71ce71735aa47a3b1d17e1b6639aaf6213b4c284243ad5ae7bb36fa1c5c9975f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platform-tools/systrace/catapult/common/battor/battor/battor_wrapper.py
Size

15KB
MD5

d2a93ab365251001f39f0a71feac5275
SHA1

1bf9854bad16f14de0b74eb7efcd2671b0b8db7c
SHA256

fbacb34ebd9b4af177f818f5cd0724c91c4ed1085cf1bd70eee9ae4115d112c9
SHA512

bbafd95d57ccabd4f11c15a3264761d329554ca429219dd855353a4a8dd9cef53fe20819bded5f8f4dbaf2b04dd9bf5930852aa3a33521362b0b751e66cab825
SSDEEP

384:SzxnQF5rr+ZTADM6uJE0x96JQNo3OUBete/rU72hT:UxnQF5zDB77ele/b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2696 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2696 AcroRd32.exe
2696 AcroRd32.exe

pid	process
2696	AcroRd32.exe

pid	process
2696	AcroRd32.exe
2696	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2884 wrote to memory of 2088	2884	cmd.exe	rundll32.exe
PID 2884 wrote to memory of 2088	2884	cmd.exe	rundll32.exe
PID 2884 wrote to memory of 2088	2884	cmd.exe	rundll32.exe
PID 2088 wrote to memory of 2696	2088	rundll32.exe	AcroRd32.exe
PID 2088 wrote to memory of 2696	2088	rundll32.exe	AcroRd32.exe
PID 2088 wrote to memory of 2696	2088	rundll32.exe	AcroRd32.exe
PID 2088 wrote to memory of 2696	2088	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2696

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
5041804f15b98a35e9a590f152d2354c

SHA1
2ee0eb5a73ea3f8110c636ca1ea2de7a59e10537

SHA256
a7dda13511be30ff3653e6d950de5b8412db802b2e3a1230d4584ee057d413b6

SHA512
15bbc47c4bc883b5793b23a4dd56e700c5795dd38cccab80263a57a16f2f52e1ce7c471cd4256ab210a306c62681cc0a9de12be6fc3044cee01eafdeb94ebe86

Download Submit