Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/01/2025, 11:31
Static task: static1
Behavioral task: behavioral1
- Sample: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe
- Resource: win10v2004-20241007-en
General
- Target: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe
- Size: 604KB
- MD5: f422cfe5d03f240cca5fa7c1c4a81bb0
- SHA1: 4d0e221eb3d4af3f60501372e17654de8b996b44
- SHA256: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bc
- SHA512: 8c95ac8c0cb9c372f3a4a5372b69c237748ecb1fe68497060369f8615f6a1cf872cdbb4346284dce9b0b53401dce157ce768e069eb752515b9a9fcbca6e79f01
- SSDEEP: 6144:KKWlw1DxX+p9fCEc2PI4Saq9JNl6zBY4o83fqysVufBn597NX2+U:K7lw1Dxup9fXHPIz3vtysgfBnnl2+U
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Revengerat family
- RevengeRat Executable 1 IoCs
  resource: behavioral2/files/0x000a000000023b85-6.dat
  yara_rule: revengerat
- Executes dropped EXE 1 IoCs
  pid: 4140
  Process: ocs_v71.exe
- System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description: Token: SeDebugPrivilege
  pid: 4140
  Process: ocs_v71.exe
- Suspicious use of SetWindowsHookEx 3 IoCs
  pid: 4764, Process: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe
  pid: 4140, Process: ocs_v71.exe
  pid: 4140, Process: ocs_v71.exe
- Suspicious use of WriteProcessMemory 2 IoCs
  description: PID 4764 wrote to memory of 4140, pid: 4764, Process: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe, procid_target: 84
  description: PID 4764 wrote to memory of 4140, pid: 4764, Process: 1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe, procid_target: 84
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1640f175d3a8a8dbec898eac431c6a51602f7e13a1a8a071cdccc33654ba17bcN.exe"
  PID: 4764
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe -install -54434257 -chipde -db7e868a8e924e148253e3e54abccf71 - -ChromeBundle -ahllnbnfjeegnfxv -196984
    PID: 4140
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 83B
  MD5: f85b6bb7cc677a28453727156d890f57
  SHA1: 7d2475f72ba4de1f72aa8ec5b7fb3c1c605eacd7
  SHA256: 414112a99f57371139fe2d858b30ec8fb427d4295974adac48719d34313e39f7
  SHA512: 3c3daa09b3261aea5ff3e508e5cd811f5956b0cb50946b6015328d6b98011a363766e331d7ae4200c53848f20d08122d0abaa51a5b1ae0c63c93dbac707d5638
- Filesize: 292KB
  MD5: ad68076fb58a634cba05c9396b0f20af
  SHA1: dabc08bdf0203f5946101a0eea51d494e87f67b9
  SHA256: dc712ebab17c0bf8d73a1c5b5b3b053fd1e665a2d6ad21eb5a9b34da6e844a5a
  SHA512: be7f294cd4835353ab121a2de655f4a99718096f078713bd1bc8c2d2a847937bafe6853b13bb7c41178f1b33aeacf3af3d13b80f1494cca4489472458a1b63ba