Analysis
max time kernel: 36s
max time network: 145s
platform: windows10_x64
resource: win10v20201028
submitted: 17-01-2021 17:31
Tasks
- Static task: static1
- Behavioral task behavioral1: sample ballelong.bat.exe, resource win7v20201028 (windows7_x64), 0 signatures, 0 seconds
- Behavioral task behavioral2: sample ballelong.bat.exe, resource win10v20201028 (windows10_x64), 0 signatures, 0 seconds
General
Target: ballelong.bat.exe
Size: 513KB
MD5: 888ddaf3d1539e84e9b6de38263fbbe5
SHA1: 03a207de60e69dd6b7d293d4d3ec9d7b6c29a197
SHA256: 0caa6fb680e981e7d3353f19f830903c9e6438ecb14ddaa237ce747619d7d4c6
SHA512: ba311147160b50edab59a0472bf01c175e6251371c8a0dc4a7b0e0e4bbd83ebcbbb9616f7066c564344a7ca6e636718adbe612618747bf0b00718c9a973c3903
Score: 10/10
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: ballelong.bat.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe You_are_a_wanker.exe"
  The Winlogon Shell value normally holds only explorer.exe; appending a second program name makes Winlogon start the dropped binary alongside the shell at every interactive logon (ATT&CK T1547.004, Winlogon Helper).
- Drops file in System32 directory (2 IoCs)
  Process: ballelong.bat.exe
  File created C:\Windows\SysWOW64\You_are_a_wanker.exe
  File opened for modification C:\Windows\SysWOW64\You_are_a_wanker.exe

Analyst note: both IoCs carry the fingerprint of a 32-bit process running on x64 Windows. File-system redirection turned the intended System32 drop into a SysWOW64 drop, and registry redirection sent the Winlogon write to the WOW6432Node view. The 64-bit winlogon.exe reads Shell from the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, so on this x64 VM the hijack is probably inert unless the sample also writes the native view, which this report does not show. When hunting, query both views and treat any Shell value other than explorer.exe (and any Userinit value beyond userinit.exe) as suspect.
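The check described above, run over registry "Set value" lines in the format this report uses, as an added example (not part of the sandbox's own signature logic). It parses each line, matches the Winlogon Shell and Userinit keys in either the native or the WOW6432Node view, splits the value into its program entries, and reports every entry that is not in an assumed clean-Windows-10 baseline. Only the first sample line is taken from this report; the other three events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry paths whose values Winlogon launches at logon. Both the native view
# and the WOW6432Node view are matched; which one was written matters on x64,
# because the 64-bit winlogon.exe reads only the native view.
WINLOGON_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows NT"
    r"\\CurrentVersion\\Winlogon\\(?P<name>shell|userinit)$",
    re.IGNORECASE,
)

# Assumed baseline: default contents of those values on a clean Windows 10 install.
BASELINE = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Line format used by the sandbox report: Set value (str) <key> = "<data>"
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<data>.*)"$')


@dataclass
class Finding:
    value_name: str        # "shell" or "userinit"
    view: str              # "native" or "WOW6432Node"
    raw_data: str          # the string written to the value
    unexpected: List[str]  # entries not present in the baseline


def split_entries(data: str) -> List[str]:
    """Split a Winlogon value into its program entries.

    The documented separator is a comma; the sample in this report uses a
    space, and both forms are seen in the wild, so split on either.
    """
    return [p.lower() for p in re.split(r"[,\s]+", data.strip()) if p]


def check_winlogon_value(key: str, data: str) -> Optional[Finding]:
    """Return a Finding if `key` is a Winlogon launch value with extra entries."""
    m = WINLOGON_RE.search(key)
    if m is None:
        return None
    name = m.group("name").lower()
    unexpected = [e for e in split_entries(data) if e not in BASELINE[name]]
    if not unexpected:
        return None
    view = "WOW6432Node" if m.group("wow") else "native"
    return Finding(name, view, data, unexpected)


def scan_set_value_lines(lines) -> List[Finding]:
    """Parse report-style 'Set value' lines and collect Winlogon hijack findings."""
    findings = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if m is None:
            continue
        f = check_winlogon_value(m.group("key"), m.group("data"))
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: line 1 is the IoC from this report; lines 2-4 are
# made up (a benign rewrite of Shell, an unrelated Run key, a Userinit hijack).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe You_are_a_wanker.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\update.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\Windows\system32\userinit.exe,C:\Windows\Temp\svc.exe,"',
]

if __name__ == "__main__":
    for f in scan_set_value_lines(SAMPLE_EVENTS):
        print(f"{f.value_name} ({f.view} view): unexpected entries {f.unexpected}")
```

The view field is what separates a working hijack from the redirected write seen in this report: a finding in the WOW6432Node view on x64 means a 32-bit process wrote the key, and the native view still needs to be checked before concluding that persistence is in place.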
Processes (all three are recorded at depth 1, i.e. with no parent in the process tree)
- C:\Users\Admin\AppData\Local\Temp\ballelong.bat.exe (PID 1052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ballelong.bat.exe"
  Signatures: Modifies WinLogon for persistence; Drops file in System32 directory
- C:\Windows\system32\taskmgr.exe (PID 812)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
- C:\Windows\System32\rundll32.exe (PID 3108)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  (out-of-process COM server activation via shell32.dll; the report attributes no signatures to it)