672080994fc581f09c4e199731f118b1ad2082f8820fdb6073a431892ed0f1b7

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Batman_ATK_Ware.exe
Size

6.4MB
MD5

e3e7697d0a03ef75f3d25fc45f6fe83f
SHA1

e986a4c0d9f19fa87ca3736ee5c7563c39b1a8f7
SHA256

672080994fc581f09c4e199731f118b1ad2082f8820fdb6073a431892ed0f1b7
SHA512

28febc863d94a98bbef7b05854312befa40989251304bc46c76e67112e4e6aff5fc9bd90857c05e08d949dbc809d0b150827eb6847aca501ccfc8c68ea77a5b6
SSDEEP

196608:CRuig9hoy6Enwc4GgpG0REca3Irq7LkmrbW3jmrT:Cci+WyotGgpGLcW7AmrbmyrT

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 8 IoCs

Processes:

batman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe explorer.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
904	batman_atk_ware.exe
4708	icsys.icn.exe
2080	batman_atk_ware.exe
1528	explorer.exe
2000	icsys.icn.exe
1120	spoolsv.exe
4672	svchost.exe
1100	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exeBatman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exe

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Batman_ATK_Ware.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	batman_atk_ware.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exeicsys.icn.exebatman_atk_ware.exe explorer.exeicsys.icn.exespoolsv.exespoolsv.exeBatman_ATK_Ware.exebatman_atk_ware.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batman_ATK_Ware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batman_atk_ware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Batman_ATK_Ware.exebatman_atk_ware.exe

pid	Process
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid	Process
1528	explorer.exe
4672	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

Batman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exebatman_atk_ware.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
320	Batman_ATK_Ware.exe
320	Batman_ATK_Ware.exe
904	batman_atk_ware.exe
904	batman_atk_ware.exe
4708	icsys.icn.exe
4708	icsys.icn.exe
2080	batman_atk_ware.exe
2080	batman_atk_ware.exe
2000	icsys.icn.exe
1528	explorer.exe
2000	icsys.icn.exe
1528	explorer.exe
1120	spoolsv.exe
1120	spoolsv.exe
4672	svchost.exe
4672	svchost.exe
1100	spoolsv.exe
1100	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Batman_ATK_Ware.exebatman_atk_ware.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	Process	procid_target
PID 320 wrote to memory of 904	320	Batman_ATK_Ware.exe	85
PID 320 wrote to memory of 904	320	Batman_ATK_Ware.exe	85
PID 320 wrote to memory of 904	320	Batman_ATK_Ware.exe	85
PID 320 wrote to memory of 4708	320	Batman_ATK_Ware.exe	87
PID 320 wrote to memory of 4708	320	Batman_ATK_Ware.exe	87
PID 320 wrote to memory of 4708	320	Batman_ATK_Ware.exe	87
PID 904 wrote to memory of 2080	904	batman_atk_ware.exe	88
PID 904 wrote to memory of 2080	904	batman_atk_ware.exe	88
PID 904 wrote to memory of 2080	904	batman_atk_ware.exe	88
PID 4708 wrote to memory of 1528	4708	icsys.icn.exe	89
PID 4708 wrote to memory of 1528	4708	icsys.icn.exe	89
PID 4708 wrote to memory of 1528	4708	icsys.icn.exe	89
PID 904 wrote to memory of 2000	904	batman_atk_ware.exe	90
PID 904 wrote to memory of 2000	904	batman_atk_ware.exe	90
PID 904 wrote to memory of 2000	904	batman_atk_ware.exe	90
PID 1528 wrote to memory of 1120	1528	explorer.exe	91
PID 1528 wrote to memory of 1120	1528	explorer.exe	91
PID 1528 wrote to memory of 1120	1528	explorer.exe	91
PID 1120 wrote to memory of 4672	1120	spoolsv.exe	92
PID 1120 wrote to memory of 4672	1120	spoolsv.exe	92
PID 1120 wrote to memory of 4672	1120	spoolsv.exe	92
PID 4672 wrote to memory of 1100	4672	svchost.exe	93
PID 4672 wrote to memory of 1100	4672	svchost.exe	93
PID 4672 wrote to memory of 1100	4672	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe
"C:\Users\Admin\AppData\Local\Temp\Batman_ATK_Ware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  c:\users\admin\appdata\local\temp\batman_atk_ware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:904
- - \??\c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    c:\users\admin\appdata\local\temp\batman_atk_ware.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2080
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2000
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4708
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1120
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\batman_atk_ware.exe

Filesize
6.2MB

MD5
fcdf4e7f3d0b6b4afc1316a7f6181d6d

SHA1
38e6dee3a26ca8d1d3586cce2322c60570134dcf

SHA256
0c20d6429204dc1ecc8517881ad166f9323f9aea65039c1864762765cf14508d

SHA512
e466568690cd5a0d86895bb6ec87fa515f7eab72dd6de4e45481b41c80b3c0548b1f71eecdbf90ad6937a7f27448d61ccf0c7ecc7185447376b7e6cca9d6ec55

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
69bbcfc0f187dd1c2acb2d2271963450

SHA1
a3a26ba6c734c714b4cbd58480e44a0738a633c3

SHA256
906ae9d0dc0c965670170a40eb61788b0333b068b2c316ab9299135ca9839c19

SHA512
14b8d1475c4e0a8e208dc461955a205a5696627fcbe095973f517539e0071f8992893c272a49eedba31d4a3982e1071e94bc773ad5bbb3eb0dcd39fd215db701

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
52ba63335f94fbc8c11f548501f5dd5a

SHA1
991b81ec188fde62a83362961ad7379f2960451d

SHA256
2ff48a665066f077d0cc2fa9e34918987862ab14739db6cfca9cff5e87cdc492

SHA512
f386514bde96ebeb944f24587819ab79682e101ddc5431c6b0b8739b4fa6590851684e4722b9c074523e7a1d71e0cb13d24b005c469709f840952aac69633d73

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
09dedfc46f122bad537318427cfdc7fc

SHA1
833bb7e84194cf3d67c2570f671316554391d637

SHA256
66f39e25e68f1de302a1647718bff0d5896df114f54b055329f210219aa519ca

SHA512
36db03553c9e3406d2760ae5ebef6ea915ebb73b444f4591d513475be236e84df1d70ef6fea51778c18dbf6fda9ebc5c1ec938d9c2c9a05b15dc37fea305061c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e06e3e9d467e640d36712bf02ae5a7b1

SHA1
41ab74d922a891a65c73c01a91a958b0aa5627d4

SHA256
f183669908d60efc48b2d61cbdfdaf9e27dbbfab1bd8572a11950df03dc5cc3a

SHA512
cd765a86ca5aa02b3966864bc5a159c83baec9ef011f31d169bd199d093e3195743cd35b9edd6e9253c52914ccad4b37bd7785118ab1856aac74cab225422c4f

Download Submit
memory/320-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/320-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4672-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4708-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download