d4b74666f41414973bff4c2dbfe7d05e3d414cc81ba007b23353393c1d7d5c22

General

Target

tulipicalv1.bat
Size

135B
MD5

a5ec871d590f7aaa91f31900dafd7d85
SHA1

6ca11d8a45399dab87e9b92c940e8d5f448a8bd3
SHA256

d4b74666f41414973bff4c2dbfe7d05e3d414cc81ba007b23353393c1d7d5c22
SHA512

f854d5e3146821434b1cb634910b1d8965a0b5fe0b371f1c0a888d570c5d018e52f9b1331b0503744e103944f905f0014a302208688e3230b74a52d3cd22fd4e

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1536	ipconfig.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1540	NOTEPAD.EXE
2872	NOTEPAD.EXE
1800	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2872	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1540	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1752	2976	cmd.exe	29
PID 2976 wrote to memory of 1752	2976	cmd.exe	29
PID 2976 wrote to memory of 1752	2976	cmd.exe	29
PID 2976 wrote to memory of 1536	2976	cmd.exe	30
PID 2976 wrote to memory of 1536	2976	cmd.exe	30
PID 2976 wrote to memory of 1536	2976	cmd.exe	30
PID 2976 wrote to memory of 2184	2976	cmd.exe	31
PID 2976 wrote to memory of 2184	2976	cmd.exe	31
PID 2976 wrote to memory of 2184	2976	cmd.exe	31
PID 2976 wrote to memory of 2432	2976	cmd.exe	32
PID 2976 wrote to memory of 2432	2976	cmd.exe	32
PID 2976 wrote to memory of 2432	2976	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tulipicalv1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\help.exe
  help
  2⤵
  PID:1752
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1536
- C:\Windows\system32\help.exe
  help
  2⤵
  PID:2184
- C:\Windows\system32\help.exe
  help
  2⤵
  PID:2432

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ree.bat
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:2840

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ree.bat
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2872

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:1676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:1936

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ree.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1800

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:1944

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:1992

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:1060

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:764

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:812

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:2112

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ree.bat" "
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ree.bat

Filesize
31B

MD5
de5c4bb60e064b41300843ae182e0310

SHA1
0ab528af89aa36c8ace2f9611080ff291eb449f6

SHA256
15ae4efe79c2561dc02419e0698bee10449de8a97cff98cd9834c000f2e0047f

SHA512
d0e9e2536908955e63140733e50693d37ee5892b889d878c366c938b4cc07dbd0d39073824618388469c5ea73dd6bd5e076520d79d28e38b6644c6f58f76adf2

Download Submit
C:\Users\Admin\Desktop\ree.bat

Filesize
35B

MD5
a83f0fcf63b6bbf4917a7b050dae721f

SHA1
f41ac3cd1d46770a530d99182f69107d9563b0b3

SHA256
c0b69846f1d9e8521541e41e935e0e4bc338fe351d6d047fcf7dd79354500ffa

SHA512
2a2fb5c8d834003a817b1c14fce5ce7a0319aade646f41da4d3ca9146282ac0b2032bc5e5d3533fbabb303171e45cb868fa4490ba03c53bcd0533dab823742cc

Download Submit
memory/1540-0-0x0000000003C80000-0x0000000003C90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing