Resubmissions

  • 25/02/2024, 15:00  240225-sdjx1afb2s  7
  • 25/02/2024, 14:57  240225-sbvxgseb68  7
  • 25/02/2024, 14:51  240225-r8lveaeh9z  7

Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240221-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/02/2024, 14:57

General

  • Target: bat2exe.exe
  • Size: 966KB
  • MD5: 7a56c8b9ffdd23e6f7a2d0ee422e0eb7
  • SHA1: ada737e537318f5fb900865b6ecd5de9b8ae58f6
  • SHA256: a80c25d09bfc8bc4affb8e394a7254574b7e7e39404404775382f005e6a067c6
  • SHA512: ba4fc80b151e4a6b22a1601817f5a6bc2caa80ebb0762e8b8c6af571064bafc54d6d3029ca3f3d7d2e5a4aa1b5dd3bbcf5009bc95110680dcfd351f6bcf4cb20
  • SSDEEP: 24576:MddFMz0EHPf4R9urwd1Hj+2mZ1j6wF320ujMw91SnA4eOm4Bd7x:Mdd6z0sau41D+xr3O4wiA424Bj

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (24 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bat2exe.exe
    "C:\Users\Admin\AppData\Local\Temp\bat2exe.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS3DC4.tmp\bat2exe.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\mode.com
        MODE 90,50
        3⤵
        PID:4064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cscript //nologo bin\browse.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir /b /OD "C:\Users\Admin\Desktop\*.bat" "C:\Users\Admin\Desktop\*.cmd"
        3⤵
        PID:3720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir /b /OD "C:\Users\Admin\Desktop\*.ico"
        3⤵
        PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cscript //nologo bin\browse.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4012
  • C:\Windows\SysWOW64\cscript.exe
    cscript //nologo bin\browse.vbs
    1⤵
    • Modifies registry class
    PID:2404
  • C:\Windows\SysWOW64\cscript.exe
    cscript //nologo bin\browse.vbs
    1⤵
    • Modifies registry class
    PID:2360
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\g.txt
    1⤵
    • Modifies registry class
    • Opens file in notepad (likely ransom note)
    • Suspicious use of SetWindowsHookEx
    PID:3932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS3DC4.tmp\bat2exe.cmd
    Filesize: 9KB
    MD5: de17828363c64b86228226d8dd6b125c
    SHA1: ac63e42e54a2bc36d0a1e3b8dcbb3a3d65dde8dd
    SHA256: 3d86572d4a0f14634dfb2b1ec7caed5a55d053c25b32d840bc2de0130cdbc3c7
    SHA512: 78a1b06ba57921abea492bd7de00d3285a8e04f38883cfa08cbad708344192f43b902d580d4856c7cf4ead0e982f1f0b12e95229925672f88581ebcf5fe7ca82
  • C:\Users\Admin\AppData\Local\Temp\7zS3DC4.tmp\bin\browse.vbs
    Filesize: 928B
    MD5: 8580d8cab38506f200f4d935edcc19be
    SHA1: 02866d139fd8addedaef72521e245f713c5187b4
    SHA256: cbaf396ff11d723e0fff497c6b7afedabe6975bcb32b7512058732911111ab15
    SHA512: 6875831af53a0dd9de1de23fd30703fc851f129078699cb0b2331c41d2fd66a98fe0eb09cff208890563bc627533b8de793bb06e44746588109d0156857887a1