5271bd7e9e74c25bbdc1e973b7fdad634a643942ad6171ab67587e4b850fee91

Analysis

max time kernel
135s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
18/03/2024, 14:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Batlez Tweaks.bat
Size

173KB
MD5

253e84d7b66dc7dc4922ea02958757a1
SHA1

384d054d833dcb36116f6c9257fbfb5fe47b843d
SHA256

5271bd7e9e74c25bbdc1e973b7fdad634a643942ad6171ab67587e4b850fee91
SHA512

91f13e643fa97a19d1c75b36802997057a7825379c2b2d05c83be27fd354d1a38e83d7699eaa442ed6464de5dad94628bd8008e5834b1f894087ca9a83e8b45b
SSDEEP

1536:xRlWO12I9CzhCCytht1MF+VWFUTUjU08o63b7H/UoiuU:r0zACytht1MF+VWSAwHjHBiP

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
768	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3104	vlc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3188	powershell.exe
3188	powershell.exe
3188	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3104	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3104	vlc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 3188	708	cmd.exe	74
PID 708 wrote to memory of 3188	708	cmd.exe	74
PID 3188 wrote to memory of 3588	3188	powershell.exe	75
PID 3188 wrote to memory of 3588	3188	powershell.exe	75
PID 3588 wrote to memory of 644	3588	cmd.exe	77
PID 3588 wrote to memory of 644	3588	cmd.exe	77
PID 3588 wrote to memory of 768	3588	cmd.exe	78
PID 3588 wrote to memory of 768	3588	cmd.exe	78
PID 3588 wrote to memory of 592	3588	cmd.exe	79
PID 3588 wrote to memory of 592	3588	cmd.exe	79
PID 3588 wrote to memory of 3192	3588	cmd.exe	80
PID 3588 wrote to memory of 3192	3588	cmd.exe	80
PID 3588 wrote to memory of 3200	3588	cmd.exe	81
PID 3588 wrote to memory of 3200	3588	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Batlez Tweaks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\Batlez Tweaks.bat"' am_admin
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Batlez Tweaks.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:644
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:768
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:592
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3192
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3112

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ConfirmRegister.ram"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3104

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imupc4mo.bom.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/3104-67-0x00007FFD925E0000-0x00007FFD925F7000-memory.dmp

Filesize
92KB

Download
memory/3104-70-0x00007FFD90AC0000-0x00007FFD90AD2000-memory.dmp

Filesize
72KB

Download
memory/3104-41-0x00007FFD90FE0000-0x00007FFD91294000-memory.dmp

Filesize
2.7MB

Download
memory/3104-43-0x00007FFD97710000-0x00007FFD97727000-memory.dmp

Filesize
92KB

Download
memory/3104-94-0x00007FFD848C0000-0x00007FFD848D7000-memory.dmp

Filesize
92KB

Download
memory/3104-93-0x00007FFD848E0000-0x00007FFD84A58000-memory.dmp

Filesize
1.5MB

Download
memory/3104-92-0x00007FFD84A60000-0x00007FFD84A71000-memory.dmp

Filesize
68KB

Download
memory/3104-44-0x00007FFD973D0000-0x00007FFD973E1000-memory.dmp

Filesize
68KB

Download
memory/3104-42-0x00007FFD97770000-0x00007FFD97788000-memory.dmp

Filesize
96KB

Download
memory/3104-45-0x00007FFD96930000-0x00007FFD96947000-memory.dmp

Filesize
92KB

Download
memory/3104-46-0x00007FFD94EB0000-0x00007FFD94EC1000-memory.dmp

Filesize
68KB

Download
memory/3104-47-0x00007FFD94E90000-0x00007FFD94EAD000-memory.dmp

Filesize
116KB

Download
memory/3104-48-0x00007FFD94E70000-0x00007FFD94E81000-memory.dmp

Filesize
68KB

Download
memory/3104-49-0x00007FFD90C30000-0x00007FFD90E30000-memory.dmp

Filesize
2.0MB

Download
memory/3104-50-0x00007FFD84F70000-0x00007FFD8601B000-memory.dmp

Filesize
16.7MB

Download
memory/3104-68-0x00007FFD90B00000-0x00007FFD90B23000-memory.dmp

Filesize
140KB

Download
memory/3104-52-0x00007FFD94A20000-0x00007FFD94A41000-memory.dmp

Filesize
132KB

Download
memory/3104-53-0x00007FFD94E50000-0x00007FFD94E68000-memory.dmp

Filesize
96KB

Download
memory/3104-54-0x00007FFD94A00000-0x00007FFD94A11000-memory.dmp

Filesize
68KB

Download
memory/3104-55-0x00007FFD949E0000-0x00007FFD949F1000-memory.dmp

Filesize
68KB

Download
memory/3104-56-0x00007FFD949C0000-0x00007FFD949D1000-memory.dmp

Filesize
68KB

Download
memory/3104-57-0x00007FFD948C0000-0x00007FFD948DB000-memory.dmp

Filesize
108KB

Download
memory/3104-58-0x00007FFD94640000-0x00007FFD94651000-memory.dmp

Filesize
68KB

Download
memory/3104-59-0x00007FFD94620000-0x00007FFD94638000-memory.dmp

Filesize
96KB

Download
memory/3104-60-0x00007FFD94370000-0x00007FFD943A0000-memory.dmp

Filesize
192KB

Download
memory/3104-61-0x00007FFD92600000-0x00007FFD92667000-memory.dmp

Filesize
412KB

Download
memory/3104-62-0x00007FFD90BC0000-0x00007FFD90C2F000-memory.dmp

Filesize
444KB

Download
memory/3104-63-0x00007FFD94350000-0x00007FFD94361000-memory.dmp

Filesize
68KB

Download
memory/3104-64-0x00007FFD90B60000-0x00007FFD90BB6000-memory.dmp

Filesize
344KB

Download
memory/3104-65-0x00007FFD928E0000-0x00007FFD92908000-memory.dmp

Filesize
160KB

Download
memory/3104-40-0x00007FFD97020000-0x00007FFD97054000-memory.dmp

Filesize
208KB

Download
memory/3104-66-0x00007FFD90B30000-0x00007FFD90B54000-memory.dmp

Filesize
144KB

Download
memory/3104-51-0x00007FFD94C20000-0x00007FFD94C5F000-memory.dmp

Filesize
252KB

Download
memory/3104-69-0x00007FFD90AE0000-0x00007FFD90AF1000-memory.dmp

Filesize
68KB

Download
memory/3104-39-0x00007FF7791C0000-0x00007FF7792B8000-memory.dmp

Filesize
992KB

Download
memory/3104-71-0x00007FFD90A90000-0x00007FFD90AB1000-memory.dmp

Filesize
132KB

Download
memory/3104-72-0x00007FFD90A70000-0x00007FFD90A83000-memory.dmp

Filesize
76KB

Download
memory/3104-73-0x00007FFD90A50000-0x00007FFD90A62000-memory.dmp

Filesize
72KB

Download
memory/3104-74-0x00007FFD90910000-0x00007FFD90A4B000-memory.dmp

Filesize
1.2MB

Download
memory/3104-75-0x00007FFD908E0000-0x00007FFD9090C000-memory.dmp

Filesize
176KB

Download
memory/3104-76-0x00007FFD90720000-0x00007FFD908D2000-memory.dmp

Filesize
1.7MB

Download
memory/3104-77-0x00007FFD906C0000-0x00007FFD9071C000-memory.dmp

Filesize
368KB

Download
memory/3104-78-0x00007FFD906A0000-0x00007FFD906B1000-memory.dmp

Filesize
68KB

Download
memory/3104-79-0x00007FFD8F990000-0x00007FFD8FA27000-memory.dmp

Filesize
604KB

Download
memory/3104-80-0x00007FFD90680000-0x00007FFD90692000-memory.dmp

Filesize
72KB

Download
memory/3104-81-0x00007FFD84D30000-0x00007FFD84F61000-memory.dmp

Filesize
2.2MB

Download
memory/3104-83-0x00007FFD84D00000-0x00007FFD84D25000-memory.dmp

Filesize
148KB

Download
memory/3104-87-0x00007FFD84C70000-0x00007FFD84C82000-memory.dmp

Filesize
72KB

Download
memory/3104-86-0x00007FFD86D10000-0x00007FFD86D21000-memory.dmp

Filesize
68KB

Download
memory/3104-88-0x00007FFD84C50000-0x00007FFD84C63000-memory.dmp

Filesize
76KB

Download
memory/3104-89-0x00007FFD84BB0000-0x00007FFD84C4F000-memory.dmp

Filesize
636KB

Download
memory/3104-85-0x00007FFD84C90000-0x00007FFD84CF1000-memory.dmp

Filesize
388KB

Download
memory/3104-90-0x00007FFD84B90000-0x00007FFD84BA1000-memory.dmp

Filesize
68KB

Download
memory/3104-84-0x00007FFD905B0000-0x00007FFD905C1000-memory.dmp

Filesize
68KB

Download
memory/3104-82-0x00007FFD8F890000-0x00007FFD8F8C5000-memory.dmp

Filesize
212KB

Download
memory/3104-91-0x00007FFD84A80000-0x00007FFD84B82000-memory.dmp

Filesize
1.0MB

Download
memory/3188-6-0x0000014735900000-0x0000014735910000-memory.dmp

Filesize
64KB

Download
memory/3188-4-0x00007FFD908B0000-0x00007FFD9129C000-memory.dmp

Filesize
9.9MB

Download
memory/3188-5-0x0000014735980000-0x00000147359A2000-memory.dmp

Filesize
136KB

Download
memory/3188-7-0x0000014735900000-0x0000014735910000-memory.dmp

Filesize
64KB

Download
memory/3188-10-0x000001474DFB0000-0x000001474E026000-memory.dmp

Filesize
472KB

Download
memory/3188-32-0x0000014735900000-0x0000014735910000-memory.dmp

Filesize
64KB

Download
memory/3188-33-0x00007FFD908B0000-0x00007FFD9129C000-memory.dmp

Filesize
9.9MB

Download