Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2023 19:44
Static task: static1
Behavioral task: behavioral1
- Sample: #πΎπ βπππΌβπ ππ.π.bat
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: #πΎπ βπππΌβπ ππ.π.bat
- Resource: win10v2004-20231127-en
General
- Target: #πΎπ βπππΌβπ ππ.π.bat
- Size: 20KB
- MD5: a7793c10f4e024c789964be67375ab2a
- SHA1: 988d0af9a4ca435dd084ce541a250f6ba57f590a
- SHA256: 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
- SHA512: 50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
- SSDEEP: 384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
  pid   process
  3020  notepad.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                         pid   process   target process
  PID 2568 wrote to memory of 1652    2568  cmd.exe   cacls.exe
  PID 2568 wrote to memory of 1652    2568  cmd.exe   cacls.exe
  PID 2568 wrote to memory of 1652    2568  cmd.exe   cacls.exe
  PID 2568 wrote to memory of 3020    2568  cmd.exe   notepad.exe
  PID 2568 wrote to memory of 3020    2568  cmd.exe   notepad.exe
  PID 2568 wrote to memory of 3020    2568  cmd.exe   notepad.exe
  PID 2568 wrote to memory of 2580    2568  cmd.exe   PING.EXE
  PID 2568 wrote to memory of 2580    2568  cmd.exe   PING.EXE
  PID 2568 wrote to memory of 2580    2568  cmd.exe   PING.EXE
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\#πΎπ βπππΌβπ ππ.π.bat"
  - Suspicious use of WriteProcessMemory
  - PID: 2568
  - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    - PID: 1652
  - C:\Windows\system32\notepad.exe
    notepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt
    - Opens file in notepad (likely ransom note)
    - PID: 3020
  - C:\Windows\system32\PING.EXE
    ping -n 5 127.0.0.1
    - Runs ping.exe
    - PID: 2580