a1e6c9e5074eeea8e0a430d3b2c49f9330ac9ea52770fe87cc833a7f3eca9114

Resubmissions

03-02-2024 23:42

240203-3qaj7sceg9 1

03-02-2024 23:39

240203-3m89csehbq 3

03-02-2024 23:35

240203-3k4k4acea5 1

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

programs.rar/Quiz/Quiz.bat
Size

1KB
MD5

e02d012ddb31d4dfe66d3f2c5dc94110
SHA1

4d823c77c5f6c1dd7f76c3cd25518a6f4c56ee0e
SHA256

7bbddca55507d767f303ccb46f62032c532e408edd4c0f183e04ca296d518c79
SHA512

a5779bca3a823e732743d1cb5f2ca187c0c065e7d0af325c0964aaf6820bd1316c08a4e92df01a65c038ff134e0b70e42bf40439ef03e1c4be21fbd77f2621e7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2816	NOTEPAD.EXE
2584	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2816	1216	cmd.exe	29
PID 1216 wrote to memory of 2816	1216	cmd.exe	29
PID 1216 wrote to memory of 2816	1216	cmd.exe	29
PID 1216 wrote to memory of 2584	1216	cmd.exe	32
PID 1216 wrote to memory of 2584	1216	cmd.exe	32
PID 1216 wrote to memory of 2584	1216	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\programs.rar\Quiz\Quiz.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\programs.rar\Quiz\First.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2816
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\programs.rar\Quiz\Bruh.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\programs.rar\Quiz\Bruh.txt

Filesize
5B

MD5
260425a51e05f557b8dccc3b0d9f7b4b

SHA1
78c82b2423ec5de83d44e73ef95add33211e9621

SHA256
ea45208a8f09ca021df7582bebb56bc02e91e4c571860c630212f67684550326

SHA512
ee5bd57f62fb691cd69caaf4f879eeeb29ef400d8a795f622758e1c16af17dff05fa4b6c62fb0131f58222b4e24c2dd44cab916a59e3b2fbbf5e8663729cfa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\programs.rar\Quiz\First.txt

Filesize
18B

MD5
81b061b6e11c6b6aad157082eb353b91

SHA1
ed0ed21f0044f6c82e0737f89046bb4d4daf4beb

SHA256
94cbe7ce5fa2844226e20a075db972e96b38a0fa0e391826c5e798b359028d86

SHA512
65a74f8daf73364e810036d4f7adb5bfd00a1206cc7d9026661b3c9ff2e519262f953ccc9126918d276e972bbf3bd194adbd16121940e6001ed6c2fe0a204aad

Download Submit
memory/2584-48-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download