Analysis

  • max time kernel
    91s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2025, 03:14 UTC

General

  • Target

    1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe

  • Size

    598KB

  • MD5

    287bedc379d15fa5527af96200525f20

  • SHA1

    855d53d8545887da4346d13428952068923e5ee8

  • SHA256

    1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bd

  • SHA512

    26dbf13fbe409464bfcb4cec76e20593d9900f3d00eb5ccd31721672857a9617d1dcc683e8250ca93c136068788d68569576f3efe208aa9fa1d6bf1752cb3385

  • SSDEEP

    6144:/KWlw1DxDfASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2d:/7lw1Dx75zfXeYU43fiysgfBnnl2d

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe
    "C:\Users\Admin\AppData\Local\Temp\1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
      C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54413975 -chipde -430aeeef76954f49858f7a0a01823f4b - -BLUB2 -wlwjgmemctmpzmas -327826
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3596

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    85.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    244.160.67.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    244.160.67.23.in-addr.arpa
    IN PTR
    Response
    244.160.67.23.in-addr.arpa
    IN PTR
    a23-67-160-244.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    thinklabs-ltd.de
    ocs_v71a.exe
    Remote address:
    8.8.8.8:53
    Request
    thinklabs-ltd.de
    IN A
    Response
    thinklabs-ltd.de
    IN A
    176.9.175.237
  • flag-de
    GET
    http://thinklabs-ltd.de/geoip.php
    ocs_v71a.exe
    Remote address:
    176.9.175.237:80
    Request
    GET /geoip.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
    Host: thinklabs-ltd.de
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 24 Jan 2025 03:14:54 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 2
    Keep-Alive: timeout=5, max=1500
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-us
    DNS
    bin.download-sponsor.de
    ocs_v71a.exe
    Remote address:
    8.8.8.8:53
    Request
    bin.download-sponsor.de
    IN A
    Response
    bin.download-sponsor.de
    IN A
    176.9.175.234
  • flag-us
    DNS
    237.175.9.176.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.175.9.176.in-addr.arpa
    IN PTR
    Response
    237.175.9.176.in-addr.arpa
    IN PTR
    www1.thinklabs-cluster.de
  • flag-us
    DNS
    234.175.9.176.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.175.9.176.in-addr.arpa
    IN PTR
    Response
    234.175.9.176.in-addr.arpa
    IN PTR
    web1.thinklabs-cluster.de
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 176.9.175.237:80
    http://thinklabs-ltd.de/geoip.php
    http
    ocs_v71a.exe
    397 B
    330 B
    5
    3

    HTTP Request

    GET http://thinklabs-ltd.de/geoip.php

    HTTP Response

    200
  • 176.9.175.234:443
    bin.download-sponsor.de
    https
    ocs_v71a.exe
    443 B
    172 B
    5
    4
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    85.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    85.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    244.160.67.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    244.160.67.23.in-addr.arpa

  • 8.8.8.8:53
    thinklabs-ltd.de
    dns
    ocs_v71a.exe
    62 B
    78 B
    1
    1

    DNS Request

    thinklabs-ltd.de

    DNS Response

    176.9.175.237

  • 8.8.8.8:53
    bin.download-sponsor.de
    dns
    ocs_v71a.exe
    69 B
    85 B
    1
    1

    DNS Request

    bin.download-sponsor.de

    DNS Response

    176.9.175.234

  • 8.8.8.8:53
    237.175.9.176.in-addr.arpa
    dns
    72 B
    111 B
    1
    1

    DNS Request

    237.175.9.176.in-addr.arpa

  • 8.8.8.8:53
    234.175.9.176.in-addr.arpa
    dns
    72 B
    111 B
    1
    1

    DNS Request

    234.175.9.176.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

    Filesize

    288KB

    MD5

    317ec5f92cfbf04a53e8125b66b3b4af

    SHA1

    16068b8977b4dc562ae782d91bc009472667e331

    SHA256

    7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

    SHA512

    ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

  • C:\Users\Admin\AppData\Local\Temp\OCS\wlwjgmemctmpzmas.dat

    Filesize

    83B

    MD5

    468c49f0da97193fc2f7abe8ce012bb9

    SHA1

    160439a0e50457eee54188694355798a196471bb

    SHA256

    3e249e6840c35982e5b1104920c4ee49c9a9b31694a253dffa8088d8105f603d

    SHA512

    93e87c24a15f4c4a3e84794578d6af195c8c4960dd2332261db8bb6893939c62d4d12193e03df302b01ed7cd2dbf5c21b832582bdbefe087ef4b879172e41776

  • memory/3596-11-0x000000001C010000-0x000000001C0B6000-memory.dmp

    Filesize

    664KB

  • memory/3596-18-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-9-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-12-0x000000001C160000-0x000000001C1FC000-memory.dmp

    Filesize

    624KB

  • memory/3596-14-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-13-0x0000000000F00000-0x0000000000F08000-memory.dmp

    Filesize

    32KB

  • memory/3596-8-0x00007FFA36B75000-0x00007FFA36B76000-memory.dmp

    Filesize

    4KB

  • memory/3596-16-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-17-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-10-0x000000001BB40000-0x000000001C00E000-memory.dmp

    Filesize

    4.8MB

  • memory/3596-19-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-20-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-21-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-22-0x00007FFA36B75000-0x00007FFA36B76000-memory.dmp

    Filesize

    4KB

  • memory/3596-23-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-24-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB

  • memory/3596-26-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

    Filesize

    9.6MB
