e36a54a26be5b33ead87dc7f26c411894f221eb1910a9f5620e50a49bd338d96

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.bat
Size

77KB
MD5

cddbddadd8c188821c4e7fdd5e5595a0
SHA1

a8357376deefab4889eb4e3fb192705618396f3d
SHA256

e36a54a26be5b33ead87dc7f26c411894f221eb1910a9f5620e50a49bd338d96
SHA512

18a0414c48111e57540c4926788070b083af6de7e8463d6b3b48977e997edc231ba9d8e0753bf6c9886d78ce186dd689ab420328d52c06de30273287adbe8f65
SSDEEP

384:DzqmB+m9dm9hm9rm99m93ml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTF:vjcIm8KcBn7Vl9oemQes2kfbx

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2692	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2032	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2420	notepad.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2420	2204	cmd.exe	29
PID 2204 wrote to memory of 2420	2204	cmd.exe	29
PID 2204 wrote to memory of 2420	2204	cmd.exe	29
PID 2204 wrote to memory of 2428	2204	cmd.exe	30
PID 2204 wrote to memory of 2428	2204	cmd.exe	30
PID 2204 wrote to memory of 2428	2204	cmd.exe	30
PID 2204 wrote to memory of 1992	2204	cmd.exe	31
PID 2204 wrote to memory of 1992	2204	cmd.exe	31
PID 2204 wrote to memory of 1992	2204	cmd.exe	31
PID 2204 wrote to memory of 1868	2204	cmd.exe	32
PID 2204 wrote to memory of 1868	2204	cmd.exe	32
PID 2204 wrote to memory of 1868	2204	cmd.exe	32
PID 2204 wrote to memory of 2032	2204	cmd.exe	33
PID 2204 wrote to memory of 2032	2204	cmd.exe	33
PID 2204 wrote to memory of 2032	2204	cmd.exe	33
PID 2204 wrote to memory of 2692	2204	cmd.exe	35
PID 2204 wrote to memory of 2692	2204	cmd.exe	35
PID 2204 wrote to memory of 2692	2204	cmd.exe	35
PID 2204 wrote to memory of 2708	2204	cmd.exe	36
PID 2204 wrote to memory of 2708	2204	cmd.exe	36
PID 2204 wrote to memory of 2708	2204	cmd.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2428	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\a.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\Desktop\how_to_recover_ur_files.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2420
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Views/modifies file attributes
  PID:2428
- C:\Windows\system32\format.com
  format C: /Q /y
  2⤵
  PID:1992
- C:\Windows\system32\mode.com
  mode con cols=107 lines=41
  2⤵
  PID:1868
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:2692
- C:\Windows\system32\findstr.exe
  findstr IPv4
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\how_to_recover_ur_files.txt

Filesize
113B

MD5
b746e614584014882296b377791ac508

SHA1
1fa84ea2a4c8f9cba4082ccce201b831757c88a0

SHA256
52ea21896de46419caa830d59491d159e8c6799fbd055e54bf44f509ba11d9c2

SHA512
bd979050d3cb84f695ff55387ff10e2592388b2e9d132c3e2dca045deefb802f6928fdaf3d97cde778d4b95d32d5acbf34c9eaa795fb9e401badf98c5e6151fe

Download Submit