e51b9adf091ae6350a1f9de6c8ae852f69af7c66c1cb4c20957bf4d3590ffe25

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Michikow Ransomware.bat
Size

2KB
MD5

fc682b60d081940dc6d71587f6e92db9
SHA1

8a4034bb5c515dfcc48bfb3b0dc592b5e5277fb8
SHA256

e51b9adf091ae6350a1f9de6c8ae852f69af7c66c1cb4c20957bf4d3590ffe25
SHA512

4ae9d4f146613a236c3e0822912da757d5497588aadd29515a9228f02b1dbb68db7de8af629d72447fa219ac37b25410e8efffc77a7ba426e3d0141b3dcf2815

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
668	PING.EXE
228	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 800	2520	cmd.exe	85
PID 2520 wrote to memory of 800	2520	cmd.exe	85
PID 2520 wrote to memory of 668	2520	cmd.exe	86
PID 2520 wrote to memory of 668	2520	cmd.exe	86
PID 2520 wrote to memory of 212	2520	cmd.exe	87
PID 2520 wrote to memory of 212	2520	cmd.exe	87
PID 2520 wrote to memory of 228	2520	cmd.exe	88
PID 2520 wrote to memory of 228	2520	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Michikow Ransomware.bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\mode.com
  MODE CON: COLS=70 LINES=20
  2⤵
  PID:800
- C:\Windows\system32\PING.EXE
  ping localhost -n 5
  2⤵
  - Runs ping.exe
  PID:668
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00000.vbs"
  2⤵
  PID:212
- C:\Windows\system32\PING.EXE
  ping localhost -n 5
  2⤵
  - Runs ping.exe
  PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000.vbs

Filesize
59B

MD5
39803af07227b69d6990d70e85b1faaf

SHA1
17facd6b84b7e0b36a67e93b59b4cde51580f758

SHA256
09b124c1b3194d9aaba231fadb1efd5dd683ae0e5f7e98c76c1bd4f3ca0e839b

SHA512
afd57ae3b2a83282a974d128d9f201f2fc6b0a439f27ca4c5d7b12b05af830d0918e0f0b9e54786954114bb453f76cecda0bac30b011ab71bb815755cd23ef35

Download Submit