02065326c23d7dbb2e4d2ba63e4b428ac397d0814f04ea64515f4cf2e5818487 | Triage

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-en
submitted
10-09-2021 18:51

Sharing

Report Analysis Logs

General

Target

core.bat
Size

222B
MD5

c1432ae7a15e7d43e44abeaa97bcc77d
SHA1

e348e5f29ed0d16511680f7b57a3b4feaf920026
SHA256

6422c2bff92af11fc31c710ca2e8bbe74a41b9e3db9103c64dd6e55baa0899f2
SHA512

cd73eac203805d233cac32e52aef6261611fa2c662346e3f83b4bc2b57d371ad9f81aee2a31531f3901a9eda03a32fb6a671d9c64b084e966de9cd5cb3ffd3cc

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1228 rundll32.exe
332 rundll32.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

532 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1228 rundll32.exe
1228 rundll32.exe
332 rundll32.exe
332 rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1420	AUDIODG.EXE
Token: 33	1420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1420	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1228	736	cmd.exe	rundll32.exe
PID 736 wrote to memory of 1228	736	cmd.exe	rundll32.exe
PID 736 wrote to memory of 1228	736	cmd.exe	rundll32.exe
PID 736 wrote to memory of 332	736	cmd.exe	rundll32.exe
PID 736 wrote to memory of 332	736	cmd.exe	rundll32.exe
PID 736 wrote to memory of 332	736	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vessel-64.dat,DllMain /i="license.dat"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vessel-64.dat,update /i="license.dat"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\core.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:532

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-54-0x0000000000000000-mapping.dmp

Download
memory/1228-53-0x0000000000000000-mapping.dmp

Download
memory/1608-55-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download