Analysis
-
max time kernel
0s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
01-01-2024 15:12
General
-
Target
81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe
-
Size
1.1MB
-
MD5
7d1c7ce6a2f202bb5df3f45c7f62bac3
-
SHA1
50a9f5b3130b14d5a18b418e9c355586eaecf4fb
-
SHA256
81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740
-
SHA512
48b20444b0d72a37ecbed0969e2a9d9be3efc51d75e1283bc755cad10068fb40055430dc1fc4b295aae3d31d71de86d84b4f1c29da8636a3ef0baf014eaf82cd
-
SSDEEP
24576:RsBH9jqVwCwh/RICu4upRwIzAKXRYVN2uaj7MM1By+hm:uH9jJ9RspRwIDRiJak2By+hm
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 10 IoCs
-
Enumerates processes with tasklist 1 TTPs 11 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv2⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"C:\Users\Admin\AppData\Local\Temp\81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak3⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\find.exefind /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"1⤵
-
C:\Windows\SysWOW64\find.exefind /i "os name"1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak1⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet1⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo1⤵
- Gathers system information
-
C:\Windows\SysWOW64\tasklist.exetasklist /v1⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /i "original"1⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo1⤵
- Gathers system information
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\h4_svc.batFilesize
2KB
MD509f8d44c69e9eae827e435cde094de21
SHA14840b8ef91578374c17e003ab3eaa6750f9be7d9
SHA2564359939b1e129a575f53227297b469e519f452803b295f11c466a3be692b5102
SHA512579f090a25afb16b0201c22786c5e9ad47cfa5bb3f998d2baa96e0aba0081efa71220a994c58accf0d2d6da0cbe4d545a8b41018a59c1e78ead4e7f35c18b405
-
C:\Users\Admin\AppData\t2_svc.batFilesize
138B
MD5702f5dc6f9dec28c8c9b7b6885c9fe09
SHA1dbb85da6de899deb21ce0a8f25c1726cd19e49e8
SHA25620bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
SHA512fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7
-
C:\Users\Admin\AppData\v9_svc.vbsFilesize
686B
MD5e9c50acda9063b2462697bdbd0a0dfe2
SHA1d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
SHA256f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
SHA512d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9