Overview

overview

10

Static

static

1

Ravion.exe

windows7-x64

7

Ravion.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ravion.exe

  • Size

    49.7MB

  • MD5

    a88316d4c2e9a42e7b301bc295781793

  • SHA1

    aa0079be546b312a2dbe8b5a92666c9298474164

  • SHA256

    63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0

  • SHA512

    4975426215db50165d76405843944087ce24630b89966f63f0190a0538ebea1ee4be996b29f00047b80ba767a8f6edd7e23e1e8f734e3de09b37c5d4c11011f0

  • SSDEEP

    1572864:Hnx/dfByIQZBIvqA2fmb+DXz7o1Yca05xesr:HxlfB+C2fmbCo1dz5UA

Score
10/10
hijackloaderstealcsneprivate5credential_accessdiscoveryexecutionloaderspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

sneprivate5

C2

http://5.188.87.42

Attributes
  • url_path

    /aa6217b8854aa121.php

Signatures

  • Detects HijackLoader (aka IDAT Loader) 2 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ravion.exe
    "C:\Users\Admin\AppData\Local\Temp\Ravion.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\Ravion.exe
      C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\Ravion.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2948
      • C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f\MWU0YjlhZT.exe
        "C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f\MWU0YjlhZT.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4540
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3284
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2084
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • C:\ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize

    64KB

    MD5

    d2fb266b97caff2086bf0fa74eddb6b2

    SHA1

    2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

    SHA256

    b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

    SHA512

    c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
    Filesize

    4B

    MD5

    f49655f856acb8884cc0ace29216f511

    SHA1

    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

    SHA256

    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

    SHA512

    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    Filesize

    944B

    MD5

    6bd369f7c74a28194c991ed1404da30f

    SHA1

    0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

    SHA256

    878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

    SHA512

    8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    eb16a43efbdc8dbb9cc06799e80d59a0

    SHA1

    036623e4badb3a8a7db0b2f09d586fa56d82e686

    SHA256

    3accce99104c0b8e565e8599e5883243d20d46f00c5ad1f041bf5c56eeecf2ee

    SHA512

    2fb8ac2484fb36e7a32a2725839cb21b6afcc0a7309d10dd820a9fc445f8895d81eeb6f13d587f8e9d0cba66b161ad357827074f8ad3f6c7a0e90cdf688379c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f\MWU0YjlhZT.exe
    Filesize

    3.7MB

    MD5

    9272772d68254fe603ecd392d9c137d7

    SHA1

    c9bbff0346badcddfa970078e2a38291c59938d3

    SHA256

    94ddbe42dfa547a0ef7e14f7e21e41999f1336526f35a8b0799254786ea27048

    SHA512

    86962ecc964941ebea84ed7bec6e3108c499a95b19145084dd1faafecb38473bbf2472a80c54661eb2600be678e1846cd5496dcfdfc4f96fffd380bd85f27dce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\D3DCompiler_47_cor3.dll
    Filesize

    4.7MB

    MD5

    a7349236212b0e5cec2978f2cfa49a1a

    SHA1

    5abb08949162fd1985b89ffad40aaf5fc769017e

    SHA256

    a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

    SHA512

    c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\PresentationNative_cor3.dll
    Filesize

    1.2MB

    MD5

    1b7e26a5178d7e80ef9b5d1bf0c53763

    SHA1

    f3cacde5660e6db3b96a19032707326434c4a1da

    SHA256

    66e5d8d49f9645fd67c12324e0e947b8646779b502a3bc475e3a3aeb650e20bb

    SHA512

    bee9c66dbce0e9ab4ac06b5aa3a01e4fd33475a1be74d92dc9a75c2a3ced6b441f8a76747f3cf09913e38beae055fa277c55267353cda97abd018146e7355b89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\wpfgfx_cor3.dll
    Filesize

    1.9MB

    MD5

    9b5895322ea58963c2c26b6ad0212a14

    SHA1

    8a182cac411c051cf514b27c42e0d315bd6b55f3

    SHA256

    c7ee407ced4846577a1e8a67ef61cc920010c4f126933774edc24f46d43714e2

    SHA512

    0770b67b94c5063fe670e9a4d5fcd1997139da632861814d3b9a2ef4e6e0c38f0816c2e63b43e6ec17007f139a5147db0cb61c804d865a311f13364b5706c198

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnxov024.od4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bfefab2a
    Filesize

    1023KB

    MD5

    09e98dda2271dcc0062306dc52ec1cad

    SHA1

    dd316a0e073596dff12f6ca5575f31088394aeb0

    SHA256

    5a0ee1953c68970507b61888ca2189d95b1c4a64a83c0d79df2fa757a132b0c2

    SHA512

    4260ccb760123f8bbfce23c3e92ba60781dde33f58d3f926786b318e348535c64c57ab1f31f24c7d91cd58cba8016e0652b8d8f2068c0457bab0e90c85503003

    Download Submit

  • memory/212-164-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-157-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-165-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-167-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-168-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-166-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-156-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-163-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-158-0x000001C0AA020000-0x000001C0AA021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/872-21-0x0000012F73FC0000-0x0000012F73FE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-64-0x0000000074460000-0x00000000745DB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2000-63-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2000-62-0x0000000074460000-0x00000000745DB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2000-61-0x00000000002C0000-0x0000000000679000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2084-76-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-80-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-70-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-69-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-68-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-79-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-78-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-77-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-74-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-75-0x0000028445B70000-0x0000028445B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3284-83-0x0000000000800000-0x0000000000A62000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3284-155-0x0000000000800000-0x0000000000A62000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3284-89-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/3284-84-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3284-85-0x0000000000800000-0x0000000000A62000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3284-131-0x0000000000800000-0x0000000000A62000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4540-81-0x0000000074460000-0x00000000745DB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4540-67-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

    Filesize

    2.0MB

    Download