a54b1eb2d637f1b5131907bfffbd97c961d96b09608032e10bf33ae3c4914a14

Analysis

max time kernel
49s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

notif.bat
Size

412B
MD5

9825f3d577471389a56320b28091c7fb
SHA1

5acb5e44efd677cdc0144aa368e9e894c24e7b16
SHA256

a54b1eb2d637f1b5131907bfffbd97c961d96b09608032e10bf33ae3c4914a14
SHA512

f7f047ebbae32d131463dba76cfd17aeb9c0fb32f15a7ec907d7519af6971e0fea627b071968f8ec14352e09c6b5bc40602687aa4eb942d7402b7e78b9ea98f6

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2980	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2640	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2980	1368	cmd.exe	31
PID 1368 wrote to memory of 2980	1368	cmd.exe	31
PID 1368 wrote to memory of 2980	1368	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\notif.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Install-Module -Name BurntToast -Force; $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://schooicodes.github.io/file_hosting/epik-fake.ico' -OutFile 'C:\Users\Admin\Downloads\epic-face.ico' -UseBasicParsing; Import-Module BurntToast; New-BurntToastNotification -Text 'Thank you!', 'Thanks for using SMT! <3' -AppLogo 'C:\Users\Admin\Downloads\epic-face.ico'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\notif.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-4-0x000007FEF60DE000-0x000007FEF60DF000-memory.dmp

Filesize
4KB

Download
memory/2980-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2980-7-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-9-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-8-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-10-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-11-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download