| Field | Value |
|---|---|
| File name | ransomware.bat |
| Full analysis | https://app.any.run/tasks/e900b9b6-ba14-4c15-bb7a-9018df0df2ec |
| Verdict | Malicious activity |
| Analysis date | May 20, 2022, 21:20:43 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/x-msdos-batch |
| File info | DOS batch file, ASCII text, with CRLF line terminators |
| MD5 | D18922F0510DCBC6B17B6BA9C1DD5469 |
| SHA1 | 5C8FB787AEB3C3228B87CD4305851E6539CC7045 |
| SHA256 | 74AA3CEF6B9F311DAC31AA38CF9652D147DC5465D4196691CE86CF80B4452DCD |
| SSDEEP | 6:hENekVCFl2IOhBGihl2tsNMN27YGPQyDC1gFoekVCFl2IOhhDA:LmCFdOhBGihlwcMaUyDCuVmCFdOhhc |
| PID | CMD | Path | Indicators | Parent process | User | Company | Description | Integrity level | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2944 | `C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\ransomware.bat" "` | C:\Windows\system32\cmd.exe | — | Explorer.EXE | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2400 | `C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\admin"` | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1244 | `certutil -encode "C:\Users\admin\.oracle_jre_usage" "C:\Users\admin\.oracle_jre_usage.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 3488 | `certutil -encode "C:\Users\admin\Contacts" "C:\Users\admin\Contacts.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 3920 | `certutil -encode "C:\Users\admin\Desktop" "C:\Users\admin\Desktop.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 976 | `certutil -encode "C:\Users\admin\Documents" "C:\Users\admin\Documents.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 524 | `certutil -encode "C:\Users\admin\Downloads" "C:\Users\admin\Downloads.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 2384 | `certutil -encode "C:\Users\admin\Favorites" "C:\Users\admin\Favorites.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 2576 | `certutil -encode "C:\Users\admin\Links" "C:\Users\admin\Links.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 2580 | `certutil -encode "C:\Users\admin\Music" "C:\Users\admin\Music.encrypted"` | C:\Windows\system32\certutil.exe | — | cmd.exe | admin | Microsoft Corporation | CertUtil.exe | MEDIUM | 2147942405 | 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2496 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\96458326-0F6E-4F95-88EE-ED9F0B2D5401.encrypted | text | 348830E80F6D438D4A7FDEC039E814F5 | 58541C3F79F80265BB408FD42D4702B4792644E3CAE811CE77C88AB74E7537C0 |
| 2108 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\progressbar_pole_null_150.png.encrypted | text | A6ADE28B463D1EFA6D822FE74948DDFE | F5C24A22DB5DA4DDE13CCC5B7BCD3930566CEF5D2937D84E199F93EDC9812846 |
| 2544 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\status_icon_caution_100.png.encrypted | text | C64FD27F0E05D60488A21295D7DDF403 | DF849F65046527CC37FC085616082BF8CBC3E1D9E660D6A914C1E06E22AF7340 |
| 2864 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\status_icon_caution_125.png.encrypted | text | 8ABEB335E5F09F427FD80DD87E9E697C | 25642A1BA56715B0942B65DE6A73A8C9B3463B6D11A069AF08B02AFEC1F110B3 |
| 1328 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\progressbar_blue_active_100.png.encrypted | text | 6FDD504069B6126F4C310D0CA1388D50 | EF1534E06BB30D3A18E55AABE55EBD87C75435DD2C9F131455C0DAA3DE364288 |
| 2468 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\progressbar_blue_active_150.png.encrypted | text | D3B8E410271711E2789307ADEDB9A304 | CFB167CBC06A7219A8FA6C7D13B05F0C61CCD817E9278C663462285D41145BB2 |
| 1020 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\progressbar_pole_null_100.png.encrypted | text | 2E5A93891924E2FE4D994F60CD185A19 | CD73EAE82F967E0538FC3677C871C14B466067B1B6124368AE12DE36A170A1D8 |
| 3456 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\gccheck_small.exe.encrypted | text | 6091A8D908627069B301F8779F34169C | A561A05C706647D2F79E5E917412A5BBAA12F29842D168434647C1E0E7649D6C |
| 3236 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\close_200.png.encrypted | text | E1F54F7FA7C6EDE38C82BF5281C40519 | C8A31241215A03520C6DD4A7AEF5F2018DA4707FE71D62483A82625AD6B6690C |
| 472 | certutil.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\gtcheck.exe.encrypted | text | 560B6534ED17B79E1986953D1ABAC4E4 | 8CF110BB233D2CDF0200F417095976377C23340FBFA9F93C3FD0E95D6403D7C9 |