63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0

General

Target

Ravion.exe
Size

49.7MB
MD5

a88316d4c2e9a42e7b301bc295781793
SHA1

aa0079be546b312a2dbe8b5a92666c9298474164
SHA256

63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0
SHA512

4975426215db50165d76405843944087ce24630b89966f63f0190a0538ebea1ee4be996b29f00047b80ba767a8f6edd7e23e1e8f734e3de09b37c5d4c11011f0
SSDEEP

1572864:Hnx/dfByIQZBIvqA2fmb+DXz7o1Yca05xesr:HxlfB+C2fmbCo1dz5UA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Ravion.exe

pid process

1980 Ravion.exe
1204
Loads dropped DLL 5 IoCs

Processes:

Ravion.exeRavion.exe

pid process

2012 Ravion.exe
1980 Ravion.exe
1980 Ravion.exe
1980 Ravion.exe
1204
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Ravion.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ravion.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ravion.exe

description pid process

Token: SeDebugPrivilege 1980 Ravion.exe

pid	process
1980	Ravion.exe
1204

pid	process
2012	Ravion.exe
1980	Ravion.exe
1980	Ravion.exe
1980	Ravion.exe
1204

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ravion.exe

description	pid	process
Token: SeDebugPrivilege	1980	Ravion.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Ravion.exe

description	pid	process	target process
PID 2012 wrote to memory of 1980	2012	Ravion.exe	Ravion.exe
PID 2012 wrote to memory of 1980	2012	Ravion.exe	Ravion.exe
PID 2012 wrote to memory of 1980	2012	Ravion.exe	Ravion.exe
PID 2012 wrote to memory of 1980	2012	Ravion.exe	Ravion.exe

C:\Users\Admin\AppData\Local\Temp\Ravion.exe
"C:\Users\Admin\AppData\Local\Temp\Ravion.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\7z6A34E7DC\Ravion.exe
  C:\Users\Admin\AppData\Local\Temp\7z6A34E7DC\Ravion.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7z6A34E7DC\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
\Users\Admin\AppData\Local\Temp\7z6A34E7DC\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
1b7e26a5178d7e80ef9b5d1bf0c53763

SHA1
f3cacde5660e6db3b96a19032707326434c4a1da

SHA256
66e5d8d49f9645fd67c12324e0e947b8646779b502a3bc475e3a3aeb650e20bb

SHA512
bee9c66dbce0e9ab4ac06b5aa3a01e4fd33475a1be74d92dc9a75c2a3ced6b441f8a76747f3cf09913e38beae055fa277c55267353cda97abd018146e7355b89

Download Submit
\Users\Admin\AppData\Local\Temp\7z6A34E7DC\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
9b5895322ea58963c2c26b6ad0212a14

SHA1
8a182cac411c051cf514b27c42e0d315bd6b55f3

SHA256
c7ee407ced4846577a1e8a67ef61cc920010c4f126933774edc24f46d43714e2

SHA512
0770b67b94c5063fe670e9a4d5fcd1997139da632861814d3b9a2ef4e6e0c38f0816c2e63b43e6ec17007f139a5147db0cb61c804d865a311f13364b5706c198

Download Submit
memory/1980-49-0x00000000084C0000-0x0000000008CF0000-memory.dmp

Filesize
8.2MB

Download
memory/1980-45-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/1980-37-0x0000000001D90000-0x0000000001DD0000-memory.dmp

Filesize
256KB

Download
memory/1980-16-0x0000000003550000-0x00000000041E0000-memory.dmp

Filesize
12.6MB

Download
memory/1980-29-0x0000000006E50000-0x0000000006FB0000-memory.dmp

Filesize
1.4MB

Download
memory/1980-73-0x0000000004AE0000-0x0000000004B00000-memory.dmp

Filesize
128KB

Download
memory/1980-69-0x00000000047A0000-0x00000000047C0000-memory.dmp

Filesize
128KB

Download
memory/1980-65-0x0000000004760000-0x0000000004780000-memory.dmp

Filesize
128KB

Download
memory/1980-61-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/1980-57-0x00000000026D0000-0x00000000026F0000-memory.dmp

Filesize
128KB

Download
memory/1980-53-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/1980-25-0x0000000006C20000-0x0000000006E50000-memory.dmp

Filesize
2.2MB

Download
memory/1980-41-0x0000000001DD0000-0x0000000001E20000-memory.dmp

Filesize
320KB

Download
memory/1980-77-0x0000000008D20000-0x0000000008D40000-memory.dmp

Filesize
128KB

Download
memory/1980-33-0x00000000072C0000-0x00000000074C0000-memory.dmp

Filesize
2.0MB

Download
memory/1980-23-0x0000000005A80000-0x00000000069E0000-memory.dmp

Filesize
15.4MB

Download
memory/1980-20-0x000000013F7FD000-0x000000013F7FE000-memory.dmp

Filesize
4KB

Download
memory/1980-168-0x000000000B130000-0x000000000B13A000-memory.dmp

Filesize
40KB

Download
memory/1980-167-0x000000000B130000-0x000000000B13A000-memory.dmp

Filesize
40KB

Download
memory/1980-179-0x000000013F7FD000-0x000000013F7FE000-memory.dmp

Filesize
4KB

Download
memory/1980-180-0x000000000B130000-0x000000000B13A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing