458356522cd7f251a4e86b87fbcdf375f81a9ddc9af7f9c6e2a166c1a1d4c1f9

Analysis

max time kernel
24s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransom.bat
Size

772B
MD5

65fa17810ee502541074b1cf56381270
SHA1

ed6358e7d3e5e1aa48af83f30d296ed5919418c4
SHA256

458356522cd7f251a4e86b87fbcdf375f81a9ddc9af7f9c6e2a166c1a1d4c1f9
SHA512

8ef0778c77e6bf68ad8a085d74434fb4fe7d39c091b23f6515bf22a55e600750e06a83ebc3c9655f8e2ba4036a4ce76fcfa4f28df27dbbd6d8f949da082bc54a

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2132	timeout.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 116	5032	cmd.exe	89
PID 5032 wrote to memory of 116	5032	cmd.exe	89
PID 5032 wrote to memory of 3932	5032	cmd.exe	90
PID 5032 wrote to memory of 3932	5032	cmd.exe	90
PID 5032 wrote to memory of 3528	5032	cmd.exe	91
PID 5032 wrote to memory of 3528	5032	cmd.exe	91
PID 5032 wrote to memory of 2576	5032	cmd.exe	92
PID 5032 wrote to memory of 2576	5032	cmd.exe	92
PID 5032 wrote to memory of 4716	5032	cmd.exe	93
PID 5032 wrote to memory of 4716	5032	cmd.exe	93
PID 5032 wrote to memory of 1640	5032	cmd.exe	96
PID 5032 wrote to memory of 1640	5032	cmd.exe	96
PID 5032 wrote to memory of 4612	5032	cmd.exe	97
PID 5032 wrote to memory of 4612	5032	cmd.exe	97
PID 5032 wrote to memory of 4052	5032	cmd.exe	98
PID 5032 wrote to memory of 4052	5032	cmd.exe	98
PID 5032 wrote to memory of 4992	5032	cmd.exe	100
PID 5032 wrote to memory of 4992	5032	cmd.exe	100
PID 5032 wrote to memory of 4640	5032	cmd.exe	101
PID 5032 wrote to memory of 4640	5032	cmd.exe	101
PID 5032 wrote to memory of 3648	5032	cmd.exe	102
PID 5032 wrote to memory of 3648	5032	cmd.exe	102
PID 5032 wrote to memory of 4964	5032	cmd.exe	103
PID 5032 wrote to memory of 4964	5032	cmd.exe	103
PID 5032 wrote to memory of 1836	5032	cmd.exe	104
PID 5032 wrote to memory of 1836	5032	cmd.exe	104
PID 5032 wrote to memory of 2128	5032	cmd.exe	105
PID 5032 wrote to memory of 2128	5032	cmd.exe	105
PID 5032 wrote to memory of 888	5032	cmd.exe	106
PID 5032 wrote to memory of 888	5032	cmd.exe	106
PID 5032 wrote to memory of 1736	5032	cmd.exe	107
PID 5032 wrote to memory of 1736	5032	cmd.exe	107
PID 5032 wrote to memory of 1516	5032	cmd.exe	108
PID 5032 wrote to memory of 1516	5032	cmd.exe	108
PID 5032 wrote to memory of 2132	5032	cmd.exe	109
PID 5032 wrote to memory of 2132	5032	cmd.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ransom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log-MSI_vc_red.msi.txt.enc"
  2⤵
  PID:116
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x64.log.html" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log.html.enc"
  2⤵
  PID:3932
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log-MSI_vc_red.msi.txt.enc"
  2⤵
  PID:3528
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2010_x86.log.html" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log.html.enc"
  2⤵
  PID:2576
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.enc"
  2⤵
  PID:4716
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.enc"
  2⤵
  PID:1640
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.enc"
  2⤵
  PID:4612
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.enc"
  2⤵
  PID:4052
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.enc"
  2⤵
  PID:4992
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.enc"
  2⤵
  PID:4640
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.enc"
  2⤵
  PID:3648
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.enc"
  2⤵
  PID:4964
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.enc"
  2⤵
  PID:1836
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.enc"
  2⤵
  PID:2128
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.enc"
  2⤵
  PID:888
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log" "C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.enc"
  2⤵
  PID:1736
- C:\Windows\system32\msg.exe
  msg * Your files have been encrypted Send $30 worth of Bitcoin to bc1q7ze0jx5ktwn8vyfw8cs2yzpcyks274fmh3ny2d to get the decryption key.
  2⤵
  PID:1516
- C:\Windows\system32\timeout.exe
  timeout /t 1800 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log-MSI_vc_red.msi.txt.enc

Filesize
521KB

MD5
409ae73d57f023aa81bdcd26413459e3

SHA1
86302e56fc77bc2dab6ad6cfde1188633bce0c85

SHA256
65ac76dcae4367896b21f883e5dc97fd8a8285a68fc5c0c469f0758089267729

SHA512
8ee4465b6d8867bb06c80e8078a18ca19e6320918e735af38724c4c22bdae3d145f32bf87f31ddfb0b3cee8c3c8c4514b3f98ecef133425e13d7024f9397e0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x64.log.html.enc

Filesize
118KB

MD5
f94298a5ebdcb9d792f5c78346e1417e

SHA1
8736abf9f2e7b6355b066ae496f32e5ec3488643

SHA256
448872b77d6aad6e2dc44842230e2581fc4d0cbec2a8287c227478c0bbf8ce4d

SHA512
eaa1e84c0d6da70f43614b82647d4ea014bf3e91baf81a0bca539be03245e192bbab82a7b3831f2f73949eee07e951ad6db2e552cc3269392fca4a98cf5a9434

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log-MSI_vc_red.msi.txt.enc

Filesize
545KB

MD5
aa8566bde04127af8347e5bffd1d9628

SHA1
b3cc64e0473acdcbb784ae03ae33f16b8092081e

SHA256
03c75f815086c72f488d322703c8d3579af2801c9e26baf7886f5f04440737dc

SHA512
0afce04f88366a320f541371cbd93460d8d3c685ed0935e3e8458cc1717ac6ffb2217dba0d815aa9a65917e18808e7265d2c070cc3e297749fd2af6de928cd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.log.html.enc

Filesize
112KB

MD5
4f938d971224824a7b9e0e1170a5e710

SHA1
c7c582307c32d7936e4227f0783ee52c4e0e7d51

SHA256
600ac973b477fabe26575dd7677e3c150253268308af10ea39d36a3b8b3299fa

SHA512
041ce9f19c9a8d5f6b0df41259778ac83bde9d20ac0f531cdc34c79404436a1a5de68dcd87000a83aeab407099c1776182a2d2dd2f9e4af5dab266a4ffbf2119

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.enc

Filesize
231KB

MD5
2d607f2cbd40e5e15bdce85823a6f569

SHA1
d84079ab56386a945ad5cc9947ea248600cd9f90

SHA256
ecb2cc35ad1da2443d996c47d936d2bda5a8f4440c32f59260e3a9d198105170

SHA512
72268c9526d76d3ec0a3c4a4d587d87dfc4f86d38849cd3727f46f1561c8b22e0ee264909e8eb7436a9f1a3e6a5420075fe9198d90c74b44f324f0e86161ceeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.enc

Filesize
268KB

MD5
549660db864179a50f40b25660796d60

SHA1
b740926738a41202af203e191e482eb8066c253f

SHA256
29c7cd0cca84d6d1bd1486f1c285fe28d1cbca251b4482ed3c9af24e9756009e

SHA512
772c04ffb239d2a9be0db1179de758a33d33587013425a1aba75e3b3e44f6eaff2d60001169a593ae3773a6e4c437e3491e773fae59a960b06aae307061bad8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.enc

Filesize
235KB

MD5
b5dca3073161a767ab1207ef73f85ae2

SHA1
fc6b182c6df8e0195221cc4da7c3c2624c13d734

SHA256
356ef239a1959998d071584b83e394e41351fe60f5bd2a5bf71e74a075d672b6

SHA512
56b37d09bf46e42bbb49a1190e8f0336331ada22c10dd6319ecbf18309cda823ae8d1c893f9ff3a017c996dbc390b130f53b3add25b4d75c76241fcceca28754

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.enc

Filesize
287KB

MD5
13165915f450ecc6a2db78c862bcf672

SHA1
98f89ece7a37609cfc12f5f718f625259bf9d1bb

SHA256
0b180bfbd5f59c4f048d8b275b7be6ed01fa01c54c4ef7489b5bb1f8519537f4

SHA512
e6b2fdd3c438b15bad2c456db9997c689c38108bcc7f752a201368d0902ecfa649b923b5bd5582cfcaae264a5793734a9dcf7b7dc4f1a2c7d7c256e68819caee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.enc

Filesize
234KB

MD5
820a733517481f4de45978cb102f3230

SHA1
7fcf556d5b7c8e1aec3c940ab5db3ff3c0a71a01

SHA256
1c78408f6552dfdc218ecb3bc34699c34c44344ee68f6d6b417d12de52e7685e

SHA512
bd5d88388428d170a2acec056cfe716a7b8565c822e9fa4eee754778d34751b8b3f9fca962aac9d23651797fa35e96704facc339710f2ac5dd2f694a775c7351

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.enc

Filesize
262KB

MD5
21deb4e347e42b7a4ed7865d89f5ca04

SHA1
99618d3fbf0a983128867e0d532459a53264d46b

SHA256
e87fe954f9bb31f0eb3398aa12f6e84814971e2ff6e33b0704835277c26c7583

SHA512
207094c36c0fd526e08ae9535b228a0e3ac19d024f4affcac617531603c4d9b81d8b999e69d2c24c6461493d4ee8fe398451cee290315acf33d16ac0095c7646

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.enc

Filesize
234KB

MD5
2753f313f2ee5bfc9a149904a3c00fb6

SHA1
ef4c77e9b65085f1b7ed6407ce5517b98116d21e

SHA256
4c772b57c41e9c6dda6e77a1c0837115bc2408d031ef0a2c9efb234b8f591b48

SHA512
7e266350dca87116d47c4ea5e999dbb3b62b45f23ff629fb7ef5057f67890b72f6916e235caf6f40e23239ed00d7501ed13f4c7432beed53725eb3a8a5ea4f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.enc

Filesize
273KB

MD5
db1a33eb39d97168e0ac5c346b7101c8

SHA1
8c482edeb65c8903e8ff5213f4d5f03c63338bf0

SHA256
3b1aaf3119d079064be1bf05b6e02c02cfbd55e251befd8c7ce47b4db819ffa4

SHA512
da962a8bf063c6b046d84c1db25112ef64b3fd40548a2ef0f8f5fef40c1b309a1e047013dbfeee9cd41da17b8a759fcdb1dc61c8c9fc831c23cb305f72de1281

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.enc

Filesize
169KB

MD5
3601dc5fa8bc68b86a5686fd580b42d7

SHA1
7cbe193e7ab33dac09d5d3860724304114f52981

SHA256
490b2edf104d98b648504f9906b58668de0e5756a7a3dd996827b3232ef551ec

SHA512
6f0c2ad0b58fb3f34335556aada4dee9f05e265f2f4a51d7831f47fdf560f89cf70f0efe7f519bc9fb72bfc7f00efb9b946b6a9f5a30680a5cfb1827d50bd40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.enc

Filesize
178KB

MD5
c7fb185d07f5aacd0339105235dc4b59

SHA1
e9d681677cec90648c04c96d60c6b7194d0886cf

SHA256
292e523287c244dc7107de023df385fb9c713a38caf5e8351ee86b55720b8e4d

SHA512
5780241b537532b64be8c2798f9cb1a153b78ddced5b28e1045af3d7fd484cdbfef4043143ab88b1456ca35ac25d6b05a8cfd4061ffecda69db9978c7b326949

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.enc

Filesize
170KB

MD5
bee0a37125519e9fb8e1dec256273b11

SHA1
2efb342a679ad64c85f3676fce67c6b126f48b54

SHA256
e93b37d33441564d525446d2d457504e4cd3694ff4884bdaca3b47fed95053fc

SHA512
864c6223313d5856cebc8cfb0b997d3a982f2ef9cf229bf86ae180e922b96cd43d272a86c362982309ab0cdfeb0ad3f39205a12e05bdabaf420d669b0c2b583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.enc

Filesize
186KB

MD5
3c13b870cc7e7dcadf22a490a2bbe963

SHA1
aa7d19dda99b954cf85cccb07d9c12bac7ab8d19

SHA256
106541cf6a901984236d529518e6f08b3349bb3c3bba8a5cbc6a738b5bf76da2

SHA512
b281ed066c0604525452e21aa187fe15338417e8ba782f8e916d939339b8cc062c17036b850fb1400f00cada25b27b8664c163a859f332ffe4beaaaf8c2ee9c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads