Analysis

  • max time kernel
    117s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2023 04:18

General

  • Target

    aa.bat

  • Size

    77KB

  • MD5

    da7c13ec8098e54b5b090d8d9a4a6f73

  • SHA1

    6eaff65099a89ceee06dba2a1bf46a9c0dda3a93

  • SHA256

    44a7c5d45ffcfc207f33f40bf97a48823c2d3a19c0bb9a0c54e32c0e45c0ae91

  • SHA512

    c94b108ee87002e0e595e51d8d5b74c3a74d8d5b2c02daf989b00cec4cf29545f5d7e7d2164f09c7bb443bc953bc9262e70017c0150caf20067d364ea6be0472

  • SSDEEP

    384:wzqmB+m9dm9hm9rm99m93ml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTF:8jcIm8KcBn7Vl9oemQes2kfbx

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\how_to_recover_ur_files.txt

Ransom Note
Attention! Your files have been encrypted and are inaccessible. If you want to recover them, you must pay a ransom of $300 to the following bitcoin address: 3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr. Failure to comply will result in permanent loss of your files. Once the payment is made, you will get a password decryption key and the files will be decrypted and restored.
Wallets

3BKuiDHNSbdCdK8fHTUxCB4GRBiuKUrMzr

Signatures

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\aa.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\system32\notepad.exe
      notepad "C:\Users\Admin\Desktop\how_to_recover_ur_files.txt"
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2020
    • C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Local\Temp\aa.bat
      2⤵
      • Views/modifies file attributes
      PID:1880
    • C:\Windows\system32\format.com
      format C: /Q /y
      2⤵
      PID:1732
    • C:\Windows\system32\mode.com
      mode con cols=107 lines=41
      2⤵
      PID:2168
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
    • C:\Windows\system32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:2600
    • C:\Windows\system32\findstr.exe
      findstr IPv4
      2⤵
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\how_to_recover_ur_files.txt

    Filesize

    369B

    MD5

    743b384f47114963d95a52f96c329c82

    SHA1

    4ead08c0b666b8ac046bef87d96dfe1e134015e4

    SHA256

    3a5bc5ffa529b066c9186003616aec8d3637238a2d06c64fecd6742ca882494e

    SHA512

    0053de4a62a491ee268029f5f390b9b13847562e9378b0db25e7ee2f5104e437498e75116d95a197de460e2f08d2e687f5d0393aee2b671d8968d85396cbf5fd