Analysis Overview
SHA256
5b0441fbb03237c5c83f302dc8e58e451b5e6ff9476ffb57102069161d391a8e
Threat Level: Known bad
The file 1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.dat-decod was found to be: Known bad.
Malicious Activity Summary
Revengerat family
Deletes itself
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 13:24
Signatures
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 13:24
Reported
2024-10-29 13:27
Platform
win7-20241010-en
Max time kernel
15s
Max time network
19s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1820 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1820 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1820 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1820 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe
"C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oMSltdcK.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp |
| BR | 177.52.84.20:333 | marcelotatuape.ddns.net | tcp |
Files
memory/1820-0-0x00000000749F1000-0x00000000749F2000-memory.dmp
memory/1820-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp
memory/1820-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp
memory/1820-3-0x00000000749F0000-0x0000000074F9B000-memory.dmp
memory/1820-4-0x00000000749F0000-0x0000000074F9B000-memory.dmp
memory/1820-9-0x00000000749F0000-0x0000000074F9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oMSltdcK.vbs
| Hash | Value |
| --- | --- |
| MD5 | 31a75ca170a32d45aa26b386c0d66a64 |
| SHA1 | 08ea112bfbe3e06559c197a7295d125944e83821 |
| SHA256 | a83ead314c5c0562c785ae7fd96184d9ade1c1bc35511857644e3333a7dd5ad7 |
| SHA512 | 2361d26b74053396a1d9dbfd480915256cecc0ce0472fc78e3c4104a99174ff453e059a92b381304fb2a8c0298812bdef2222ef55c616f4dbe25862241f1415f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 13:24
Reported
2024-10-29 13:27
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
149s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe
"C:\Users\Admin\AppData\Local\Temp\1730208185981162f0ff5b68b4d0ac7ca5d90fc05eb58d07e41b2c2b83b4b4bff49be540b5107.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp |
| BR | 177.52.84.20:333 | marcelotatuape.ddns.net | tcp |
| US | 8.8.8.8:53 | 20.84.52.177.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4372-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp
memory/4372-1-0x0000000074EA0000-0x0000000075451000-memory.dmp
memory/4372-2-0x0000000074EA2000-0x0000000074EA3000-memory.dmp
memory/4372-3-0x0000000074EA0000-0x0000000075451000-memory.dmp