Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 03:17
Static task
static1
Behavioral task
behavioral1
Sample
156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
Resource
win10v2004-20241007-en
General
-
Target
156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
-
Size
598KB
-
MD5
d9fbfc2935082465f64f882603a48917
-
SHA1
e6d8a73d5cf363ef7b0c6d070466bdfeb308ad1b
-
SHA256
156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755
-
SHA512
49852e44ededd9abd16aebe6af288f5d0e3752d190dbc43732e78cd79e9a9725965d4d25b582e3e99c75ee122842c9ceb3d1e5dfe9926788d3ce8ff521cc6ef9
-
SSDEEP
6144:rKWlw1DxDFASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2v:r7lw1Dx55zfXeYU43fiysgfBnnl2v
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016cab-11.dat revengerat -
Executes dropped EXE 1 IoCs
pid Process 804 ocs_v71a.exe -
Loads dropped DLL 2 IoCs
pid Process 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe 804 ocs_v71a.exe 804 ocs_v71a.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1952 wrote to memory of 804 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe 30 PID 1952 wrote to memory of 804 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe 30 PID 1952 wrote to memory of 804 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe 30 PID 1952 wrote to memory of 804 1952 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe"C:\Users\Admin\AppData\Local\Temp\156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exeC:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54426511 -chipde -6cdf23fe36b2464db9c423d5f453514c - -BLUB1 -ktardiessweddmsw -9178462⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:804
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
83B
MD53b21d4cd921a9239441586d7cec32701
SHA1d307f2b4cba818f9bdf3e2ffa92c7c2864d038a8
SHA256cc22be80fd6abf3aa97cf26110adbac424c15add06131dc06c0b12b3ac1a4e04
SHA512bb91a5eebf43bc71ca7cf6ec5366c69ce4f0df098403abd8da4113489d0911fb25bb3e20aadb2d480dce2f78cc51745d9b705aac71202e11b5f0604f551157c3
-
Filesize
288KB
MD5317ec5f92cfbf04a53e8125b66b3b4af
SHA116068b8977b4dc562ae782d91bc009472667e331
SHA2567612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5
SHA512ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65