acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe    30
  PID 2548 wrote to memory of 2368    2548    IMD.exe                                                                 31
  PID 2548 wrote to memory of 2368    2548    IMD.exe                                                                 31
  PID 2548 wrote to memory of 2368    2548    IMD.exe                                                                 31
  PID 2368 wrote to memory of 1392    2368    vbc.exe                                                                 33
  PID 2368 wrote to memory of 1392    2368    vbc.exe                                                                 33
  PID 2368 wrote to memory of 1392    2368    vbc.exe                                                                 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe"
   PID: 2196
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe"
      PID: 2548
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vtkrsvlo.cmdline"
         PID: 2368
         - Drops startup file
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DF3.tmp"
            PID: 1392
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f2b0119e4b1761418e6091ef38ddd60c
  SHA1: c61fd92fb50a6ba4539df646ec1a4bbd688aa7e4
  SHA256: 908180691e2009a500cc77d9fb4a442509d5f35b0bfe5219d8d9e3443698c7e1
  SHA512: 53f21b925688c483335b471173fba888b99f05f04908a21f29034d818d076e6401e2df5c52ee9d631520bcaff143a97f28c130138e0c6e5c11d2f3102c9749d3

- Filesize: 628B
  MD5: f4204a25f9fd3b86c1af2514bee21827
  SHA1: f8ba207bc7b2cc6b0f5f5d43284019f78ca72e68
  SHA256: 38aa7f22bdb395980c540ec2057562e5678607f8c573c82a68c074d3445b3fc4
  SHA512: 240a811734eecc6c48ebcbf6f39b4afc1d3398e248ba7062f2eba2b2e44a9d28a526aeef40dff833e2eaed286209668d926e50fd1b9f3b4e5bd2704c938733d3

- Filesize: 175B
  MD5: 766a80b102cc61cdfdef05f5d41ecf49
  SHA1: 8fc5687cf17d514917cb83ecb78a319b64c2017f
  SHA256: 70b93e450b765949ac432258843141724da8f4979079e124aa80f0f9f1e4e14e
  SHA512: 975aead67d67998e892f7e446d3b86b014f89a0aba3aecc77d596f56eef2f45c8b7c1cc161e7a6c911b07074391a8cb74dae50d61d6dd8905866d83730a10003

- Filesize: 191B
  MD5: 25f550d9416aba558fec2adaf3245238
  SHA1: bb881916e40dc405f23f648b3caddcfbff5a4013
  SHA256: 571ec01caf0c19eb4bc99bfdce03b08ca740b0d1a2f8cb1f77b0e577dd9e69fa
  SHA512: b0e5ba7fb74cd464cb55854329ea3ad0e5405e7d34b3cb3750d8653c48fe40e7f26b40772ddac98fffae6773d3a0d28df1b0c3a35096a9950f87eb7d0d8ee802

- Filesize: 17KB
  MD5: af48897e401a79baf8086585c18cf8fe
  SHA1: 44e9a2699d07cbba45493000287ab5dfbe86df77
  SHA256: acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595
  SHA512: c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1