9d8763451c2bd900dbf10e3cdb16132ec706b8e13dbd563aa15835d5b2d8cc4d

Resubmissions

19-08-2024 23:46

240819-3sqdfasdnh 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Battly Launcher.exe
Size

168.1MB
MD5

cf0daf7c7befec7beda4e24c7805c05c
SHA1

bb0644bc24081142c559e930e032720a80e88009
SHA256

e799120b79693d6467e75a1f3a47696b1c4dba12b66a0efc82d5e5ff779ed8f3
SHA512

82215a85b35770d9f74519df25569d3afd7d4a865937ddf52a6cbd92f084edd9c98d1b43b18082e5d0af2afc2537ebb76f8c157ba137243b6496fb5e4b3e8521
SSDEEP

1572864:SQqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:kBKRcAMyAzB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Battly Launcher.exeBattly Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Battly Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Battly Launcher.exe

Drops file in System32 directory 2 IoCs

Processes:

Battly Launcher.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Battly Launcher.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Battly Launcher.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Battly Launcher.exe

pid process

2348 Battly Launcher.exe
2348 Battly Launcher.exe
2348 Battly Launcher.exe
2348 Battly Launcher.exe

pid	process
2348	Battly Launcher.exe
2348	Battly Launcher.exe
2348	Battly Launcher.exe
2348	Battly Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Battly Launcher.exe

description	pid	process
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe
Token: SeShutdownPrivilege	4544	Battly Launcher.exe
Token: SeCreatePagefilePrivilege	4544	Battly Launcher.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Battly Launcher.exe

description	pid	process	target process
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 972	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 2084	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 2084	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 5024	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 5024	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 2348	4544	Battly Launcher.exe	Battly Launcher.exe
PID 4544 wrote to memory of 2348	4544	Battly Launcher.exe	Battly Launcher.exe

C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1684 --field-trial-handle=1688,i,15052899404441688602,1548808181959314045,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --mojo-platform-channel-handle=1900 --field-trial-handle=1688,i,15052899404441688602,1548808181959314045,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2448 --field-trial-handle=1688,i,15052899404441688602,1548808181959314045,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Battly Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2404 --field-trial-handle=1688,i,15052899404441688602,1548808181959314045,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Battly Launcher Installer\Network\Network Persistent State

Filesize
697B

MD5
e4b9b7cee486bc0a1106aecf2fc11795

SHA1
0ee848a4f6f05d78ef91a513fbf195a3c6d81261

SHA256
8f25c365f29ec87b890bf6cb894f23ad2f34b61f4d29bf9349857acb812702d8

SHA512
2959528cb45f340366fac2ac0d4fc92ab7d9b967e2e71cbee39506a71f3a10692712342ffcff092c98c3e18d67b8819c4ca66b5ac67e80e31e2b10551948a0e3

Download Submit
C:\Users\Admin\AppData\Roaming\Battly Launcher Installer\Network\Network Persistent State~RFe58a766.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2348-85-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-77-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-76-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-75-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-86-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-84-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-83-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-82-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-81-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download
memory/2348-87-0x00000105759C0000-0x00000105759C1000-memory.dmp

Filesize
4KB

Download