Malware Analysis Report

2025-01-18 04:54

Sample ID 241029-qnsa1swblp
Target 1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.dat-decod
SHA256 5b0441fbb03237c5c83f302dc8e58e451b5e6ff9476ffb57102069161d391a8e
Tags
nyancatrevenge revengerat discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b0441fbb03237c5c83f302dc8e58e451b5e6ff9476ffb57102069161d391a8e

Threat Level: Known bad

The file 1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.dat-decod was found to be: Known bad.

Malicious Activity Summary

nyancatrevenge revengerat discovery

Revengerat family

Deletes itself

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 13:24

Signatures

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 13:24

Reported

2024-10-29 13:27

Platform

win7-20241010-en

Max time kernel

15s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe

"C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oMSltdcK.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 marcelotatuape.ddns.net udp
BR 177.52.84.20:333 marcelotatuape.ddns.net tcp

Files

memory/1820-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

memory/1820-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

memory/1820-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

memory/1820-3-0x00000000749F0000-0x0000000074F9B000-memory.dmp

memory/1820-4-0x00000000749F0000-0x0000000074F9B000-memory.dmp

memory/1820-9-0x00000000749F0000-0x0000000074F9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oMSltdcK.vbs

MD5 31a75ca170a32d45aa26b386c0d66a64
SHA1 08ea112bfbe3e06559c197a7295d125944e83821
SHA256 a83ead314c5c0562c785ae7fd96184d9ade1c1bc35511857644e3333a7dd5ad7
SHA512 2361d26b74053396a1d9dbfd480915256cecc0ce0472fc78e3c4104a99174ff453e059a92b381304fb2a8c0298812bdef2222ef55c616f4dbe25862241f1415f

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 13:24

Reported

2024-10-29 13:27

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe

"C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 marcelotatuape.ddns.net udp
BR 177.52.84.20:333 marcelotatuape.ddns.net tcp
US 8.8.8.8:53 20.84.52.177.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4372-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

memory/4372-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

memory/4372-2-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

memory/4372-3-0x0000000074EA0000-0x0000000075451000-memory.dmp