ce229ce6a57f1c3b7c1ebd39d83032165bf21027e58e5cba133fa92e0df32c0d

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 14:33

Target

launcher.bat
Size

82B
MD5

57a97b0b1b4d1f1418acb99e27c61423
SHA1

bd9a011eeaf67e32a0242675ee2214105947a408
SHA256

aa64b11b87f40593764f6b9a9fb2b87ab0cce1059305834862be0a5844308b7d
SHA512

c72c6cdd07d9ee843d2bdc7a5eb19e3c29caf2781535b6ceafcf3a0cc63ef2ca57cc26da9b9c7e6ae08e031295c9fb6651a86e7d0502715a6fbddde53417b466

Score

1^/10

Opens file in notepad (likely ransom note) 2 IoCs

pid	Process
2944	NOTEPAD.EXE
1612	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2852	1752	cmd.exe	30
PID 1752 wrote to memory of 2852	1752	cmd.exe	30
PID 1752 wrote to memory of 2852	1752	cmd.exe	30
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2852 wrote to memory of 1400	2852	rundll32.exe	31
PID 2504 wrote to memory of 2868	2504	cmd.exe	40
PID 2504 wrote to memory of 2868	2504	cmd.exe	40
PID 2504 wrote to memory of 2868	2504	cmd.exe	40
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41
PID 2868 wrote to memory of 2908	2868	rundll32.exe	41

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\rundll32.exe
  rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
    3⤵
    PID:1400

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2648

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2944

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\launcher.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\system32\rundll32.exe
  rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
    3⤵
    PID:2908

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\launcher.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1612

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\launcher.bat" "
1⤵
PID:2788
- C:\Windows\system32\rundll32.exe
  rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe AlmiqueArtilleryman_pkb3.dll, Throw
    3⤵
    PID:1976

C:\Users\Admin\AppData\Local\Temp\launcher.bat

Filesize
88B

MD5
2f1086d62e79ba2fc3d9206e9c9a7325

SHA1
1392cd1561ba5b6e4c5714872e39c8c5dc9dfcda

SHA256
773478dde6b5d1b913faf422164d81327529a39f126a846880071f2c06fd8b9f

SHA512
ca40a58db2a564d578c88fc66600dcef6dcda2cf0887580aa006573558438e85187863e22c9226b68934ccbb985a83574d95a6c122a6c7d3f9bb0f5eed4004ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.bat

Filesize
88B

MD5
2f1086d62e79ba2fc3d9206e9c9a7325

SHA1
1392cd1561ba5b6e4c5714872e39c8c5dc9dfcda

SHA256
773478dde6b5d1b913faf422164d81327529a39f126a846880071f2c06fd8b9f

SHA512
ca40a58db2a564d578c88fc66600dcef6dcda2cf0887580aa006573558438e85187863e22c9226b68934ccbb985a83574d95a6c122a6c7d3f9bb0f5eed4004ed

Download Submit
memory/1400-0-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/1400-1-0x0000000010000000-0x00000000100C7000-memory.dmp

Filesize
796KB

Download
memory/1400-6-0x000000006FC80000-0x000000006FDD5000-memory.dmp

Filesize
1.3MB

Download
memory/1976-43-0x000000006FC80000-0x000000006FDD5000-memory.dmp

Filesize
1.3MB

Download
memory/2908-23-0x000000006FC80000-0x000000006FDD5000-memory.dmp

Filesize
1.3MB

Download