e36a54a26be5b33ead87dc7f26c411894f221eb1910a9f5620e50a49bd338d96

Analysis

max time kernel
100s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 04:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a.bat
Size

77KB
MD5

cddbddadd8c188821c4e7fdd5e5595a0
SHA1

a8357376deefab4889eb4e3fb192705618396f3d
SHA256

e36a54a26be5b33ead87dc7f26c411894f221eb1910a9f5620e50a49bd338d96
SHA512

18a0414c48111e57540c4926788070b083af6de7e8463d6b3b48977e997edc231ba9d8e0753bf6c9886d78ce186dd689ab420328d52c06de30273287adbe8f65
SSDEEP

384:DzqmB+m9dm9hm9rm99m93ml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTF:vjcIm8KcBn7Vl9oemQes2kfbx

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1144	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1856	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4988	notepad.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	taskkill.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4988	1688	cmd.exe	83
PID 1688 wrote to memory of 4988	1688	cmd.exe	83
PID 1688 wrote to memory of 3568	1688	cmd.exe	84
PID 1688 wrote to memory of 3568	1688	cmd.exe	84
PID 1688 wrote to memory of 2968	1688	cmd.exe	85
PID 1688 wrote to memory of 2968	1688	cmd.exe	85
PID 1688 wrote to memory of 3832	1688	cmd.exe	88
PID 1688 wrote to memory of 3832	1688	cmd.exe	88
PID 1688 wrote to memory of 1856	1688	cmd.exe	89
PID 1688 wrote to memory of 1856	1688	cmd.exe	89
PID 1688 wrote to memory of 1144	1688	cmd.exe	91
PID 1688 wrote to memory of 1144	1688	cmd.exe	91
PID 1688 wrote to memory of 4316	1688	cmd.exe	92
PID 1688 wrote to memory of 4316	1688	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3568	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\Desktop\how_to_recover_ur_files.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4988
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Views/modifies file attributes
  PID:3568
- C:\Windows\system32\format.com
  format C: /Q /y
  2⤵
  PID:2968
- C:\Windows\system32\mode.com
  mode con cols=107 lines=41
  2⤵
  PID:3832
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1144
- C:\Windows\system32\findstr.exe
  findstr IPv4
  2⤵
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\how_to_recover_ur_files.txt

Filesize
113B

MD5
b746e614584014882296b377791ac508

SHA1
1fa84ea2a4c8f9cba4082ccce201b831757c88a0

SHA256
52ea21896de46419caa830d59491d159e8c6799fbd055e54bf44f509ba11d9c2

SHA512
bd979050d3cb84f695ff55387ff10e2592388b2e9d132c3e2dca045deefb802f6928fdaf3d97cde778d4b95d32d5acbf34c9eaa795fb9e401badf98c5e6151fe

Download Submit