911ab129e3b78ee3073c8299bb75380845e71fec09ea47f5c87619c4de8205ae

Analysis

max time kernel
444s
max time network
437s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test_file.bat
Size

2KB
MD5

47549fa030fbe1169f769d3d7764bc39
SHA1

26a71ed14bd944448cd5829f20f41c8012484568
SHA256

911ab129e3b78ee3073c8299bb75380845e71fec09ea47f5c87619c4de8205ae
SHA512

89b4c100a4836a3060442980422e8c82310292cb794a958b7b8743829def5d9b0d5c2fbfe92600cbc8ee6efc6ce683536027da81387284c14315b07c30437dd8

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4644	schtasks.exe

Runs net.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4548	PING.EXE
3180	PING.EXE
2504	PING.EXE
1848	PING.EXE
3876	PING.EXE
4932	PING.EXE
228	PING.EXE
2584	PING.EXE
3620	PING.EXE
3684	PING.EXE
4484	PING.EXE
3432	PING.EXE
2088	PING.EXE
840	PING.EXE
3404	PING.EXE
624	PING.EXE
5008	PING.EXE
1504	PING.EXE
1584	PING.EXE
1888	PING.EXE
3764	PING.EXE
2524	PING.EXE
2924	PING.EXE
360	PING.EXE
1608	PING.EXE
4180	PING.EXE
4544	PING.EXE
1764	PING.EXE
3512	PING.EXE
360	PING.EXE
1600	PING.EXE
4520	PING.EXE
3624	PING.EXE
4448	PING.EXE
3124	PING.EXE
5096	PING.EXE
4576	PING.EXE
3048	PING.EXE
4244	PING.EXE
2320	PING.EXE
708	PING.EXE
4860	PING.EXE
4900	PING.EXE
4060	PING.EXE
840	PING.EXE
3752	PING.EXE
2652	PING.EXE
2944	PING.EXE
2448	PING.EXE
2336	PING.EXE
3968	PING.EXE
3940	PING.EXE
4104	PING.EXE
2948	PING.EXE
2428	PING.EXE
1532	PING.EXE
2296	PING.EXE
4480	PING.EXE
4716	PING.EXE
1872	PING.EXE
4604	PING.EXE
2248	PING.EXE
1740	PING.EXE
3444	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 4644	1436	cmd.exe	85
PID 1436 wrote to memory of 4644	1436	cmd.exe	85
PID 1436 wrote to memory of 1888	1436	cmd.exe	86
PID 1436 wrote to memory of 1888	1436	cmd.exe	86
PID 1888 wrote to memory of 4392	1888	net.exe	87
PID 1888 wrote to memory of 4392	1888	net.exe	87
PID 1436 wrote to memory of 708	1436	cmd.exe	88
PID 1436 wrote to memory of 708	1436	cmd.exe	88
PID 1436 wrote to memory of 3588	1436	cmd.exe	89
PID 1436 wrote to memory of 3588	1436	cmd.exe	89
PID 1436 wrote to memory of 3240	1436	cmd.exe	101
PID 1436 wrote to memory of 3240	1436	cmd.exe	101
PID 1436 wrote to memory of 2944	1436	cmd.exe	103
PID 1436 wrote to memory of 2944	1436	cmd.exe	103
PID 1436 wrote to memory of 4548	1436	cmd.exe	106
PID 1436 wrote to memory of 4548	1436	cmd.exe	106
PID 1436 wrote to memory of 3180	1436	cmd.exe	107
PID 1436 wrote to memory of 3180	1436	cmd.exe	107
PID 1436 wrote to memory of 3624	1436	cmd.exe	108
PID 1436 wrote to memory of 3624	1436	cmd.exe	108
PID 1436 wrote to memory of 3432	1436	cmd.exe	109
PID 1436 wrote to memory of 3432	1436	cmd.exe	109
PID 1436 wrote to memory of 1872	1436	cmd.exe	110
PID 1436 wrote to memory of 1872	1436	cmd.exe	110
PID 1436 wrote to memory of 3048	1436	cmd.exe	112
PID 1436 wrote to memory of 3048	1436	cmd.exe	112
PID 1436 wrote to memory of 2248	1436	cmd.exe	114
PID 1436 wrote to memory of 2248	1436	cmd.exe	114
PID 1436 wrote to memory of 4244	1436	cmd.exe	115
PID 1436 wrote to memory of 4244	1436	cmd.exe	115
PID 1436 wrote to memory of 1888	1436	cmd.exe	116
PID 1436 wrote to memory of 1888	1436	cmd.exe	116
PID 1436 wrote to memory of 3764	1436	cmd.exe	117
PID 1436 wrote to memory of 3764	1436	cmd.exe	117
PID 1436 wrote to memory of 5096	1436	cmd.exe	118
PID 1436 wrote to memory of 5096	1436	cmd.exe	118
PID 1436 wrote to memory of 2228	1436	cmd.exe	119
PID 1436 wrote to memory of 2228	1436	cmd.exe	119
PID 1436 wrote to memory of 2088	1436	cmd.exe	120
PID 1436 wrote to memory of 2088	1436	cmd.exe	120
PID 1436 wrote to memory of 3888	1436	cmd.exe	121
PID 1436 wrote to memory of 3888	1436	cmd.exe	121
PID 1436 wrote to memory of 2504	1436	cmd.exe	127
PID 1436 wrote to memory of 2504	1436	cmd.exe	127
PID 1436 wrote to memory of 840	1436	cmd.exe	128
PID 1436 wrote to memory of 840	1436	cmd.exe	128
PID 1436 wrote to memory of 3908	1436	cmd.exe	129
PID 1436 wrote to memory of 3908	1436	cmd.exe	129
PID 1436 wrote to memory of 3940	1436	cmd.exe	130
PID 1436 wrote to memory of 3940	1436	cmd.exe	130
PID 1436 wrote to memory of 3876	1436	cmd.exe	131
PID 1436 wrote to memory of 3876	1436	cmd.exe	131
PID 1436 wrote to memory of 4576	1436	cmd.exe	132
PID 1436 wrote to memory of 4576	1436	cmd.exe	132
PID 1436 wrote to memory of 4604	1436	cmd.exe	133
PID 1436 wrote to memory of 4604	1436	cmd.exe	133
PID 1436 wrote to memory of 4104	1436	cmd.exe	134
PID 1436 wrote to memory of 4104	1436	cmd.exe	134
PID 1436 wrote to memory of 4932	1436	cmd.exe	138
PID 1436 wrote to memory of 4932	1436	cmd.exe	138
PID 1436 wrote to memory of 1568	1436	cmd.exe	142
PID 1436 wrote to memory of 1568	1436	cmd.exe	142
PID 1436 wrote to memory of 4448	1436	cmd.exe	143
PID 1436 wrote to memory of 4448	1436	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test_file.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc ONLOGON /tn "TestRansomware" /tr "cmd /c echo This is a test. > C:\test.txt" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4644
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4392
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  2⤵
  PID:708
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.241
  2⤵
  PID:3588
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.129
  2⤵
  PID:3240
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.242
  2⤵
  - Runs ping.exe
  PID:2944
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.73
  2⤵
  - Runs ping.exe
  PID:4548
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.112
  2⤵
  - Runs ping.exe
  PID:3180
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.190
  2⤵
  - Runs ping.exe
  PID:3624
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.248
  2⤵
  - Runs ping.exe
  PID:3432
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.73
  2⤵
  - Runs ping.exe
  PID:1872
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.72
  2⤵
  PID:3048
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.97
  2⤵
  - Runs ping.exe
  PID:2248
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.1
  2⤵
  PID:4244
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.2
  2⤵
  - Runs ping.exe
  PID:1888
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.3
  2⤵
  - Runs ping.exe
  PID:3764
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.4
  2⤵
  - Runs ping.exe
  PID:5096
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.5
  2⤵
  PID:2228
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.6
  2⤵
  - Runs ping.exe
  PID:2088
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.7
  2⤵
  PID:3888
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.8
  2⤵
  - Runs ping.exe
  PID:2504
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.9
  2⤵
  - Runs ping.exe
  PID:840
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.10
  2⤵
  PID:3908
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.11
  2⤵
  - Runs ping.exe
  PID:3940
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.12
  2⤵
  - Runs ping.exe
  PID:3876
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.13
  2⤵
  - Runs ping.exe
  PID:4576
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.14
  2⤵
  - Runs ping.exe
  PID:4604
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.15
  2⤵
  - Runs ping.exe
  PID:4104
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.16
  2⤵
  - Runs ping.exe
  PID:4932
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.17
  2⤵
  PID:1568
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.18
  2⤵
  - Runs ping.exe
  PID:4448
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.19
  2⤵
  PID:264
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.20
  2⤵
  - Runs ping.exe
  PID:2524
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.21
  2⤵
  - Runs ping.exe
  PID:2296
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.22
  2⤵
  - Runs ping.exe
  PID:2948
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.23
  2⤵
  PID:1144
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.24
  2⤵
  PID:4440
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.25
  2⤵
  PID:4584
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.26
  2⤵
  PID:3892
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.27
  2⤵
  - Runs ping.exe
  PID:3512
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.28
  2⤵
  PID:4508
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.29
  2⤵
  - Runs ping.exe
  PID:5008
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.30
  2⤵
  PID:4940
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.31
  2⤵
  - Runs ping.exe
  PID:2320
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.32
  2⤵
  - Runs ping.exe
  PID:840
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.33
  2⤵
  PID:4656
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.34
  2⤵
  - Runs ping.exe
  PID:360
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.35
  2⤵
  - Runs ping.exe
  PID:228
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.36
  2⤵
  - Runs ping.exe
  PID:2428
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.37
  2⤵
  - Runs ping.exe
  PID:1532
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.38
  2⤵
  PID:3252
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.39
  2⤵
  PID:624
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.40
  2⤵
  PID:1584
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.41
  2⤵
  - Runs ping.exe
  PID:1504
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.42
  2⤵
  - Runs ping.exe
  PID:4480
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.43
  2⤵
  - Runs ping.exe
  PID:2924
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.44
  2⤵
  - Runs ping.exe
  PID:1600
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.45
  2⤵
  PID:1816
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.46
  2⤵
  PID:4384
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.47
  2⤵
  PID:4524
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.48
  2⤵
  - Runs ping.exe
  PID:3684
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.49
  2⤵
  PID:1996
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.50
  2⤵
  PID:3624
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.51
  2⤵
  PID:3912
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.52
  2⤵
  - Runs ping.exe
  PID:3048
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.53
  2⤵
  - Runs ping.exe
  PID:708
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.54
  2⤵
  PID:5096
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.55
  2⤵
  - Runs ping.exe
  PID:2448
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.56
  2⤵
  PID:3528
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.57
  2⤵
  - Runs ping.exe
  PID:4244
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.58
  2⤵
  PID:4064
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.59
  2⤵
  - Runs ping.exe
  PID:1740
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.60
  2⤵
  PID:4472
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.61
  2⤵
  - Runs ping.exe
  PID:3444
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.62
  2⤵
  - Runs ping.exe
  PID:1608
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.63
  2⤵
  PID:5112
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.64
  2⤵
  PID:3104
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.65
  2⤵
  - Runs ping.exe
  PID:4860
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.66
  2⤵
  PID:4988
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.67
  2⤵
  PID:4024
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.68
  2⤵
  PID:1080
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.69
  2⤵
  - Runs ping.exe
  PID:3124
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.70
  2⤵
  - Runs ping.exe
  PID:3752
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.71
  2⤵
  - Runs ping.exe
  PID:4900
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.72
  2⤵
  PID:1020
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.73
  2⤵
  PID:1164
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.74
  2⤵
  - Runs ping.exe
  PID:2584
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.75
  2⤵
  PID:424
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.76
  2⤵
  PID:3776
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.77
  2⤵
  PID:1288
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.78
  2⤵
  - Runs ping.exe
  PID:2652
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.79
  2⤵
  PID:1676
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.80
  2⤵
  - Runs ping.exe
  PID:2336
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.81
  2⤵
  - Runs ping.exe
  PID:1848
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.82
  2⤵
  - Runs ping.exe
  PID:4180
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.83
  2⤵
  PID:3096
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.84
  2⤵
  - Runs ping.exe
  PID:4716
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.85
  2⤵
  PID:4528
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.86
  2⤵
  - Runs ping.exe
  PID:4060
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.87
  2⤵
  - Runs ping.exe
  PID:3404
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.88
  2⤵
  - Runs ping.exe
  PID:360
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.89
  2⤵
  PID:1992
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.90
  2⤵
  PID:5076
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.91
  2⤵
  - Runs ping.exe
  PID:4484
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.92
  2⤵
  PID:4072
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.93
  2⤵
  - Runs ping.exe
  PID:3620
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.94
  2⤵
  - Runs ping.exe
  PID:624
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.95
  2⤵
  - Runs ping.exe
  PID:1584
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.96
  2⤵
  - Runs ping.exe
  PID:4544
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.97
  2⤵
  - Runs ping.exe
  PID:3968
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.98
  2⤵
  PID:1484
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.99
  2⤵
  - Runs ping.exe
  PID:1764
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.100
  2⤵
  - Runs ping.exe
  PID:4520
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.101
  2⤵
  PID:1432
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.102
  2⤵
  PID:4996
- C:\Windows\system32\PING.EXE
  ping -n 1 192.168.1.103
  2⤵
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads