9297b5d410cefe35dac62911c78d9a39544dc347a91642591127642f73d0ee35

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batmon.exe
Size

910KB
MD5

50d07dce5687a0c44946b9e74467455f
SHA1

a3756053572c7d6c1351b483a273dec568f36b77
SHA256

0d9d4ce668e0ec26b2d2db0ec9795610d8b62913256ca0b0449aa25c34b0d386
SHA512

8e216cca8ccc4d29ddecca0efa08ce8d26348bff978855733aff5369dc5bf704e11376621a47ccb35daab4136f0d20c7b6dd47799203e0cc415d1492622791d7
SSDEEP

24576:Hxu0+kY/NH6CFAsk1/LKH0LNmgM+xAqxI9w+Hu:Ru0+kW6sGKnga3NHu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	is-F4FUR.tmp

Loads dropped DLL 4 IoCs

pid	Process
2716	batmon.exe
2880	is-F4FUR.tmp
2880	is-F4FUR.tmp
2880	is-F4FUR.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-F4FUR.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	is-F4FUR.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2880	2716	batmon.exe	30
PID 2716 wrote to memory of 2880	2716	batmon.exe	30
PID 2716 wrote to memory of 2880	2716	batmon.exe	30
PID 2716 wrote to memory of 2880	2716	batmon.exe	30
PID 2716 wrote to memory of 2880	2716	batmon.exe	30
PID 2716 wrote to memory of 2880	2716	batmon.exe	30
PID 2716 wrote to memory of 2880	2716	batmon.exe	30

C:\Users\Admin\AppData\Local\Temp\batmon.exe
"C:\Users\Admin\AppData\Local\Temp\batmon.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\is-HHN93.tmp\is-F4FUR.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HHN93.tmp\is-F4FUR.tmp" /SL4 $400F4 C:\Users\Admin\AppData\Local\Temp\batmon.exe 712468 50688
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-40SLN.tmp\_isdecmp.dll

Filesize
12KB

MD5
9f015911c4073ba9b8ad5a4c36fcaf88

SHA1
d4bd8d2348a2a6294f3f92ad7831f2cf660da6a5

SHA256
c630fb87c007c1e3d008eac97edf7e025c0cb806c886971e32b7063d606fd125

SHA512
c36dc582141259ec0813edf531431870f96acc346e3f9af0cd86544245a84bb2d6bc4c37518bf309fa0922cdd5535d087e4fef20f0d5aa0494b1a4b0ce388ea9

Download Submit
\Users\Admin\AppData\Local\Temp\is-40SLN.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HHN93.tmp\is-F4FUR.tmp

Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
memory/2716-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2716-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2716-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2880-18-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download