Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-10-2024 11:41

Static task: static1
Behavioral task: behavioral1
  Sample: Ravion.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Ravion.exe
  Resource: win10v2004-20241007-en
(The signatures and process tree below are from the behavioral2 run on win10v2004; the behavioral1 Windows 7 run is not shown on this page.)
General
Target: Ravion.exe
Size: 49.7MB
MD5: a88316d4c2e9a42e7b301bc295781793
SHA1: aa0079be546b312a2dbe8b5a92666c9298474164
SHA256: 63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0
SHA512: 4975426215db50165d76405843944087ce24630b89966f63f0190a0538ebea1ee4be996b29f00047b80ba767a8f6edd7e23e1e8f734e3de09b37c5d4c11011f0
SSDEEP: 1572864:Hnx/dfByIQZBIvqA2fmb+DXz7o1Yca05xesr:HxlfB+C2fmbCo1dz5UA
Malware Config
Extracted
Family: stealc
Botnet: sneprivate5
C2: http://5.188.87.42
url_path: /aa6217b8854aa121.php
(Full C2 endpoint: http://5.188.87.42/aa6217b8854aa121.php, plain HTTP. Stealc is the final information-stealer payload; the HijackLoader detections below are the stage that delivers it.)
Signatures

Detects HijackLoader (aka IDAT Loader) (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x000f000000023ced-60.dat                                   family_hijackloader
  behavioral2/memory/2000-61-0x00000000002C0000-0x0000000000679000-memory.dmp   family_hijackloader
  (The memory hit is a region of PID 2000, MWU0YjlhZT.exe, the dropped executable that later injects into cmd.exe.)
HijackLoader: HijackLoader is a multistage loader first seen in 2023.

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run all three invocations add the same -ExclusionPath, the dropper's working folder under %TEMP% (see the process tree). Add-MpPreference needs local administrator rights; the sandbox user here is Admin.
  pid    Process
  872    powershell.exe
  1224   powershell.exe
  2948   powershell.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid    Process
  2648   Ravion.exe
  2000   MWU0YjlhZT.exe

Loads dropped DLL (5 IoCs)
  pid    Process
  2648   Ravion.exe (3 entries)
  3284   explorer.exe (2 entries)

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
  description                              pid    Process          procid_target
  PID 2000 set thread context of 4540      2000   MWU0YjlhZT.exe   100
  (procid_target 100 is the report's internal index for PID 4540, cmd.exe; together with the WriteProcessMemory and MapViewOfSection entries below this is the classic hollowing sequence: create a suspended system binary, map and write the payload, then redirect the main thread.)

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                         Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Ravion.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MWU0YjlhZT.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   explorer.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description         ioc                                                                                                                                   Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                    taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                        taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                    taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                        taskmgr.exe
  (Every hit is from taskmgr.exe. Both taskmgr.exe instances are top-level processes in the tree, not descendants of Ravion.exe, so these reads are Task Manager populating its disk view and are not evidence of anti-sandbox checks by the sample.)

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                            Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                taskmgr.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   taskmgr.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                explorer.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   explorer.exe
  (The taskmgr.exe entries are sandbox noise as above; the explorer.exe entries come from PID 3284, which is spawned by the hollowed cmd.exe and so are attributable to the injected payload.)

Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid    Process          entries
  872    powershell.exe   2
  1224   powershell.exe   2
  2948   powershell.exe   2
  2000   MWU0YjlhZT.exe   2
  4540   cmd.exe          2
  2084   taskmgr.exe      26
  3284   explorer.exe     2
  212    taskmgr.exe      5

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid    Process
  2000   MWU0YjlhZT.exe
  4540   cmd.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              2648   Ravion.exe
  Token: SeDebugPrivilege              872    powershell.exe
  Token: SeDebugPrivilege              1224   powershell.exe
  Token: SeDebugPrivilege              2948   powershell.exe
  Token: SeDebugPrivilege              2084   taskmgr.exe
  Token: SeSystemProfilePrivilege      2084   taskmgr.exe
  Token: SeCreateGlobalPrivilege       2084   taskmgr.exe
  Token: 33                            2084   taskmgr.exe
  Token: SeIncBasePriorityPrivilege    2084   taskmgr.exe
  Token: SeDebugPrivilege              212    taskmgr.exe
  Token: SeSystemProfilePrivilege      212    taskmgr.exe
  Token: SeCreateGlobalPrivilege       212    taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid    Process        entries
  2084   taskmgr.exe    51
  212    taskmgr.exe    13

Suspicious use of SendNotifyMessage (64 IoCs)
  pid    Process        entries
  2084   taskmgr.exe    51
  212    taskmgr.exe    13

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid    Process
  2000   MWU0YjlhZT.exe (5 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid    Process          procid_target   entries
  PID 2512 wrote to memory of 2648   2512   Ravion.exe       89              2
  PID 2648 wrote to memory of 872    2648   Ravion.exe       93              2
  PID 2648 wrote to memory of 1224   2648   Ravion.exe       95              2
  PID 2648 wrote to memory of 2948   2648   Ravion.exe       97              2
  PID 2648 wrote to memory of 2000   2648   Ravion.exe       99              3
  PID 2000 wrote to memory of 4540   2000   MWU0YjlhZT.exe   100             4
  PID 4540 wrote to memory of 3284   4540   cmd.exe          103             4
  (Parent-to-child writes at process start are normal for CreateProcess; the ones that matter are 2000 -> 4540 and 4540 -> 3284, where a dropped binary and then a hollowed cmd.exe write into freshly created Windows system binaries.)
Processes
(Depth markers [N] are the report's; child processes are indented under their parent. The two taskmgr.exe instances are top-level, launched by the sandbox rather than by the sample.)

[1] C:\Users\Admin\AppData\Local\Temp\Ravion.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ravion.exe"
    PID: 2512
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\Ravion.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\7z789AB9D0\Ravion.exe
        PID: 2648
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        (The 7z-prefixed temp folder is consistent with a 7-Zip self-extracting archive unpacking a second-stage Ravion.exe; the report shows only the path, so treat that as an inference.)

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f'
            PID: 872
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f'
            PID: 1224
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f'
            PID: 2948
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f\MWU0YjlhZT.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\3a934c9f-79d5-4be4-87ff-c9fabd2d550f\MWU0YjlhZT.exe"
            PID: 2000
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            (Dropped into the very folder the three PowerShell runs just excluded from Defender.)

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\SysWOW64\cmd.exe
                PID: 4540
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory
                (32-bit cmd.exe started with no arguments and then written to by its parent: the hollowed host for the loader.)

                [5] C:\Windows\SysWOW64\explorer.exe
                    Command line: C:\Windows\SysWOW64\explorer.exe
                    PID: 3284
                    - Loads dropped DLL
                    - System Location Discovery: System Language Discovery
                    - Checks processor information in registry
                    - Suspicious behavior: EnumeratesProcesses
                    (A second hollowed host; the credential and wallet access in the signatures is consistent with the Stealc payload running here.)

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 2084
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 212
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
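The two behaviours worth alerting on in this tree are the Defender exclusion added from PowerShell and the SetThreadContext/WriteProcessMemory hollowing chain from a dropped binary into cmd.exe and then explorer.exe. The following is an added example (not part of the sandbox report, and not code from the malware or the sandbox vendor) of detection logic for both, run over constructed process-creation events modelled on the tree above. The PIDs, images and command lines are the report's; the parent PID 1000 for the top-level processes, and the `set_thread_context_on` field (which stands in for the report's SetThreadContext signature, since a plain Sysmon Event ID 1 feed does not carry it), are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / 4688 style).
    set_thread_context_on is a hypothetical field: the PID this process called
    SetThreadContext on, as the sandbox signature reports it."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    set_thread_context_on: Optional[int] = None

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP_DIR = TEMP + r"\3a934c9f-79d5-4be4-87ff-c9fabd2d550f"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = f"\"powershell\" /command Add-MpPreference -ExclusionPath '{DROP_DIR}'"

# Constructed events mirroring the report's process tree. PIDs, images and
# command lines are the report's; ppid 1000 for the two roots is made up.
EVENTS = [
    ProcEvent(2512, 1000, TEMP + r"\Ravion.exe", f'"{TEMP}\\Ravion.exe"'),
    ProcEvent(2648, 2512, TEMP + r"\7z789AB9D0\Ravion.exe", TEMP + r"\7z789AB9D0\Ravion.exe"),
    ProcEvent(872, 2648, PS, PS_CMD),
    ProcEvent(1224, 2648, PS, PS_CMD),
    ProcEvent(2948, 2648, PS, PS_CMD),
    ProcEvent(2000, 2648, DROP_DIR + r"\MWU0YjlhZT.exe",
              f'"{DROP_DIR}\\MWU0YjlhZT.exe"', set_thread_context_on=4540),
    ProcEvent(4540, 2000, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(3284, 4540, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(2084, 1000, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]

# Add-MpPreference and Set-MpPreference both take the three exclusion kinds.
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"\s]+)"
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def user_writable(path: str) -> bool:
    """True for paths under a user profile's AppData (where Temp lives)."""
    p = path.lower()
    return p.startswith("c:\\users\\") and "\\appdata\\" in p

def is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def find_defender_exclusions(events):
    """Flag every PowerShell exclusion change; mark path exclusions that point
    into a user-writable directory, the pattern of a dropper protecting its
    own drop folder."""
    hits = []
    for e in events:
        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            kind, value = m.group(1).lower(), m.group(2)
            hits.append({"pid": e.pid, "kind": kind, "value": value,
                         "user_writable": kind == "path" and user_writable(value)})
    return hits

def find_hollowing_chains(events):
    """A binary in a user-writable directory sets the thread context of its own
    child, which is a Windows system binary; also collect any further system
    binaries that hollowed child spawns (cmd.exe -> explorer.exe above)."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chains = []
    for e in events:
        tgt = by_pid.get(e.set_thread_context_on)
        if tgt is None or tgt.ppid != e.pid:
            continue
        if not (user_writable(e.image) and is_system_binary(tgt.image)):
            continue
        spawned = [c.pid for c in children.get(tgt.pid, []) if is_system_binary(c.image)]
        chains.append({"injector": e.pid, "hollowed": tgt.pid,
                       "hollowed_image": tgt.image, "spawned_system_children": spawned})
    return chains

if __name__ == "__main__":
    for h in find_defender_exclusions(EVENTS):
        print("Defender exclusion:", h)
    for c in find_hollowing_chains(EVENTS):
        print("Hollowing chain:", c)
```

On a real host the same two checks map to Sysmon Event ID 1 for the command lines and Event ID 10 (ProcessAccess with thread-context rights) or an EDR injection telemetry for the SetThreadContext step; the exclusion the script reports is also what `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` would show afterwards, which is the first thing to check and remove when cleaning up a host that ran this sample.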
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written or downloaded during the run. The report lists sizes and hashes only, without names or paths.

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 64KB
MD5: d2fb266b97caff2086bf0fa74eddb6b2
SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Filesize: 4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 944B
MD5: 6bd369f7c74a28194c991ed1404da30f
SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 6d42b6da621e8df5674e26b799c8e2aa
SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Filesize: 944B
MD5: eb16a43efbdc8dbb9cc06799e80d59a0
SHA1: 036623e4badb3a8a7db0b2f09d586fa56d82e686
SHA256: 3accce99104c0b8e565e8599e5883243d20d46f00c5ad1f041bf5c56eeecf2ee
SHA512: 2fb8ac2484fb36e7a32a2725839cb21b6afcc0a7309d10dd820a9fc445f8895d81eeb6f13d587f8e9d0cba66b161ad357827074f8ad3f6c7a0e90cdf688379c2

Filesize: 3.7MB
MD5: 9272772d68254fe603ecd392d9c137d7
SHA1: c9bbff0346badcddfa970078e2a38291c59938d3
SHA256: 94ddbe42dfa547a0ef7e14f7e21e41999f1336526f35a8b0799254786ea27048
SHA512: 86962ecc964941ebea84ed7bec6e3108c499a95b19145084dd1faafecb38473bbf2472a80c54661eb2600be678e1846cd5496dcfdfc4f96fffd380bd85f27dce

Filesize: 4.7MB
MD5: a7349236212b0e5cec2978f2cfa49a1a
SHA1: 5abb08949162fd1985b89ffad40aaf5fc769017e
SHA256: a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512: c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Filesize: 1.2MB
MD5: 1b7e26a5178d7e80ef9b5d1bf0c53763
SHA1: f3cacde5660e6db3b96a19032707326434c4a1da
SHA256: 66e5d8d49f9645fd67c12324e0e947b8646779b502a3bc475e3a3aeb650e20bb
SHA512: bee9c66dbce0e9ab4ac06b5aa3a01e4fd33475a1be74d92dc9a75c2a3ced6b441f8a76747f3cf09913e38beae055fa277c55267353cda97abd018146e7355b89

Filesize: 1.9MB
MD5: 9b5895322ea58963c2c26b6ad0212a14
SHA1: 8a182cac411c051cf514b27c42e0d315bd6b55f3
SHA256: c7ee407ced4846577a1e8a67ef61cc920010c4f126933774edc24f46d43714e2
SHA512: 0770b67b94c5063fe670e9a4d5fcd1997139da632861814d3b9a2ef4e6e0c38f0816c2e63b43e6ec17007f139a5147db0cb61c804d865a311f13364b5706c198

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1023KB
MD5: 09e98dda2271dcc0062306dc52ec1cad
SHA1: dd316a0e073596dff12f6ca5575f31088394aeb0
SHA256: 5a0ee1953c68970507b61888ca2189d95b1c4a64a83c0d79df2fa757a132b0c2
SHA512: 4260ccb760123f8bbfce23c3e92ba60781dde33f58d3f926786b318e348535c64c57ab1f31f24c7d91cd58cba8016e0652b8d8f2068c0457bab0e90c85503003