Overview

overview

10

Static

static

3

AlmiqueArt...b3.dll

windows7-x64

3

AlmiqueArt...b3.dll

windows10-2004-x64

3

launcher.bat

windows7-x64

1

launcher.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2023 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    launcher.bat

  • Size

    82B

  • MD5

    57a97b0b1b4d1f1418acb99e27c61423

  • SHA1

    bd9a011eeaf67e32a0242675ee2214105947a408

  • SHA256

    aa64b11b87f40593764f6b9a9fb2b87ab0cce1059305834862be0a5844308b7d

  • SHA512

    c72c6cdd07d9ee843d2bdc7a5eb19e3c29caf2781535b6ceafcf3a0cc63ef2ca57cc26da9b9c7e6ae08e031295c9fb6651a86e7d0502715a6fbddde53417b466

Score
1/10

Malware Config

Signatures

  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\rundll32.exe
      rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
        3⤵
          PID:1400
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:2648
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:2944
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\launcher.bat" "
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\system32\rundll32.exe
          rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
            3⤵
              PID:2908
        • C:\Windows\System32\NOTEPAD.EXE
          "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:1612
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\launcher.bat" "
          1⤵
            PID:2788
            • C:\Windows\system32\rundll32.exe
              rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
              2⤵
                PID:2772
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
                  3⤵
                    PID:1976

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\launcher.bat
                Filesize

                88B

                MD5

                2f1086d62e79ba2fc3d9206e9c9a7325

                SHA1

                1392cd1561ba5b6e4c5714872e39c8c5dc9dfcda

                SHA256

                773478dde6b5d1b913faf422164d81327529a39f126a846880071f2c06fd8b9f

                SHA512

                ca40a58db2a564d578c88fc66600dcef6dcda2cf0887580aa006573558438e85187863e22c9226b68934ccbb985a83574d95a6c122a6c7d3f9bb0f5eed4004ed

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\launcher.bat
                Filesize

                88B

                MD5

                2f1086d62e79ba2fc3d9206e9c9a7325

                SHA1

                1392cd1561ba5b6e4c5714872e39c8c5dc9dfcda

                SHA256

                773478dde6b5d1b913faf422164d81327529a39f126a846880071f2c06fd8b9f

                SHA512

                ca40a58db2a564d578c88fc66600dcef6dcda2cf0887580aa006573558438e85187863e22c9226b68934ccbb985a83574d95a6c122a6c7d3f9bb0f5eed4004ed

                Download Submit
              • memory/1400-0-0x0000000000160000-0x0000000000163000-memory.dmp
                Filesize

                12KB

                Download
              • memory/1400-1-0x0000000010000000-0x00000000100C7000-memory.dmp
                Filesize

                796KB

                Download
              • memory/1400-6-0x000000006FC80000-0x000000006FDD5000-memory.dmp
                Filesize

                1.3MB

                Download
              • memory/1976-43-0x000000006FC80000-0x000000006FDD5000-memory.dmp
                Filesize

                1.3MB

                Download
              • memory/2908-23-0x000000006FC80000-0x000000006FDD5000-memory.dmp
                Filesize

                1.3MB

                Download