Analysis

  • max time kernel
    13s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 11:50

General

  • Target

    BatSD.exe

  • Size

    169KB

  • MD5

    e625c07f89ae4fc9184ea7af37f7311e

  • SHA1

    b1269be3072402fd9f8b7025e02345c54928f3d0

  • SHA256

    71f419149200ada26a7497d8e8ce53d4e3e98bbf45fdaf6a962cdddfbbf368b7

  • SHA512

    0f982fb5561d42984d325dbfd3f788cb702af0f5c72ca06c1d3cb640b7ff8d153e55c9a502532496ea9fe6db0b4e3053a4d90effee768cede9524a46c0c58f00

  • SSDEEP

    3072:MaObYrSD4kjua2DH4xW+5GWp1icKAArDZz4N9GhbkrNEkQfH7YyIb:MaKMSD4YuaeEp0yN90QEff

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association (2 TTPs, 34 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Delays execution with timeout.exe (1 IoC)
  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BatSD.exe
    "C:\Users\Admin\AppData\Local\Temp\BatSD.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c BatSD.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\system32\timeout.exe
        timeout 1 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2608
      • C:\Windows\system32\reg.exe
        reg delete HKEY_CLASSES_ROOT /f
        3⤵
        • Modifies system executable filetype association
        • Modifies registry class
        PID:4952
      • C:\Windows\system32\reg.exe
        reg delete HKEY_CURRENT_USER /f
        3⤵
        PID:1132
      • C:\Windows\system32\reg.exe
        reg delete HKEY_LOCAL_MACHINE /f
        3⤵
        PID:3732
      • C:\Windows\system32\reg.exe
        reg delete HKEY_USERS /f
        3⤵
        PID:4064
      • C:\Windows\system32\reg.exe
        reg delete HKEY_CURRENT_CONFIG /f
        3⤵
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BatSD.bat

    Filesize

    584B

    MD5

    1fb41ca3337bd87c7a613fb7e6737f3a

    SHA1

    a2eae147407bc601b496678e331cca9f687f5a6c

    SHA256

    4d6989bba0c7380e1afa92097485a32e629e996e660a2a7c565d6a062433c329

    SHA512

    989dd073d8bcc3fda21ef9c24263a936505a531e2a944160b945aa1441b94695d6ed4da86b30406937fd37135284369ec096c57521d544a76912e6364c47f3dc