672080994fc581f09c4e199731f118b1ad2082f8820fdb6073a431892ed0f1b7

Analysis

max time kernel
98s
max time network
100s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-11-2024 00:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Batman_ATK_Ware.exe
Size

6.4MB
MD5

e3e7697d0a03ef75f3d25fc45f6fe83f
SHA1

e986a4c0d9f19fa87ca3736ee5c7563c39b1a8f7
SHA256

672080994fc581f09c4e199731f118b1ad2082f8820fdb6073a431892ed0f1b7
SHA512

28febc863d94a98bbef7b05854312befa40989251304bc46c76e67112e4e6aff5fc9bd90857c05e08d949dbc809d0b150827eb6847aca501ccfc8c68ea77a5b6
SSDEEP

196608:CRuig9hoy6Enwc4GgpG0REca3Irq7LkmrbW3jmrT:Cci+WyotGgpGLcW7AmrbmyrT

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 33 IoCs

Processes:

batman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe explorer.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe icsys.icn.exeexplorer.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe icsys.icn.exeexplorer.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe explorer.exeicsys.icn.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe icsys.icn.exeexplorer.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe explorer.exeicsys.icn.exe

pid	Process
1480	batman_atk_ware.exe
4208	icsys.icn.exe
420	batman_atk_ware.exe
4396	explorer.exe
4896	icsys.icn.exe
3660	spoolsv.exe
4500	svchost.exe
3744	spoolsv.exe
1512	batman_atk_ware.exe
4196	icsys.icn.exe
1692	batman_atk_ware.exe
1452	icsys.icn.exe
3012	explorer.exe
3332	batman_atk_ware.exe
4688	icsys.icn.exe
3668	batman_atk_ware.exe
3428	icsys.icn.exe
1132	explorer.exe
3948	batman_atk_ware.exe
3888	icsys.icn.exe
4656	batman_atk_ware.exe
4100	explorer.exe
2820	icsys.icn.exe
2944	batman_atk_ware.exe
1560	icsys.icn.exe
384	batman_atk_ware.exe
2732	icsys.icn.exe
4892	explorer.exe
4060	batman_atk_ware.exe
2128	icsys.icn.exe
3408	batman_atk_ware.exe
2984	explorer.exe
2408	icsys.icn.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "c:\\windows\\resources\\themes\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\windows\\resources\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "c:\\windows\\resources\\themes\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\windows\\resources\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 16 IoCs

Processes:

batman_atk_ware.exe explorer.exebatman_atk_ware.exe batman_atk_ware.exe icsys.icn.exespoolsv.exebatman_atk_ware.exe Batman_ATK_Ware.exebatman_atk_ware.exe Batman_ATK_Ware.exebatman_atk_ware.exe Batman_ATK_Ware.exeBatman_ATK_Ware.exeBatman_ATK_Ware.exeBatman_ATK_Ware.exe

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

batman_atk_ware.exe icsys.icn.exeexplorer.exeBatman_ATK_Ware.exebatman_atk_ware.exe batman_atk_ware.exe Batman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe batman_atk_ware.exe batman_atk_ware.exe icsys.icn.exeexplorer.exespoolsv.exespoolsv.exebatman_atk_ware.exe icsys.icn.exeBatman_ATK_Ware.exeicsys.icn.exeexplorer.exebatman_atk_ware.exe Batman_ATK_Ware.exeicsys.icn.exeBatman_ATK_Ware.exeexplorer.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe Batman_ATK_Ware.exebatman_atk_ware.exe explorer.exeicsys.icn.exeBatman_ATK_Ware.exesvchost.exeicsys.icn.exeicsys.icn.exeicsys.icn.exeexplorer.exeicsys.icn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "179"	LogonUI.exe

Modifies registry class 9 IoCs

Processes:

OpenWith.exefirefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\.ses	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\ses_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\.ses\ = "ses_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\ses_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\ses_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\ses_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\ses_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Batman_ATK_Ware.exebatman_atk_ware.exe

pid	Process
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

explorer.exesvchost.exeOpenWith.exe

pid	Process
4396	explorer.exe
4500	svchost.exe
3824	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description	pid	Process
Token: SeDebugPrivilege	3608	firefox.exe
Token: SeDebugPrivilege	3608	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	Process
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe
3608	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Batman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe explorer.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exeBatman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe icsys.icn.exeexplorer.exeBatman_ATK_Ware.exebatman_atk_ware.exe batman_atk_ware.exe icsys.icn.exeBatman_ATK_Ware.exeicsys.icn.exeexplorer.exeBatman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exe

pid	Process
5080	Batman_ATK_Ware.exe
5080	Batman_ATK_Ware.exe
1480	batman_atk_ware.exe
1480	batman_atk_ware.exe
4208	icsys.icn.exe
4208	icsys.icn.exe
420	batman_atk_ware.exe
420	batman_atk_ware.exe
4396	explorer.exe
4396	explorer.exe
4896	icsys.icn.exe
4896	icsys.icn.exe
3660	spoolsv.exe
3660	spoolsv.exe
4500	svchost.exe
4500	svchost.exe
3744	spoolsv.exe
3744	spoolsv.exe
2400	Batman_ATK_Ware.exe
2400	Batman_ATK_Ware.exe
2400	Batman_ATK_Ware.exe
1512	batman_atk_ware.exe
1512	batman_atk_ware.exe
1512	batman_atk_ware.exe
4196	icsys.icn.exe
4196	icsys.icn.exe
1692	batman_atk_ware.exe
4196	icsys.icn.exe
1692	batman_atk_ware.exe
1692	batman_atk_ware.exe
1452	icsys.icn.exe
3012	explorer.exe
1452	icsys.icn.exe
3012	explorer.exe
1452	icsys.icn.exe
3012	explorer.exe
1264	Batman_ATK_Ware.exe
1264	Batman_ATK_Ware.exe
1264	Batman_ATK_Ware.exe
3332	batman_atk_ware.exe
3332	batman_atk_ware.exe
3332	batman_atk_ware.exe
3668	batman_atk_ware.exe
4688	icsys.icn.exe
4688	icsys.icn.exe
3668	batman_atk_ware.exe
4688	icsys.icn.exe
3668	batman_atk_ware.exe
1148	Batman_ATK_Ware.exe
3428	icsys.icn.exe
1148	Batman_ATK_Ware.exe
1132	explorer.exe
3428	icsys.icn.exe
1148	Batman_ATK_Ware.exe
1132	explorer.exe
3428	icsys.icn.exe
1132	explorer.exe
4496	Batman_ATK_Ware.exe
4496	Batman_ATK_Ware.exe
4496	Batman_ATK_Ware.exe
3948	batman_atk_ware.exe
3948	batman_atk_ware.exe
3948	batman_atk_ware.exe
3888	icsys.icn.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Batman_ATK_Ware.exeicsys.icn.exebatman_atk_ware.exe explorer.exespoolsv.exesvchost.exeBatman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exeBatman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exeBatman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exe

description	pid	Process	procid_target
PID 5080 wrote to memory of 1480	5080	Batman_ATK_Ware.exe	79
PID 5080 wrote to memory of 1480	5080	Batman_ATK_Ware.exe	79
PID 5080 wrote to memory of 1480	5080	Batman_ATK_Ware.exe	79
PID 5080 wrote to memory of 4208	5080	Batman_ATK_Ware.exe	81
PID 5080 wrote to memory of 4208	5080	Batman_ATK_Ware.exe	81
PID 5080 wrote to memory of 4208	5080	Batman_ATK_Ware.exe	81
PID 4208 wrote to memory of 4396	4208	icsys.icn.exe	82
PID 4208 wrote to memory of 4396	4208	icsys.icn.exe	82
PID 4208 wrote to memory of 4396	4208	icsys.icn.exe	82
PID 1480 wrote to memory of 420	1480	batman_atk_ware.exe	83
PID 1480 wrote to memory of 420	1480	batman_atk_ware.exe	83
PID 1480 wrote to memory of 420	1480	batman_atk_ware.exe	83
PID 1480 wrote to memory of 4896	1480	batman_atk_ware.exe	84
PID 1480 wrote to memory of 4896	1480	batman_atk_ware.exe	84
PID 1480 wrote to memory of 4896	1480	batman_atk_ware.exe	84
PID 4396 wrote to memory of 3660	4396	explorer.exe	85
PID 4396 wrote to memory of 3660	4396	explorer.exe	85
PID 4396 wrote to memory of 3660	4396	explorer.exe	85
PID 3660 wrote to memory of 4500	3660	spoolsv.exe	86
PID 3660 wrote to memory of 4500	3660	spoolsv.exe	86
PID 3660 wrote to memory of 4500	3660	spoolsv.exe	86
PID 4500 wrote to memory of 3744	4500	svchost.exe	87
PID 4500 wrote to memory of 3744	4500	svchost.exe	87
PID 4500 wrote to memory of 3744	4500	svchost.exe	87
PID 2400 wrote to memory of 1512	2400	Batman_ATK_Ware.exe	94
PID 2400 wrote to memory of 1512	2400	Batman_ATK_Ware.exe	94
PID 2400 wrote to memory of 1512	2400	Batman_ATK_Ware.exe	94
PID 2400 wrote to memory of 4196	2400	Batman_ATK_Ware.exe	95
PID 2400 wrote to memory of 4196	2400	Batman_ATK_Ware.exe	95
PID 2400 wrote to memory of 4196	2400	Batman_ATK_Ware.exe	95
PID 1512 wrote to memory of 1692	1512	batman_atk_ware.exe	96
PID 1512 wrote to memory of 1692	1512	batman_atk_ware.exe	96
PID 1512 wrote to memory of 1692	1512	batman_atk_ware.exe	96
PID 1512 wrote to memory of 1452	1512	batman_atk_ware.exe	97
PID 1512 wrote to memory of 1452	1512	batman_atk_ware.exe	97
PID 1512 wrote to memory of 1452	1512	batman_atk_ware.exe	97
PID 4196 wrote to memory of 3012	4196	icsys.icn.exe	98
PID 4196 wrote to memory of 3012	4196	icsys.icn.exe	98
PID 4196 wrote to memory of 3012	4196	icsys.icn.exe	98
PID 1264 wrote to memory of 3332	1264	Batman_ATK_Ware.exe	101
PID 1264 wrote to memory of 3332	1264	Batman_ATK_Ware.exe	101
PID 1264 wrote to memory of 3332	1264	Batman_ATK_Ware.exe	101
PID 1264 wrote to memory of 4688	1264	Batman_ATK_Ware.exe	102
PID 1264 wrote to memory of 4688	1264	Batman_ATK_Ware.exe	102
PID 1264 wrote to memory of 4688	1264	Batman_ATK_Ware.exe	102
PID 3332 wrote to memory of 3668	3332	batman_atk_ware.exe	103
PID 3332 wrote to memory of 3668	3332	batman_atk_ware.exe	103
PID 3332 wrote to memory of 3668	3332	batman_atk_ware.exe	103
PID 3332 wrote to memory of 3428	3332	batman_atk_ware.exe	105
PID 3332 wrote to memory of 3428	3332	batman_atk_ware.exe	105
PID 3332 wrote to memory of 3428	3332	batman_atk_ware.exe	105
PID 4688 wrote to memory of 1132	4688	icsys.icn.exe	106
PID 4688 wrote to memory of 1132	4688	icsys.icn.exe	106
PID 4688 wrote to memory of 1132	4688	icsys.icn.exe	106
PID 4496 wrote to memory of 3948	4496	Batman_ATK_Ware.exe	109
PID 4496 wrote to memory of 3948	4496	Batman_ATK_Ware.exe	109
PID 4496 wrote to memory of 3948	4496	Batman_ATK_Ware.exe	109
PID 4496 wrote to memory of 3888	4496	Batman_ATK_Ware.exe	110
PID 4496 wrote to memory of 3888	4496	Batman_ATK_Ware.exe	110
PID 4496 wrote to memory of 3888	4496	Batman_ATK_Ware.exe	110
PID 3948 wrote to memory of 4656	3948	batman_atk_ware.exe	111
PID 3948 wrote to memory of 4656	3948	batman_atk_ware.exe	111
PID 3948 wrote to memory of 4656	3948	batman_atk_ware.exe	111
PID 3888 wrote to memory of 4100	3888	icsys.icn.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1480
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:420
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4896
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4208
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3660
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1452
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4196
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3012

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3332
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3668
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3428
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4688
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1132

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3948
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4656
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3888
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4100

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3308
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2944
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:384
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1560
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3824
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\.ses"
  2⤵
  PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\.ses
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1832 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47c5c496-7d32-4410-8b64-05f3d07d5aea} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" gpu
      4⤵
      PID:3680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44b30dd0-ea5d-4367-89c1-ce9e3f2e3090} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" socket
      4⤵
      Checks processor information in registry
      PID:1100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3348 -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b537efd1-b050-461d-9e91-37846753e8f0} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" tab
      4⤵
      PID:4320
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -childID 2 -isForBrowser -prefsHandle 3216 -prefMapHandle 3172 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67916fe-52b4-48a9-ab4d-fe4ce176d587} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" tab
      4⤵
      PID:3068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4468 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef7f6237-6eb6-4127-b7a0-7533e269e4e6} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" utility
      4⤵
      Checks processor information in registry
      PID:3784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bd7d5a1-6bf2-4b3b-9467-46feaaeec69d} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" tab
      4⤵
      PID:3944
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b41138-3203-4f62-84b0-9e5fc4c084e3} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" tab
      4⤵
      PID:3912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5824 -prefMapHandle 5828 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23a55f95-f582-4564-8536-f7b8a20035a3} 3608 "\\.\pipe\gecko-crash-server-pipe.3608" tab
      4⤵
      PID:660

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4384
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4060
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3408
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2128
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a24055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
35f1c4345be9973e7564918113f858d0

SHA1
d8d5b0b27cf50a41865ef4af2339b789cb56d737

SHA256
3d5fbf32e1e2cb5b54ed51de3b999219d5434da564d7342fe23511369585506f

SHA512
d689730aae1e4190364cd713b3e845508e9383b12b6ee90af9fb5ff4cec5f1faf7bd534a1a65585bbf34abb18db340e0ed29eb0d2c29544a84a5a51c023cc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\batman_atk_ware.exe

Filesize
6.2MB

MD5
fcdf4e7f3d0b6b4afc1316a7f6181d6d

SHA1
38e6dee3a26ca8d1d3586cce2322c60570134dcf

SHA256
0c20d6429204dc1ecc8517881ad166f9323f9aea65039c1864762765cf14508d

SHA512
e466568690cd5a0d86895bb6ec87fa515f7eab72dd6de4e45481b41c80b3c0548b1f71eecdbf90ad6937a7f27448d61ccf0c7ecc7185447376b7e6cca9d6ec55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
ebbcd41fdbb7a7bc3f92e86b6ee31cf0

SHA1
41dc3f94ac82fbf5186b5101623d7d0020b05059

SHA256
1781e2ddace09a3de1cf2c68f3334f68012c00a32fb55dc652fb5506737797b8

SHA512
1a7235d76e9751c100d41210bc96a2699c6d157f5287cab1499ec0978e85a5c8ef3c5a1a41e8d2deffd47d8b489e4628dcb44f3ebadbd7cd471f5e9aaa60285e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
a864888aa32755ca2a5064166501dc28

SHA1
f1fb2a044269e9d434efb03b92cd9ebd74afd20a

SHA256
2eb480999736b4cf446de9a75c22dfbb2e584eecdad98aba4b27406823649498

SHA512
de9dbd5a90f9334532be55ef0f10ae83b0b8957aa3cc642751a8bbd9c39a459ec78aa7c055278ffc02264f516cb76f24b6c56d52101ed6194b605ebfbccfdc81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\722d65bc-fbf0-4645-b6e1-2362e256072c

Filesize
659B

MD5
288ed196b0560ef2cd32349bc2f278a9

SHA1
ee28e11f55ac8d5119244b7599c1101971cbd8f2

SHA256
67ce624e8b04ccb5e1409433631404a096c57bd52eb474fad9ebca17c2097106

SHA512
ddd9eb2c363aa54b8b352accc525bcb0cf6f7777a168cef8b86f1de88902f4ceefca401b4a596b825efe081b46e81ec288c32e85203ec5389ae19401f7e8089d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\a72d637f-1fdc-4a27-8a2c-a6a1e91de7e9

Filesize
982B

MD5
d1608ced5f9b2bd61ed9afb7169a6e2e

SHA1
605148fcf729e04f238dc49b41d3641a1053c194

SHA256
71e269394d04c70a9ff49d2b8d4dca2c9095cc3930f042c4c96a491a2e110322

SHA512
225f446caf1e95ebe2c781ad04d016f055b5e2117a121ac4a45a02a28a10f5009623777ef55fc4e34a8b2d0941b0db8276930a1156ca731f4edd0783ba75bb74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
27a9ab671507b537c2dd539a4035178f

SHA1
f4010fea9b2458935d161e466a748487d91665ff

SHA256
e1d70ef88cb2f7e38065d6667bd4df1ee1332a88cdec9e41ffcd5c5291368966

SHA512
19954ab14204f4a883d45bf8a6b062da0aa0faedc323a1bf9122076acc3dd12da4b9b473db09f83dbac1f4e81a3cf8c4557900c344cb5d37f8a9387094f9d5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
10KB

MD5
3ceea5c502dd9b4fc414da0864a805df

SHA1
a1807e384b49ac4c0fbdba8a8cbf5cf296b376bf

SHA256
ac8128715a61fcec1d915a90db5bc75dc07f7bdb0e59678a7e5926fd9932a8ee

SHA512
fc57b5101b3db0802651b807a6de4ac2404f6b93baf18c07b1a04432dec773283acabcdc277ea1de52fb70242983bfc2241aea4f0ba80cba2675af32796c3c8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e8a3872ce02eb93a5e85383edf7134a6

SHA1
94d0651a007036c349d58a6892580f2ed65ac03f

SHA256
30116c6f65fcda53423a5d0ffbb107b0cf4c9b8434556258e0cdec73969864f0

SHA512
ee9baa660aa94bc114dbb30f89689b0b296cda4eff9273933931204222193548555169760a7ef4dc619f722f57e6762a55b9d07b6a5f9cd36a64e207e1679fd2

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
52ba63335f94fbc8c11f548501f5dd5a

SHA1
991b81ec188fde62a83362961ad7379f2960451d

SHA256
2ff48a665066f077d0cc2fa9e34918987862ab14739db6cfca9cff5e87cdc492

SHA512
f386514bde96ebeb944f24587819ab79682e101ddc5431c6b0b8739b4fa6590851684e4722b9c074523e7a1d71e0cb13d24b005c469709f840952aac69633d73

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
a03fcaa8ace2272c31892fde6285054f

SHA1
3f7226733cd103c00d4726af4715f73975c6bbbc

SHA256
2865b373fe751f0f07393f0b8ea0aefaa0b4823a443dfb3c904663030f589f95

SHA512
793175f63bb7f6f1eba966d9ac62a9b79e0d4ed5a039c8d94982e5e849501ebc32f221d37c74f852b52ff9751cad5ca6d4d5ea35e4aa7515683f776f68d4bd92

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
b4c23243201a72590ca70a9639db73c5

SHA1
5254763c577d1a53298e28f6f81762cacf103c0a

SHA256
a5abf18e4aaf1a29410e19bfa01b973fecbc04c084397f098985076284a730b7

SHA512
667f329cb910c861e3f1e2603e5b0bbec4f142bec3a8f505f12b22539a42d6f20aab3e839a5b82cc2d161ffcf8a7cc63ce0f99c4f0f821f782004f1e9f6eb30f

Download Submit
memory/384-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/420-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1480-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1480-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-621-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2400-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2408-623-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2732-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2944-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-620-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3308-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3332-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3660-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3668-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3888-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4060-624-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4100-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4196-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4384-618-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4396-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4496-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4500-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4656-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4656-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4892-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4896-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5080-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5080-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads