5661c9345c5a0d8e76c7b76158006554a9721526a6ea0e8adfdd34bf47bf08db

Resubmissions

27-04-2024 10:20

240427-mc49nahb6s 8

27-04-2024 10:17

240427-mbg3qshb2z 8

27-04-2024 10:12

240427-l81exagc99 8

Analysis

max time kernel
134s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0EXNM3VL.bat
Size

23KB
MD5

f94ee210eb268d477b98419357872564
SHA1

85032ece2031a10f2839d10ffd13ca3a05d76a4d
SHA256

5661c9345c5a0d8e76c7b76158006554a9721526a6ea0e8adfdd34bf47bf08db
SHA512

a1ccb8f70558290d59e0488b9e86e5b74e86e5ec17b88022c977e7e4d648b49ec0df6923f0c22495cf30cc1ec154995f9a7f655296322a77d31d1f3fe3f1240f
SSDEEP

384:fSpSw/3x030ySTMmmXfUHb+h8ilPdaN5RdHkZ2fvqS2p0glkZXiJZGOrIOCq+iCI:fSpSw/3x030ySFmXfUHb+h8ilPdaN5RO

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
232	tasklist.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1988	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	tasklist.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1400	4036	cmd.exe	87
PID 4036 wrote to memory of 1400	4036	cmd.exe	87
PID 4036 wrote to memory of 3956	4036	cmd.exe	88
PID 4036 wrote to memory of 3956	4036	cmd.exe	88
PID 4036 wrote to memory of 3692	4036	cmd.exe	89
PID 4036 wrote to memory of 3692	4036	cmd.exe	89
PID 4036 wrote to memory of 3020	4036	cmd.exe	90
PID 4036 wrote to memory of 3020	4036	cmd.exe	90
PID 3020 wrote to memory of 232	3020	cmd.exe	91
PID 3020 wrote to memory of 232	3020	cmd.exe	91
PID 4036 wrote to memory of 2072	4036	cmd.exe	93
PID 4036 wrote to memory of 2072	4036	cmd.exe	93
PID 4036 wrote to memory of 5096	4036	cmd.exe	94
PID 4036 wrote to memory of 5096	4036	cmd.exe	94
PID 4036 wrote to memory of 3292	4036	cmd.exe	95
PID 4036 wrote to memory of 3292	4036	cmd.exe	95
PID 3292 wrote to memory of 1696	3292	cmd.exe	96
PID 3292 wrote to memory of 1696	3292	cmd.exe	96
PID 4036 wrote to memory of 2416	4036	cmd.exe	97
PID 4036 wrote to memory of 2416	4036	cmd.exe	97
PID 2416 wrote to memory of 1068	2416	cmd.exe	98
PID 2416 wrote to memory of 1068	2416	cmd.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0EXNM3VL.bat"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:3956
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- C:\Windows\system32\reg.exe
  Reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
  2⤵
  PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    PID:1068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1036

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\0EXNM3VL.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads