Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2025, 09:36
Static task
- static1
Behavioral tasks
- behavioral1: sample 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe, resource win7-20241023-en
- behavioral2: sample 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe, resource win10v2004-20241007-en
General
- Target: 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
- Size: 614KB
- MD5: af1725436c92f3309d72a7f98d6b0e70
- SHA1: e3fb24728cf935bd4c6488087dd2a29e94f2eded
- SHA256: 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331b
- SHA512: d521a25a408af2c74cb097566a47a4f2f224054ef63d4cab0e2264641727928cb18daf8bbf237b9200d2dcc08d3f2809a23bddddbf05705813bab00c0ed7d696
- SSDEEP: 12288:i7lw1DxbpefX4qkkn9wifVzo6mj+ysgfBnnl2F:i7m1DLqkknljmj+ysgpnncF
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Revengerat family
- RevengeRat Executable (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0007000000016d2a-5.dat | revengerat
- Executes dropped EXE (1 IoC)
  pid | Process
  2508 | ocs_v71b.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
  2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
  2508 | ocs_v71b.exe
  2508 | ocs_v71b.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2928 wrote to memory of 2508 | 2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe | 30
  PID 2928 wrote to memory of 2508 | 2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe | 30
  PID 2928 wrote to memory of 2508 | 2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe | 30
  PID 2928 wrote to memory of 2508 | 2928 | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe"
  PID: 2928
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe (child of PID 2928)
    Command line: C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -54415075 -chipde -3f4cad91c7dd4d608a78e35bdc824fa7 - -BLUB1 -spekkblwmvlbksub -917918
    PID: 2508
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
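The signature tables above are printed flattened (one header line, then every IoC row run together), which makes it easy to misread which process did what. The script below is an added example, not part of the Triage report or its tooling: it parses that flattened layout into a pid-to-image map and pulls out the drop-and-execute chain (a process that wrote into a child which is itself a dropped executable). The RAW text is constructed by hand from the four process-related signature rows shown in this report; the parser is written for that layout only and raises on anything else.

```python
"""Added example (not from the Triage report): parse the report's flattened
signature rows and recover the drop-and-execute chain between processes.
"""
import re
from collections import Counter

SAMPLE = "21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe"

# Constructed input: the four process-related signature blocks of this
# report, each as one header line followed by its flattened IoC row.
RAW = f"""\
Executes dropped EXE 1 IoCs
pid Process 2508 ocs_v71b.exe
Loads dropped DLL 2 IoCs
pid Process 2928 {SAMPLE} 2928 {SAMPLE}
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2928 {SAMPLE} 2508 ocs_v71b.exe 2508 ocs_v71b.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2928 wrote to memory of 2508 2928 {SAMPLE} 30 PID 2928 wrote to memory of 2508 2928 {SAMPLE} 30 PID 2928 wrote to memory of 2508 2928 {SAMPLE} 30 PID 2928 wrote to memory of 2508 2928 {SAMPLE} 30
"""

HEADER_RE = re.compile(r"^(?P<name>.+?) (?P<count>\d+) IoCs?$")
PID_PROC_RE = re.compile(r"(\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_signatures(text):
    """Return {signature name: (declared IoC count, parsed rows)}.

    'pid Process' rows become (pid, image) tuples; WriteProcessMemory rows
    become (writer_pid, target_pid, writer_image, procid_target) tuples.
    The declared count is checked against what was actually parsed, so a
    layout change in the report fails loudly instead of silently dropping rows.
    """
    sigs = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for header, row in zip(lines[0::2], lines[1::2]):
        m = HEADER_RE.match(header)
        if not m:
            raise ValueError(f"unexpected header: {header!r}")
        name, count = m.group("name"), int(m.group("count"))
        if row.startswith("description pid Process procid_target"):
            parsed = [(int(w), int(t), img, int(pt))
                      for w, t, _w_again, img, pt in WPM_RE.findall(row)]
        elif row.startswith("pid Process"):
            parsed = [(int(p), img)
                      for p, img in PID_PROC_RE.findall(row[len("pid Process"):])]
        else:
            raise ValueError(f"unexpected row layout: {row!r}")
        if len(parsed) != count:
            raise ValueError(f"{name}: parsed {len(parsed)} rows, header says {count}")
        sigs[name] = (count, parsed)
    return sigs


def process_map(sigs):
    """pid -> image name, collected from every row that names a process."""
    procs = {}
    for _count, rows in sigs.values():
        for row in rows:
            pid, image = (row[0], row[1]) if len(row) == 2 else (row[0], row[2])
            procs[pid] = image
    return procs


def drop_and_execute_chains(text):
    """Writer -> target pairs whose target is flagged as a dropped EXE.

    Returns [(writer_pid, writer_image, target_pid, target_image, writes)].
    """
    sigs = parse_signatures(text)
    procs = process_map(sigs)
    dropped = {pid for pid, _img in sigs.get("Executes dropped EXE", (0, []))[1]}
    writes = Counter((w, t) for w, t, _img, _pt
                     in sigs.get("Suspicious use of WriteProcessMemory", (0, []))[1])
    return [(w, procs[w], t, procs[t], n)
            for (w, t), n in sorted(writes.items()) if t in dropped]


if __name__ == "__main__":
    for w, wimg, t, timg, n in drop_and_execute_chains(RAW):
        print(f"{wimg} (PID {w}) wrote {n}x into dropped EXE {timg} (PID {t})")
```

In this report every WriteProcessMemory row is the sample writing into the child it launched, which is what an ordinary process start looks like under API monitoring as well; the part worth acting on is that the target, ocs_v71b.exe, is a binary the sample dropped under %TEMP%\OCS, and that both processes then installed hooks via SetWindowsHookEx.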
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 57B
  MD5: 017065f3405d83ac248980ccc95e39a8
  SHA1: 93a512b36433730d3fe0438d2aef202f6ab7a325
  SHA256: 34f706d612784e29f64e1d3039a7f03415363ac57fa2c21922b77c5a71a64e9c
  SHA512: e58b450720759ca0245200f342ab171d8f5e9e235cf9ee19cfc40b544a3351b4427046843bbcf8385d687145528e2f920acb00d08624f6c993c697d7ee4fbac1
- Filesize: 304KB
  MD5: 7b3b5db5fdd271811f9f22d52ee36e9d
  SHA1: dae3b80a567aa739fa54d4c896a2cfe0f9718180
  SHA256: c5e83f41df5b4158994a29122874c3ff26d5e5877eb9a1dc109693d8ea41cea2
  SHA512: 91ae6be31c599344f44fc5decd2d51f7ff2e86da53089c8f5a821c71853c0603e613c2455eedbf55970bda34e2f74547105b27d53dfdf5c47b81e648cdc3ced2