73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2460	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2376	batexe.exe
2376	batexe.exe
2988	WerFault.exe
2988	WerFault.exe
2988	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2988	2460	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2460	2376	batexe.exe	28
PID 2376 wrote to memory of 2460	2376	batexe.exe	28
PID 2376 wrote to memory of 2460	2376	batexe.exe	28
PID 2376 wrote to memory of 2460	2376	batexe.exe	28
PID 2460 wrote to memory of 2988	2460	b2e.exe	29
PID 2460 wrote to memory of 2988	2460	b2e.exe	29
PID 2460 wrote to memory of 2988	2460	b2e.exe	29
PID 2460 wrote to memory of 2988	2460	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
1.3MB

MD5
cd2e147246a8f0dc58bad676a15048ca

SHA1
0382157b28b479809d4848771f63f209292dea25

SHA256
eee07142595f07a70af1c63f13f60f8d09efd8a1f565490bf5cf7cbee1bffc1c

SHA512
196cff5a99ab1de4fd542abf69f2416c59127edefad5b875b229f1744fa9591f1ee7b3730cf7822919194ea893624c97236dbbbc5b05c3f270cc8f66c59acaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
704KB

MD5
2bb8bf63c7d7958f71f9307c8635131f

SHA1
2362f18b011bd1e60fa078052821edefa33b8e08

SHA256
85151a35fd2a7ef587918c4702b2adbe0c3e7eed43bc8564a662ed03a6f3ce79

SHA512
59eba9edea2b2af76f261db76b15912b20070d75db7cf498d55a1bc13f11692d016c9a70ed447a784c874f6d11582112312f3d058443606eb4b6de349a4857ec

Download Submit
\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
1.6MB

MD5
4b3e3a3f84660472fb9714cd8feaba1b

SHA1
8561afb6ae0a1ab8a4d8364928811b66fcaf9da9

SHA256
006513b9e4310066d4cb66a1ea11b6619c10e428f5a1ccc39eab92e1d487f442

SHA512
a4ccf4de38da8d27dd065ef09b81a4bca708188c6102211faaa186ddd8f68b87381611da54cb6098758733c799e2a3450cb5cae66b58c29a4264d93f93a1edc2

Download Submit
\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
1.8MB

MD5
fed226671f9daab029aaea0c1bf6c527

SHA1
bacded51e7bf4d82a756351748d561b93e5d56ba

SHA256
e7bed9d6ba6c3e79ef43fb8bf34f6748645e87d47c743fc8ead2ad2003a41304

SHA512
d25d032e623e053e35bf23ba71a5432f3ac3b31eeaf9810352d0561d05e8335837ed0afee8cc0008fb1915646912ca08f134ef9e4aac9170aa63d6a254b57fa2

Download Submit
\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
1.2MB

MD5
05f6765e8266a1a7d81a80da7788444e

SHA1
e7afd0bf0dce889a026f4233c6705907083e6e23

SHA256
3256219f071d9bbeb2b3483abc7e647cbb550c0b74c415ace444bd8a334df9e8

SHA512
417d266a6eae32d630cf1322d3ab78f8547b09254ba3b5e2e544a7fd294de819754ab2f104ba2f3cab59a1fcfe7b0ea6f622712736079b7eec12a242b914293c

Download Submit
\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
1022KB

MD5
3dd22562bfb09b96f101680bf774d289

SHA1
f449cdb885b1220fb7e8b64087cf065375eca994

SHA256
9751ebe9dfbbd5cd061e4d35f835411ab14d1d1d903d27e67a854de07895687b

SHA512
e37ff1c219a07e447317e6fc7ec5f2a5749f1e011250e1589f99deec0835825b9531146c058391df4d21f2ce324e3a50d76a090e919c330bb90daeac13e435fe

Download Submit
\Users\Admin\AppData\Local\Temp\4588.tmp\b2e.exe

Filesize
958KB

MD5
98ecb3441a6913db3fbd4aae2952d1ef

SHA1
c8ff13636f17787efc972c15c9ab5588365b3de6

SHA256
a5f396805743cf6f2ccde9f456f6b5d6d5e05d8a3458f4d84b89ac9f98e1ee22

SHA512
96d8f989da2e93c796cd285069630dbdca9a2b1e282b8570747e47c367cbe30065f4f147b08f402c3a39ffadccc06179e9eaf875de0f5b9376de2a523b4ca0ad

Download Submit
memory/2376-12-0x0000000005AA0000-0x0000000005AA5000-memory.dmp

Filesize
20KB

Download
memory/2376-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2376-4-0x0000000005AA0000-0x0000000005AA5000-memory.dmp

Filesize
20KB

Download
memory/2460-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing