71ce71735aa47a3b1d17e1b6639aaf6213b4c284243ad5ae7bb36fa1c5c9975f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platform-tools/systrace/catapult/common/battor/battor/battor_error.py
Size

241B
MD5

0cb4832a92dd3d9df111e1a3ec244b18
SHA1

4c8479b954cfad19fa0e6725cda4bd090238bb34
SHA256

069549e0a89d7f64577e151d4c8919f504d053bfffe2841c72e05d8ecd676fcc
SHA512

6b1961a27e13c4f194665a1a088eb935ef009ebc74b5c572f6d292ad22272b01addfeee7d2c99827ae9f5e7974e65d17dbb88324fa7e2f6f5e63f9b9e3dd4ce5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2260 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2260 AcroRd32.exe
2260 AcroRd32.exe

pid	process
2260	AcroRd32.exe

pid	process
2260	AcroRd32.exe
2260	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2444 wrote to memory of 2780	2444	cmd.exe	rundll32.exe
PID 2444 wrote to memory of 2780	2444	cmd.exe	rundll32.exe
PID 2444 wrote to memory of 2780	2444	cmd.exe	rundll32.exe
PID 2780 wrote to memory of 2260	2780	rundll32.exe	AcroRd32.exe
PID 2780 wrote to memory of 2260	2780	rundll32.exe	AcroRd32.exe
PID 2780 wrote to memory of 2260	2780	rundll32.exe	AcroRd32.exe
PID 2780 wrote to memory of 2260	2780	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_error.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_error.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_error.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5a2ab9a580438de453025494ef02e24b

SHA1
ca4ff91a87f42b19a890d693ae47d4e06d879637

SHA256
358dae6423434b17dc815b1db7fe88fdc0f850c60164dd500fe47a095a9e9d78

SHA512
53272e3e4b2de1e2e5baab2400fff7aac492731fe01f08d2691ac7cf5d65bfd4dc6d389db6488b1eee3878745347641342eadfd11b9c0f79054099a36a1929e7

Download Submit