Analysis Overview
SHA256
f52dd2dd58a66fb26ff986cd9bd6b033d0bca73800606ba4f6e6033fa44bf023
Threat Level: Known bad
The file Client4PM..exe was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 06:27
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 06:27
Reported
2024-10-12 06:30
Platform
win10v2004-20241007-en
Max time kernel
202s
Max time network
202s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2220 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | C:\Windows\System32\WScript.exe |
| PID 2220 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | C:\Windows\System32\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Client4PM..exe
"C:\Users\Admin\AppData\Local\Temp\Client4PM..exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GawrHJfW.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
Files
memory/2220-0-0x00007FFE032A5000-0x00007FFE032A6000-memory.dmp
memory/2220-1-0x000000001C180000-0x000000001C64E000-memory.dmp
memory/2220-2-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp
memory/2220-3-0x000000001C650000-0x000000001C6F6000-memory.dmp
memory/2220-4-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp
memory/2220-5-0x000000001CDF0000-0x000000001CE52000-memory.dmp
memory/2220-6-0x00007FFE032A5000-0x00007FFE032A6000-memory.dmp
memory/2220-7-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp
memory/2220-8-0x000000001CFE0000-0x000000001D004000-memory.dmp
memory/2220-9-0x000000001D280000-0x000000001D31C000-memory.dmp
memory/2220-10-0x00000000015C0000-0x00000000015D9000-memory.dmp
memory/2220-11-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp
memory/2220-12-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp
memory/2220-13-0x00000000013F0000-0x000000000140E000-memory.dmp
memory/2220-14-0x0000000001520000-0x0000000001536000-memory.dmp
memory/2220-15-0x0000000001690000-0x000000000169C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GawrHJfW.vbs
| Hash | Value |
|---|---|
| MD5 | 502b0b2bd2887a2a1dbd470b8ee92d9c |
| SHA1 | 7a3907f54b2f8b57be6072d28aff3f6174f8f010 |
| SHA256 | a31b7d0b86764919634b44f2ceca8dda07981aa6a2a9a3f7050cf95e7b480807 |
| SHA512 | bba93f39efab99a6aeedaa12a9c654477cd34204df1424222fe819ff82eb36511b7dccfc01b7b687e21cca101a37d88ef143d6aaf658e6a25b959cf5d3d5191e |
memory/2220-20-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 06:27
Reported
2024-10-12 06:30
Platform
win10-20240404-en
Max time kernel
213s
Max time network
204s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\System32\Taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\System32\Taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\Taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4944 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | C:\Windows\System32\Taskmgr.exe |
| PID 4944 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | C:\Windows\System32\Taskmgr.exe |
| PID 4944 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | C:\Windows\System32\WScript.exe |
| PID 4944 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client4PM..exe | C:\Windows\System32\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Client4PM..exe
"C:\Users\Admin\AppData\Local\Temp\Client4PM..exe"
C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\atnxDpn.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
memory/4944-0-0x00007FFEEB715000-0x00007FFEEB716000-memory.dmp
memory/4944-1-0x000000001C370000-0x000000001C83E000-memory.dmp
memory/4944-2-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
memory/4944-3-0x000000001BD90000-0x000000001BE36000-memory.dmp
memory/4944-4-0x000000001D010000-0x000000001D072000-memory.dmp
memory/4944-5-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
memory/4944-6-0x00007FFEEB715000-0x00007FFEEB716000-memory.dmp
memory/4944-7-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
memory/4944-8-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
memory/4944-9-0x000000001D190000-0x000000001D1A6000-memory.dmp
memory/4944-10-0x000000001DD50000-0x000000001DDEC000-memory.dmp
memory/4944-11-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
memory/4944-12-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
memory/4944-21-0x0000000001510000-0x000000000151C000-memory.dmp
memory/4944-26-0x00007FFEEB460000-0x00007FFEEBE00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\atnxDpn.vbs
| Hash | Value |
|---|---|
| MD5 | 502b0b2bd2887a2a1dbd470b8ee92d9c |
| SHA1 | 7a3907f54b2f8b57be6072d28aff3f6174f8f010 |
| SHA256 | a31b7d0b86764919634b44f2ceca8dda07981aa6a2a9a3f7050cf95e7b480807 |
| SHA512 | bba93f39efab99a6aeedaa12a9c654477cd34204df1424222fe819ff82eb36511b7dccfc01b7b687e21cca101a37d88ef143d6aaf658e6a25b959cf5d3d5191e |