Overview

overview

10

Static

static

Article.bat

windows10-1703-x64

3

Article.bat

windows10-2004-x64

10

doc.lnk

windows10-1703-x64

3

doc.lnk

windows10-2004-x64

10

storage.dll

windows10-1703-x64

10

storage.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    64s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-01-2023 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Article.bat

  • Size

    2KB

  • MD5

    1125f24c48e34f0bc7544ad81f890504

  • SHA1

    c155043c586f26f2c778725e410a69127e5e3ee4

  • SHA256

    cccb4f9ab30b6a7f63f1934b99dde29905b3ea4138e5701ea3d349ef83115de8

  • SHA512

    50d6e6c3b473ca7aa397cc73c47ad930be66a1fc9f305db6a64542b8b58944b35546628447fe91fc5b0852fd63d65ad17d36899d0acf2a0e06639f7a36f2e07c

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Article.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\system32\xcopy.exe
      xcopy /h /y storage.dll C:\ProgramData
      2⤵
        PID:4872
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\KIH0o7s0zWO1hL.exe
        2⤵
          PID:4924
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4516

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads