Analysis
- max time kernel: 140s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en
- submitted: 10-09-2021 18:51
Static task: static1
Behavioral task: behavioral1
- Sample: core.bat
- Resource: win7-en (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: core.bat
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral3
- Sample: vessel-64.dat.dll
- Resource: win7-en (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral4
- Sample: vessel-64.dat.dll
- Resource: win10-en (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: core.bat
- Size: 222B
- MD5: c1432ae7a15e7d43e44abeaa97bcc77d
- SHA1: e348e5f29ed0d16511680f7b57a3b4feaf920026
- SHA256: 6422c2bff92af11fc31c710ca2e8bbe74a41b9e3db9103c64dd6e55baa0899f2
- SHA512: cd73eac203805d233cac32e52aef6261611fa2c662346e3f83b4bc2b57d371ad9f81aee2a31531f3901a9eda03a32fb6a671d9c64b084e966de9cd5cb3ffd3cc
- Score: 5/10
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
  1228  rundll32.exe
  332   rundll32.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid, process):
  532   NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  1228  rundll32.exe
  1228  rundll32.exe
  332   rundll32.exe
  332   rundll32.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  Token: 33                          1420  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1420  AUDIODG.EXE
  Token: 33                          1420  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1420  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 736 wrote to memory of 1228  736  cmd.exe  rundll32.exe
  PID 736 wrote to memory of 1228  736  cmd.exe  rundll32.exe
  PID 736 wrote to memory of 1228  736  cmd.exe  rundll32.exe
  PID 736 wrote to memory of 332   736  cmd.exe  rundll32.exe
  PID 736 wrote to memory of 332   736  cmd.exe  rundll32.exe
  PID 736 wrote to memory of 332   736  cmd.exe  rundll32.exe
Processes (process tree; nested entries are child processes)
- C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\vessel-64.dat,DllMain /i="license.dat"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\vessel-64.dat,update /i="license.dat"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x57c
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\NOTEPAD.EXE
  command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\core.bat
  - Opens file in notepad (likely ransom note)