1478f31605971c97463ad3ec0dbfdc8b3e89303a68cd8daafaafbd0958509cbc

Analysis

max time kernel
142s
max time network
135s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
23/10/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batchuscation.bat
Size

7.8MB
MD5

3f6bca5829569d15999fc56694a875e3
SHA1

baae70425126595a9fd7b3a5d804da1600903792
SHA256

1478f31605971c97463ad3ec0dbfdc8b3e89303a68cd8daafaafbd0958509cbc
SHA512

947cd42b07ca7794def3d5ed48dcd8c59d7681dc53434821f572fc89ef9fd9cb7b5d6160175d1d3e0772eb7412fd10a07e028e2c5fb5254315cbdbf5dfb0c201
SSDEEP

3072:tms6cy9/ODeCk2o638fu2BK5YWLfZHNi3eVNEegtPHLWjCSDaZQwgs7tg1gQ7pSm:p

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2440	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2064	4124	cmd.exe	72
PID 4124 wrote to memory of 2064	4124	cmd.exe	72
PID 4124 wrote to memory of 1876	4124	cmd.exe	73
PID 4124 wrote to memory of 1876	4124	cmd.exe	73
PID 4124 wrote to memory of 596	4124	cmd.exe	74
PID 4124 wrote to memory of 596	4124	cmd.exe	74
PID 4124 wrote to memory of 3600	4124	cmd.exe	75
PID 4124 wrote to memory of 3600	4124	cmd.exe	75
PID 4124 wrote to memory of 5076	4124	cmd.exe	76
PID 4124 wrote to memory of 5076	4124	cmd.exe	76
PID 4124 wrote to memory of 3512	4124	cmd.exe	77
PID 4124 wrote to memory of 3512	4124	cmd.exe	77
PID 4124 wrote to memory of 2672	4124	cmd.exe	78
PID 4124 wrote to memory of 2672	4124	cmd.exe	78
PID 4124 wrote to memory of 1676	4124	cmd.exe	79
PID 4124 wrote to memory of 1676	4124	cmd.exe	79
PID 4124 wrote to memory of 3852	4124	cmd.exe	80
PID 4124 wrote to memory of 3852	4124	cmd.exe	80
PID 4124 wrote to memory of 3824	4124	cmd.exe	81
PID 4124 wrote to memory of 3824	4124	cmd.exe	81
PID 4124 wrote to memory of 4900	4124	cmd.exe	82
PID 4124 wrote to memory of 4900	4124	cmd.exe	82
PID 4124 wrote to memory of 1128	4124	cmd.exe	83
PID 4124 wrote to memory of 1128	4124	cmd.exe	83
PID 4124 wrote to memory of 4796	4124	cmd.exe	84
PID 4124 wrote to memory of 4796	4124	cmd.exe	84
PID 4124 wrote to memory of 4232	4124	cmd.exe	85
PID 4124 wrote to memory of 4232	4124	cmd.exe	85
PID 4124 wrote to memory of 2436	4124	cmd.exe	86
PID 4124 wrote to memory of 2436	4124	cmd.exe	86
PID 4124 wrote to memory of 1588	4124	cmd.exe	87
PID 4124 wrote to memory of 1588	4124	cmd.exe	87
PID 4124 wrote to memory of 3660	4124	cmd.exe	88
PID 4124 wrote to memory of 3660	4124	cmd.exe	88
PID 4124 wrote to memory of 364	4124	cmd.exe	89
PID 4124 wrote to memory of 364	4124	cmd.exe	89
PID 4124 wrote to memory of 2448	4124	cmd.exe	90
PID 4124 wrote to memory of 2448	4124	cmd.exe	90
PID 4124 wrote to memory of 4576	4124	cmd.exe	91
PID 4124 wrote to memory of 4576	4124	cmd.exe	91
PID 4124 wrote to memory of 4024	4124	cmd.exe	92
PID 4124 wrote to memory of 4024	4124	cmd.exe	92
PID 4124 wrote to memory of 520	4124	cmd.exe	93
PID 4124 wrote to memory of 520	4124	cmd.exe	93
PID 4124 wrote to memory of 4520	4124	cmd.exe	94
PID 4124 wrote to memory of 4520	4124	cmd.exe	94
PID 4124 wrote to memory of 2948	4124	cmd.exe	95
PID 4124 wrote to memory of 2948	4124	cmd.exe	95
PID 4124 wrote to memory of 3700	4124	cmd.exe	96
PID 4124 wrote to memory of 3700	4124	cmd.exe	96
PID 4124 wrote to memory of 3828	4124	cmd.exe	97
PID 4124 wrote to memory of 3828	4124	cmd.exe	97
PID 4124 wrote to memory of 4208	4124	cmd.exe	98
PID 4124 wrote to memory of 4208	4124	cmd.exe	98
PID 4124 wrote to memory of 3832	4124	cmd.exe	99
PID 4124 wrote to memory of 3832	4124	cmd.exe	99
PID 4124 wrote to memory of 4656	4124	cmd.exe	100
PID 4124 wrote to memory of 4656	4124	cmd.exe	100
PID 4124 wrote to memory of 2316	4124	cmd.exe	101
PID 4124 wrote to memory of 2316	4124	cmd.exe	101
PID 4124 wrote to memory of 4512	4124	cmd.exe	102
PID 4124 wrote to memory of 4512	4124	cmd.exe	102
PID 4124 wrote to memory of 3364	4124	cmd.exe	103
PID 4124 wrote to memory of 3364	4124	cmd.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\batchuscation.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\system32\cmd.exe
  cmd /c exit 97
  2⤵
  PID:2064
- C:\Windows\system32\cmd.exe
  cmd /c exit 98
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  cmd /c exit 99
  2⤵
  PID:596
- C:\Windows\system32\cmd.exe
  cmd /c exit 100
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  cmd /c exit 101
  2⤵
  PID:5076
- C:\Windows\system32\cmd.exe
  cmd /c exit 102
  2⤵
  PID:3512
- C:\Windows\system32\cmd.exe
  cmd /c exit 103
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  cmd /c exit 104
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd /c exit 105
  2⤵
  PID:3852
- C:\Windows\system32\cmd.exe
  cmd /c exit 106
  2⤵
  PID:3824
- C:\Windows\system32\cmd.exe
  cmd /c exit 107
  2⤵
  PID:4900
- C:\Windows\system32\cmd.exe
  cmd /c exit 108
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  cmd /c exit 109
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  cmd /c exit 110
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd /c exit 111
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  cmd /c exit 112
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  cmd /c exit 113
  2⤵
  PID:3660
- C:\Windows\system32\cmd.exe
  cmd /c exit 114
  2⤵
  PID:364
- C:\Windows\system32\cmd.exe
  cmd /c exit 115
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  cmd /c exit 116
  2⤵
  PID:4576
- C:\Windows\system32\cmd.exe
  cmd /c exit 117
  2⤵
  PID:4024
- C:\Windows\system32\cmd.exe
  cmd /c exit 118
  2⤵
  PID:520
- C:\Windows\system32\cmd.exe
  cmd /c exit 119
  2⤵
  PID:4520
- C:\Windows\system32\cmd.exe
  cmd /c exit 120
  2⤵
  PID:2948
- C:\Windows\system32\cmd.exe
  cmd /c exit 121
  2⤵
  PID:3700
- C:\Windows\system32\cmd.exe
  cmd /c exit 122
  2⤵
  PID:3828
- C:\Windows\system32\cmd.exe
  cmd /c exit 65
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  cmd /c exit 66
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  cmd /c exit 67
  2⤵
  PID:4656
- C:\Windows\system32\cmd.exe
  cmd /c exit 68
  2⤵
  PID:2316
- C:\Windows\system32\cmd.exe
  cmd /c exit 69
  2⤵
  PID:4512
- C:\Windows\system32\cmd.exe
  cmd /c exit 70
  2⤵
  PID:3364
- C:\Windows\system32\cmd.exe
  cmd /c exit 71
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  cmd /c exit 72
  2⤵
  PID:508
- C:\Windows\system32\cmd.exe
  cmd /c exit 73
  2⤵
  PID:4556
- C:\Windows\system32\cmd.exe
  cmd /c exit 74
  2⤵
  PID:4100
- C:\Windows\system32\cmd.exe
  cmd /c exit 75
  2⤵
  PID:792
- C:\Windows\system32\cmd.exe
  cmd /c exit 76
  2⤵
  PID:4524
- C:\Windows\system32\cmd.exe
  cmd /c exit 77
  2⤵
  PID:2092
- C:\Windows\system32\cmd.exe
  cmd /c exit 78
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  cmd /c exit 79
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  cmd /c exit 80
  2⤵
  PID:3260
- C:\Windows\system32\cmd.exe
  cmd /c exit 81
  2⤵
  PID:3300
- C:\Windows\system32\cmd.exe
  cmd /c exit 82
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  cmd /c exit 83
  2⤵
  PID:3928
- C:\Windows\system32\cmd.exe
  cmd /c exit 84
  2⤵
  PID:4948
- C:\Windows\system32\cmd.exe
  cmd /c exit 85
  2⤵
  PID:4924
- C:\Windows\system32\cmd.exe
  cmd /c exit 86
  2⤵
  PID:5052
- C:\Windows\system32\cmd.exe
  cmd /c exit 87
  2⤵
  PID:5016
- C:\Windows\system32\cmd.exe
  cmd /c exit 88
  2⤵
  PID:5008
- C:\Windows\system32\cmd.exe
  cmd /c exit 89
  2⤵
  PID:4204
- C:\Windows\system32\cmd.exe
  cmd /c exit 90
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  cmd /c exit 48
  2⤵
  PID:4920
- C:\Windows\system32\cmd.exe
  cmd /c exit 49
  2⤵
  PID:5080
- C:\Windows\system32\cmd.exe
  cmd /c exit 50
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  cmd /c exit 51
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  cmd /c exit 52
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  cmd /c exit 53
  2⤵
  PID:5100
- C:\Windows\system32\cmd.exe
  cmd /c exit 54
  2⤵
  PID:4588
- C:\Windows\system32\cmd.exe
  cmd /c exit 55
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  cmd /c exit 56
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  cmd /c exit 57
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  cmd /c exit 123
  2⤵
  PID:1844
- C:\Windows\system32\cmd.exe
  cmd /c exit 125
  2⤵
  PID:4592
- C:\Windows\system32\cmd.exe
  cmd /c exit 63
  2⤵
  PID:4800
- C:\Windows\system32\cmd.exe
  cmd /c exit 58
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd /c exit 46
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  cmd /c exit 61
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  cmd /c exit 44
  2⤵
  PID:3584
- C:\Windows\system32\cmd.exe
  cmd /c exit 95
  2⤵
  PID:4364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1668

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\batchuscation.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2440

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads