35e0fe26c9de0b99229a51a16792fa7d96ff395ac49c3e019ee7fe17500ac815

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23/09/2023, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ip ransom.bat
Size

1KB
MD5

25f60b3ad9c9b77b45793b55966a48cb
SHA1

c48243f44a9f287e4116f182c0c7dacce1589e9d
SHA256

35e0fe26c9de0b99229a51a16792fa7d96ff395ac49c3e019ee7fe17500ac815
SHA512

16dd56982d1596deb1ec1ef0bc1bdce803f5b1eb5a237a2c99197304da914eea4678798c151da82dbdc79d632b08ef2751e6c431a97b9a50b1fbac012f2a694a

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1216	notepad.exe
2768	notepad.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1216	2472	cmd.exe	29
PID 2472 wrote to memory of 1216	2472	cmd.exe	29
PID 2472 wrote to memory of 1216	2472	cmd.exe	29
PID 2472 wrote to memory of 604	2472	cmd.exe	30
PID 2472 wrote to memory of 604	2472	cmd.exe	30
PID 2472 wrote to memory of 604	2472	cmd.exe	30
PID 2472 wrote to memory of 1972	2472	cmd.exe	31
PID 2472 wrote to memory of 1972	2472	cmd.exe	31
PID 2472 wrote to memory of 1972	2472	cmd.exe	31
PID 2472 wrote to memory of 1892	2472	cmd.exe	32
PID 2472 wrote to memory of 1892	2472	cmd.exe	32
PID 2472 wrote to memory of 1892	2472	cmd.exe	32
PID 2472 wrote to memory of 2776	2472	cmd.exe	33
PID 2472 wrote to memory of 2776	2472	cmd.exe	33
PID 2472 wrote to memory of 2776	2472	cmd.exe	33
PID 2472 wrote to memory of 2592	2472	cmd.exe	34
PID 2472 wrote to memory of 2592	2472	cmd.exe	34
PID 2472 wrote to memory of 2592	2472	cmd.exe	34
PID 2472 wrote to memory of 2328	2472	cmd.exe	35
PID 2472 wrote to memory of 2328	2472	cmd.exe	35
PID 2472 wrote to memory of 2328	2472	cmd.exe	35
PID 2472 wrote to memory of 2644	2472	cmd.exe	36
PID 2472 wrote to memory of 2644	2472	cmd.exe	36
PID 2472 wrote to memory of 2644	2472	cmd.exe	36
PID 2472 wrote to memory of 2652	2472	cmd.exe	37
PID 2472 wrote to memory of 2652	2472	cmd.exe	37
PID 2472 wrote to memory of 2652	2472	cmd.exe	37
PID 2472 wrote to memory of 2712	2472	cmd.exe	38
PID 2472 wrote to memory of 2712	2472	cmd.exe	38
PID 2472 wrote to memory of 2712	2472	cmd.exe	38
PID 2472 wrote to memory of 2716	2472	cmd.exe	39
PID 2472 wrote to memory of 2716	2472	cmd.exe	39
PID 2472 wrote to memory of 2716	2472	cmd.exe	39
PID 2472 wrote to memory of 2768	2472	cmd.exe	41
PID 2472 wrote to memory of 2768	2472	cmd.exe	41
PID 2472 wrote to memory of 2768	2472	cmd.exe	41

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ip ransom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\Desktop\ip_info.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1216
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.enc"
  2⤵
  PID:604
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.enc"
  2⤵
  PID:1972
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7549.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7549.txt.enc"
  2⤵
  PID:1892
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI759E.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI759E.txt.enc"
  2⤵
  PID:2776
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7549.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7549.txt.enc"
  2⤵
  PID:2592
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI759E.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI759E.txt.enc"
  2⤵
  PID:2328
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_003426_930.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_003426_930.txt.enc"
  2⤵
  PID:2644
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_003428_506.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_003428_506.txt.enc"
  2⤵
  PID:2652
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt.enc"
  2⤵
  PID:2712
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_003412126-MSI_netfx_Full_x64.msi.txt" "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_003412126-MSI_netfx_Full_x64.msi.txt.enc"
  2⤵
  PID:2716
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\Desktop\how_to_recover_ur_files.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\how_to_recover_ur_files.txt

Filesize
458B

MD5
693a3515fa2bc416681692beeb63942c

SHA1
a2fb59a15102262b91dd725180d6373a68c8bea8

SHA256
6774c6bb7c7e1a803789c69dc4063a2917c1f9ee7dec3c2b77569f68e20c74e8

SHA512
9b42180f6e9c46469f57c8605c6623283808cf4d3c1f1755dd1db08d6c9fce7146b7122bb9149c7840c742d1cb31f8de307b60b7a763ea303dbaa1b3607c9f3c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads