Resubmissions

09/03/2025, 01:58

250309-cdv29swybs 10

08/03/2025, 06:55

250308-hp35xatjt9 10

08/03/2025, 04:53

250308-fh1ebssky5 10

Analysis

  • max time kernel
    294s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/03/2025, 01:58

General

  • Target

    My-Skidded-malwares-main/RaM KilLEr 1.0.bat

  • Size

    3KB

  • MD5

    ce45f129d128fb1ce6e659451fc8ae48

  • SHA1

    44cccb5515797e51e51498a73d02e66f086f0040

  • SHA256

    7660ba2fc3dddcdc079e20771f4f0b1fde0c1b508f32edda841993ace2f08c40

  • SHA512

    23af808c2a413b7932668ec5d2163611e310e6d837839b0c8f96a1467c4122c702be99dfb45dbae780a026cac9a38b989b95b80f391ee9eb5d8f54044490b886

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Drops desktop.ini file(s) 11 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the only process carrying the signature is C:\Windows\System32\vds.exe (PID 3044), the Windows Virtual Disk Service started as a top-level process, so treat the hit as a side effect of the disk utilities the script launched (BdeHdCfg.exe, rstrui.exe) rather than as evasion logic in the batch file.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 13 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here the activity maps to vssvc.exe (PID 1536) and wbengine.exe (PID 1060) starting as top-level service processes, consistent with rstrui.exe (System Restore) being launched from the script; the report shows no vssadmin or wmic command deleting shadow copies, which is the VSS behaviour that matters for ransomware triage.
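
The signatures above and the process tree that follows describe a pattern a detection engineer can encode directly: one script host (cmd.exe running the .bat) launches tasklist.exe, taskkill.exe and systeminfo.exe; a child process exports registry keys into the user's Temp directory with reg.exe; and the same parent fans out into dozens of unrelated built-in executables within seconds. The Python below is an added example written for this page, not code from the sandbox or from the sample's author. The event records are constructed to mirror the tree (Sysmon Event ID 1 fields with invented timestamps), and the fan-out threshold and window are assumptions to tune per environment.

```python
"""Three detection rules for the behaviour in this report, run over constructed
Sysmon-style process-creation records (timestamp, pid, ppid, image, command line)."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry modelled on the report's process tree; the
# timestamps are invented and the benign control at the end is made up.
SAMPLE_EVENTS = [
    ("2025-03-09T01:58:10", 5100, 4000, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\RaM KilLEr 1.0.bat"'),
    ("2025-03-09T01:58:11", 2860, 5100, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ("2025-03-09T01:58:11", 2724, 5100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("2025-03-09T01:58:12", 756, 5100, r"C:\Windows\system32\iexpress.exe", "iexpress.exe"),
    ("2025-03-09T01:58:12", 3640, 5100, r"C:\Windows\system32\SndVol.exe", "SndVol.exe"),
    ("2025-03-09T01:58:13", 1896, 5100, r"C:\Windows\system32\WSCollect.exe", "WSCollect.exe"),
    ("2025-03-09T01:58:13", 4864, 1896, r"C:\Windows\System32\reg.exe",
     r'C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SIH" "C:\Users\Admin\AppData\Local\Temp\registry_SIH.txt" /y'),
    ("2025-03-09T01:58:14", 2240, 5100, r"C:\Windows\system32\systeminfo.exe", "systeminfo.exe"),
    ("2025-03-09T01:58:14", 3916, 5100, r"C:\Windows\system32\taskkill.exe", "taskkill.exe"),
    ("2025-03-09T01:58:15", 1464, 5100, r"C:\Windows\system32\tasklist.exe", "tasklist.exe"),
    ("2025-03-09T01:58:15", 5944, 5100, r"C:\Windows\system32\mspaint.exe", "mspaint.exe"),
    ("2025-03-09T01:58:16", 5320, 5100, r"C:\Windows\system32\calc.exe", "calc.exe"),
    # Benign control: an admin shell that runs tasklist once and nothing else.
    ("2025-03-09T02:10:00", 7000, 4000, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ("2025-03-09T02:10:05", 7001, 7000, r"C:\Windows\system32\tasklist.exe", "tasklist.exe"),
]

# Assumed tuning values: how many distinct child images in how short a window
# counts as a fan-out. Calibrate against your own baseline before deploying.
FANOUT_THRESHOLD = 8
FANOUT_WINDOW = timedelta(seconds=60)
DISCOVERY_SET = {"tasklist.exe", "taskkill.exe", "systeminfo.exe"}


def _basename(image):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(image).lower()


def children_by_parent(events):
    """Group child processes under their parent PID, sorted by start time."""
    by_parent = defaultdict(list)
    for ts, pid, ppid, image, cmdline in events:
        by_parent[ppid].append((datetime.fromisoformat(ts), pid, _basename(image), cmdline))
    for kids in by_parent.values():
        kids.sort()
    return by_parent


def rule_discovery_chain(by_parent):
    """One parent spawning tasklist + taskkill + systeminfo (discovery plus a kill)."""
    hits = []
    for ppid, kids in by_parent.items():
        names = {name for _, _, name, _ in kids}
        if DISCOVERY_SET <= names:
            hits.append({"rule": "discovery_and_kill_chain", "pid": ppid,
                         "evidence": sorted(DISCOVERY_SET)})
    return hits


def rule_reg_export_to_temp(events):
    """reg.exe export whose output lands under the user's AppData\\Local\\Temp."""
    hits = []
    for _, pid, _, image, cmdline in events:
        low = cmdline.lower()
        if _basename(image) == "reg.exe" and " export " in low and "\\appdata\\local\\temp\\" in low:
            hits.append({"rule": "reg_export_to_user_temp", "pid": pid, "evidence": cmdline})
    return hits


def rule_process_fanout(by_parent, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """A parent launching >= threshold distinct images inside a sliding time window."""
    hits = []
    for ppid, kids in by_parent.items():
        for i in range(len(kids)):
            start = kids[i][0]
            distinct = set()
            for ts, _, name, _ in kids[i:]:
                if ts - start > window:
                    break
                distinct.add(name)
            if len(distinct) >= threshold:
                hits.append({"rule": "process_fanout", "pid": ppid, "evidence": len(distinct)})
                break  # one finding per parent is enough
    return hits


def run_rules(events):
    """Run every rule and return the combined list of findings."""
    by_parent = children_by_parent(events)
    return (rule_discovery_chain(by_parent)
            + rule_reg_export_to_temp(events)
            + rule_process_fanout(by_parent))


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one that separates this sample from an administrator's shell: the discovery trio alone fires on plenty of legitimate scripts, but a single cmd.exe that starts ten distinct built-in GUI tools in a few seconds does not happen in normal use. The control events at the end of the sample exist to show that a lone tasklist.exe does not trip anything.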

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\RaM KilLEr 1.0.bat"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5100
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2860
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:17410 /prefetch:2
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:988
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:82950 /prefetch:2
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2704
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe
        2⤵
        PID:1364
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Modifies registry class
        PID:2724
      • C:\Windows\system32\iexpress.exe
        iexpress.exe
        2⤵
        PID:756
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies Internet Explorer settings
        PID:4076
      • C:\Windows\system32\SndVol.exe
        SndVol.exe
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3640
      • C:\Windows\system32\tcmsetup.exe
        tcmsetup.exe
        2⤵
        PID:4792
      • C:\Windows\system32\rstrui.exe
        rstrui.exe
        2⤵
        • Drops file in Windows directory
        PID:3344
      • C:\Windows\system32\WSReset.exe
        WSReset.exe
        2⤵
        • Modifies registry class
        PID:4560
      • C:\Windows\system32\WSCollect.exe
        WSCollect.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1896
          • C:\Windows\System32\reg.exe
            C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SIH" "C:\Users\Admin\AppData\Local\Temp\registry_SIH.txt" /y
            3⤵
            PID:4864
          • C:\Windows\System32\reg.exe
            C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig" "C:\Users\Admin\AppData\Local\Temp\registry_DNSPolicy.txt" /y
            3⤵
            PID:4488
      • C:\Windows\system32\dialer.exe
        dialer.exe
        2⤵
        PID:888
      • C:\Program Files\Windows Mail\wab.exe
        "C:\Program Files\Windows Mail\wab.exe"
        2⤵
        • Modifies registry class
        PID:1464
      • C:\Program Files\Windows Mail\wabmig.exe
        "C:\Program Files\Windows Mail\wabmig.exe"
        2⤵
        PID:3208
      • C:\Program Files\Common Files\microsoft shared\ink\mip.exe
        "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4368
      • C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
        "C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe"
        2⤵
        PID:4432
      • C:\Windows\system32\SnippingTool.exe
        SnippingTool.exe
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2992
      • C:\Windows\system32\verifier.exe
        verifier.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1152
          • C:\Windows\system32\verifiergui.exe
            "C:\Windows\system32\verifiergui.exe"
            3⤵
            • Suspicious use of SetWindowsHookEx
            PID:2396
      • C:\Windows\system32\systeminfo.exe
        systeminfo.exe
        2⤵
        • Gathers system information
        PID:2240
      • C:\Windows\system32\taskkill.exe
        taskkill.exe
        2⤵
        • Kills process with taskkill
        PID:3916
      • C:\Windows\system32\tasklist.exe
        tasklist.exe
        2⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1464
      • C:\Windows\system32\wscript.exe
        wscript.exe
        2⤵
        PID:3992
      • C:\Windows\system32\BdeHdCfg.exe
        BdeHdCfg.exe
        2⤵
        • Drops file in Windows directory
        PID:2724
      • C:\Windows\System32\msra.exe
        C:\Windows\System32\msra.exe
        2⤵
        PID:3776
      • C:\Windows\SysWOW64\printui.exe
        C:\Windows\SysWOW64\printui.exe
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4776
      • C:\Windows\System32\PrintBrmUi.exe
        C:\Windows\System32\PrintBrmUi.exe
        2⤵
        PID:2724
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        2⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2240
          • C:\Windows\SysWOW64\unregmp2.exe
            "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
            3⤵
            • System Location Discovery: System Language Discovery
            PID:3688
              • C:\Windows\system32\unregmp2.exe
                "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
                4⤵
                • Enumerates connected drives
                • Suspicious use of AdjustPrivilegeToken
                PID:1608
      • C:\Windows\system32\WFS.exe
        WFS.exe
        2⤵
        • Drops desktop.ini file(s)
        • NTFS ADS
        • Suspicious use of SetWindowsHookEx
        PID:4840
      • C:\Windows\system32\FXSCOVER.exe
        FXSCOVER.exe
        2⤵
        • Drops desktop.ini file(s)
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3820
      • C:\Windows\system32\mspaint.exe
        mspaint.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:5944
      • C:\Windows\system32\cttune.exe
        cttune.exe
        2⤵
        PID:5272
      • C:\Windows\system32\DevicePairingWizard.exe
        DevicePairingWizard.exe
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:5276
      • C:\Windows\system32\DpiScaling.exe
        DpiScaling.exe
        2⤵
        PID:5292
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe" ms-settings:display
            3⤵
            PID:2120
      • C:\Windows\system32\Netplwiz.exe
        Netplwiz.exe
        2⤵
        PID:1940
      • C:\Windows\system32\winver.exe
        winver.exe
        2⤵
        PID:5352
      • C:\Windows\system32\calc.exe
        calc.exe
        2⤵
        • Modifies registry class
        PID:5320
      • C:\Program Files\Windows NT\Accessories\wordpad.exe
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:5136
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1060
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1536
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4016
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3044
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4940
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:5084
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4256
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:5260
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:5384
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6036
      • C:\Windows\system32\dashost.exe
        dashost.exe {09fe7ea8-a4c9-4a58-8bc1a1ce1ee2f3b0}
        2⤵
        PID:5448
      • C:\Windows\system32\dashost.exe
        dashost.exe {0027f645-b91e-49ef-8282d1a028316418}
        2⤵
        PID:4836
      • C:\Windows\system32\dashost.exe
        dashost.exe {0fd3da7d-2953-4001-b93bd917d62cff29}
        2⤵
        PID:4400
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    PID:5428
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1368
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
    PID:3208
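
WSCollect.exe (PID 1896) in the tree above spawns reg.exe twice to export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SIH and the Dnscache DnsPolicyConfig key to text files under the user's Temp directory; the report lists REG245C.tmp and REG247B.tmp under Downloads but not the final registry_SIH.txt or registry_DNSPolicy.txt. reg export writes the REGEDIT5 text format, so an analyst recovering such files from a sandbox needs a parser for it. The Python below is an added example, not the sandbox's or the sample's code; the key paths in the sample text match the report, but every value in it is constructed, and the hex-typed value support (REG_MULTI_SZ, REG_EXPAND_SZ, REG_QWORD) goes beyond the two keys in the report to the general format.

```python
"""Parser for the REGEDIT5 text format that `reg export` writes.

reg.exe writes the file as UTF-16LE with a BOM, so read real exports with
open(path, encoding="utf-16") before handing the text to parse_reg().
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample export. The two key paths are the ones exported in the
# report; the values under them are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SIH]
"LastRunTime"=dword:0000000a
"Path"="C:\\Windows\\System32\\sihclient.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig]
@="default value"
"Servers"=hex(7):31,00,30,00,2e,00,30,00,2e,00,30,00,2e,00,31,00,00,00,31,00,\
  30,00,2e,00,30,00,2e,00,30,00,2e,00,32,00,00,00,00,00
"Blob"=hex:de,ad,be,ef
'''

NAME_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _join_continuations(text):
    """Rejoin hex values that reg.exe wraps with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = buf + line.lstrip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _parse_hex(spec):
    """Decode hex:/hex(N): values by registry type; N is the REG_* type in hex."""
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", spec, re.IGNORECASE)
    if not m:
        raise ValueError("bad hex value: " + spec)
    kind = int(m.group(1), 16) if m.group(1) else 3  # plain hex: is REG_BINARY
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):            # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                 # REG_MULTI_SZ: NUL-separated, double-NUL terminated
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if kind in (4, 11):           # REG_DWORD / REG_QWORD, little-endian
        return int.from_bytes(raw, "little")
    return raw                    # REG_BINARY and any other type: raw bytes


def _parse_value(spec):
    spec = spec.strip()
    if spec == "-":
        return None               # value marked for deletion
    if len(spec) >= 2 and spec.startswith('"') and spec.endswith('"'):
        return _unescape(spec[1:-1])
    if spec.lower().startswith("dword:"):
        return int(spec[6:], 16)
    if spec.lower().startswith("hex"):
        return _parse_hex(spec)
    raise ValueError("unsupported value: " + spec)


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '' is the key's default value.

    A key written as [-HKEY...] (deletion) maps to None.
    """
    lines = _join_continuations(text)
    if not lines or lines[0].lstrip("\ufeff").strip() != REG_HEADER:
        raise ValueError("not a REGEDIT5 export")
    result, key = {}, None
    for line in lines[1:]:
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                result[key[1:]] = None
                key = None
                continue
            result.setdefault(key, {})
            continue
        if key is None:
            raise ValueError("value outside a key: " + line)
        if line.startswith("@="):
            result[key][""] = _parse_value(line[2:])
            continue
        m = NAME_RE.match(line)
        if not m:
            raise ValueError("unparsable line: " + line)
        result[key][_unescape(m.group(1))] = _parse_value(m.group(2))
    return result


if __name__ == "__main__":
    for path, values in parse_reg(SAMPLE_REG).items():
        print(path, values)
```

When triaging a real export, the interesting part is usually the DnsPolicyConfig key: a populated policy there redirects name resolution for chosen suffixes, so any server list it contains should be treated as an indicator and checked against the organisation's known resolvers.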

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    384KB
    MD5
    063793e4ba784832026ec8bc3528f7f1
    SHA1
    687d03823d7ab8954826f753a645426cff3c5db4
    SHA256
    cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd
    SHA512
    225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    1024KB
    MD5
    e098044b128b255f5c3b345996390840
    SHA1
    85023495766df16f47672a65cc1341958cf558f6
    SHA256
    465c201addb46aeef1c972ee11ef2570708e04996a0c797472875c33367864bf
    SHA512
    de4de4eefb5b31a704942df3587ad2ce16079987564bd7801c5b1e8224dd3b78706236a9c12f7da3e576a3026161dd8a3ecefcd422304045e544270b79f5d72b

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize
    68KB
    MD5
    4b82dc1f5c7afcab8e7fa857c2e28e2e
    SHA1
    d8918cb93555d82fd0b8b91e42eefa45086a007e
    SHA256
    00efea56f6a19a0813828d1a36289b641436ec06ebe3fb7be6cec9eef4f2817b
    SHA512
    07dfd9b1064939fea73be325e153e3fa80807af1e2aedf3ad32dcdbfab303d686131dceb48620afb56981009d25ff40877fde2387c49245219fb21139ab24ae9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize
    9KB
    MD5
    7050d5ae8acfbe560fa11073fef8185d
    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Temp\REG245C.tmp
    Filesize
    1KB
    MD5
    be8c55b6da69b8698228b44af35c7e18
    SHA1
    e26861d74daf73c08f02a8d364a32f3b3805522c
    SHA256
    2450e005e01a98e0a79e0d692da78fbeb191b9e4bef5c0d1f2d913f42ce78983
    SHA512
    227139d8444cadc673cef0ad75e23e29bbe38c185a5e07f9e38353f3265a7d99021c78cc92772f3a49852115897cfc2e8735eb75ed71fc2ce21547499372cd2a

  • C:\Users\Admin\AppData\Local\Temp\REG247B.tmp
    Filesize
    270B
    MD5
    edcaaed49057b04d804ef38622dcfeca
    SHA1
    200458ae3a380983860136acca9b18d62c5bac76
    SHA256
    b9532ca922a984f207d3a82499308fa038e1d78169b534b8d7fc116aefe5a05e
    SHA512
    052065767b3bf96cf1314dd8c42940ace0d256eb7f536de0b642f5816dc0b5e6db3ce9a10450e9564b7c932e9261a9d78ca7929a4537646cbf7d5ee8c363b5fb

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize
    1KB
    MD5
    52fa6f2287fb230d4965ee47ed114fdc
    SHA1
    d876f246f9479ce61d031d112d5efb9153d4a1bf
    SHA256
    4435d1f54ffbb08f4615bce745681f09eec3aa30c276211678aab9c53f147330
    SHA512
    b6ac0fe46dc33600a378db08f74701d8614efef5b37db6e3ef61458c617e5a75c734543a399dfbd782bd0c9967f6928d944e7b5e337b1749772e8041c356a216

  • C:\Users\Admin\Documents\Fax\Personal CoverPages\desktop.ini
    Filesize
    83B
    MD5
    598e1a868a65c0b66b59c088f52360ba
    SHA1
    54418059a2190ee09d84dd1dfb80ce44f1fc661e
    SHA256
    c183370acb893e1c862bb094ffa9abc34af886933ef45a572d4bcf52f845bbb2
    SHA512
    dce894ce4ffd8c2cc14a83d1416c0a2ea2d4abe02eda88cee571ecdba094c2d458b4f6644969cf0e96baf3367c286bfa01099400ae5d0cbe0b3ed97f8e803edd

  • C:\Users\Admin\Documents\Scanned Documents\Welcome Scan.jpg
    Filesize
    504KB
    MD5
    73d4281e46a68222934403627e5b4e19
    SHA1
    0f1c29cea7ea24ebb75c95114e0b0d26438e1d39
    SHA256
    aac4ac970ec47cd95dc7c65d7d38d29c1f948be24d5dad1d5aa21053125367c7
    SHA512
    bb7aad10e5accd3f5c0f6b2968973034a2f7c2523401eb234b2de0cdad2dc13f4fd58d08ece94ec06420a52b3d371ba832f8fb4741f48799703bdf32a4daf555

  • memory/4836-115-0x0000021642790000-0x0000021642A6B000-memory.dmp
    Filesize
    2.9MB