Analysis Overview
SHA256
a44e75344f1f7dd3d3e4566447686dbd9cca6e50beeea3f78e3069d12fa55d76
Threat Level: No (potentially) malicious behavior was detected
Verdict for the file `dont run this.bat`: no (potentially) malicious behavior was detected.
Malicious Activity Summary
Delays execution with timeout.exe
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-03 12:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 12:05
Reported
2024-06-03 12:07
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dont run this.bat"
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IMWATCHING_YOU21372.txt
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
C:\Users\Admin\Desktop\IMWATCHING_YOU21372.txt
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 12:05
Reported
2024-06-03 12:07
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dont run this.bat"
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
cmd /k "call :spam"
C:\Windows\system32\timeout.exe
timeout /t 1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\IMWATCHING_YOU20850.txt
| MD5 | d492c3a6ee82ba075dae805af3b2562c |
| SHA1 | 4ada1abf7552aa8ed1d53a5dac72343e634ab5fa |
| SHA256 | b75515e29da738d2b2f5273bee71e0f53afb605d1f06d27aca56b6e28c8cce99 |
| SHA512 | 5564b7e682ff0d9d93043b63b54272d5802089f57cc24d4dd99cc7365fd1cc46bc787bd37d5dc4ad7da096c02c6c3e7c3082aa8a018d73abfd258b6feb195edc |