01a2d60d1ed5738abd140509ea5be65b9b4b83d9fe82443fa604c117006cb28a

Analysis

max time kernel
1247s
max time network
1215s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/10/2023, 06:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Battly-Launcher-win-x64.exe
Size

104.6MB
MD5

33fb20267a90628b27913b3457c81b8a
SHA1

ab82935a67564c25b8c119af6825f737162de8f4
SHA256

01a2d60d1ed5738abd140509ea5be65b9b4b83d9fe82443fa604c117006cb28a
SHA512

b1ca43d83ccc5f3e000bc1d7a539801e2ed3d6a400f6209c13135510deb215d3b3999cd77a2826a9c2315d404cef65699cec360a9151571d0816f9715bd0b8cd
SSDEEP

3145728:qdXn1ULIy5D63G6VP1ULsojbNX2ATo5L67bU7zLi:qXGc3ZP1osmbNX2yuPi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2300	Battly-Launcher-win-x64.exe
2300	Battly-Launcher-win-x64.exe
2300	Battly-Launcher-win-x64.exe
2300	Battly-Launcher-win-x64.exe
2300	Battly-Launcher-win-x64.exe
2300	Battly-Launcher-win-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1044	tasklist.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2300	Battly-Launcher-win-x64.exe
1044	tasklist.exe
1044	tasklist.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	Battly-Launcher-win-x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	tasklist.exe
Token: SeSecurityPrivilege	2300	Battly-Launcher-win-x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	Battly-Launcher-win-x64.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 2300 wrote to memory of 312	2300	Battly-Launcher-win-x64.exe	30
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 1044	312	cmd.exe	32
PID 312 wrote to memory of 2188	312	cmd.exe	33
PID 312 wrote to memory of 2188	312	cmd.exe	33
PID 312 wrote to memory of 2188	312	cmd.exe	33
PID 312 wrote to memory of 2188	312	cmd.exe	33
PID 312 wrote to memory of 2188	312	cmd.exe	33
PID 312 wrote to memory of 2188	312	cmd.exe	33
PID 312 wrote to memory of 2188	312	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\Battly-Launcher-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Battly-Launcher-win-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Battly Launcher.exe" | %SYSTEMROOT%\System32\find.exe "Battly Launcher.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Battly Launcher.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find.exe "Battly Launcher.exe"
    3⤵
    PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\@fortawesome\fontawesome-free\js\regular.js

Filesize
120KB

MD5
1f1eb37b5caff742b8e0ee857a34cd77

SHA1
127e4bd8983e888665d81d30fd2d135d6b33cd50

SHA256
f471f033bf47cf7061c7750de75fe3fcbac051ebf95c713c11eb6842d0513004

SHA512
7c1a6fe7e5d097756b23b763116fb085629333e854346a2a040d7a9b17c4bdd55bcd67b73fc06c6fe4cb60a48dea1254ce46f1153c4bc01f88156630f841adab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\text.js

Filesize
15KB

MD5
12148d2dff9ca3478e4467945663fa70

SHA1
50998482c521255af2760ed95bbdb1c4f7387212

SHA256
1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6

SHA512
f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js

Filesize
14KB

MD5
7b33dd38c0c08bf185f5480efdf9ab90

SHA1
b3d9d61ad3ab1f87712280265df367eff502ef8b

SHA256
d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88

SHA512
22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\@isaacs\cliui\node_modules\string-width\license

Filesize
1KB

MD5
d5f2a6dd0192dcc7c833e50bb9017337

SHA1
80674912e3033be358331910ba27d5812369c2fc

SHA256
5c932d88256b4ab958f64a856fa48e8bd1f55bc1d96b8149c65689e0c61789d3

SHA512
d1f336ff272bc6b96dc9a04a7d0ef8f02936dd594f514060340478ee575fe01d55fc7a174df5814a4faf72c8462b012998eca7bb898e3f9a3e87205fb9135af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\ansi-styles\license

Filesize
1KB

MD5
915042b5df33c31a6db2b37eadaa00e3

SHA1
5aaf48196ddd4d007a3067aa7f30303ca8e4b29c

SHA256
48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0

SHA512
9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\color-support\LICENSE

Filesize
765B

MD5
82703a69f6d7411dde679954c2fd9dca

SHA1
bb408e929caeb1731945b2ba54bc337edb87cc66

SHA256
4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

SHA512
3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\foreground-child\node_modules\signal-exit\dist\cjs\package.json

Filesize
25B

MD5
df9ffc6aa3f78a5491736d441c4258a8

SHA1
9d0d83ae5d399d96b36d228e614a575fc209d488

SHA256
8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a

SHA512
6c58939da58f9b716293a8328f7a3649b6e242bf235fae00055a0cc79fb2788e4a99dfaa422e0cfadbe84e0d5e33b836f68627e6a409654877edc443b94d04c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\7z-out\resources\app\node_modules\foreground-child\node_modules\signal-exit\dist\mjs\package.json

Filesize
23B

MD5
d0707362e90f00edd12435e9d3b9d71c

SHA1
50faeb965b15dfc6854cb1235b06dbb5e79148d2

SHA256
3ca9d4afd21425087cf31893b8f9f63c81b0b8408db5e343ca76e5f8aa26ab9a

SHA512
9d323420cc63c6bee79dcc5db5f0f18f6b8e073daaf8ffa5459e11f2de59a9f5e8c178d77fa92afc9ddd352623dec362c62fff859c71a2fab93f1e2172c4987f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DE9.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit