73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2652	batexe.exe
2652	batexe.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2652-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	2344	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2344	2652	batexe.exe	28
PID 2652 wrote to memory of 2344	2652	batexe.exe	28
PID 2652 wrote to memory of 2344	2652	batexe.exe	28
PID 2652 wrote to memory of 2344	2652	batexe.exe	28
PID 2344 wrote to memory of 3004	2344	b2e.exe	29
PID 2344 wrote to memory of 3004	2344	b2e.exe	29
PID 2344 wrote to memory of 3004	2344	b2e.exe	29
PID 2344 wrote to memory of 3004	2344	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
833KB

MD5
29f22c869282fe1f5a894b7f5a50514a

SHA1
c18244e916124d778ef98c77c4a1ba45a682687e

SHA256
7f4fbc22317ed2e018420b1ad84d3eb9152425e21471c72af0d1bde7d5400439

SHA512
4d1a29b14d9f81b434d717bc57f733ec620a2fc02801b4d6d47e2cd3724fa181ebb781c0507477d2cb08ac81fad95c2715042ec531311d77d42d1402439ef0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
953KB

MD5
4ef01e21e9d290f2595d6fad3f041973

SHA1
d25b492421749774d45a299cb043ee18349b48ae

SHA256
ad67c864583e9f1e6cce9cf512a7771dcec3c56db281ab126a1dfb21a8367955

SHA512
121976a7f9872e0e1805535de6a38d9be2a63c7e28a5c92d180166673c687863de87ec7de50b4a1656abf2d0c01beee0c77cf4ef2cea853d9dfd6cf775a369e8

Download Submit
\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
3.9MB

MD5
0e174c917ac04f1324909128dcea39f4

SHA1
c8e2095c05aca81005da419ac804b479e6f00eef

SHA256
471671c7eb6697c7948fd841395f5dc55df43ad790e96f4e255c05d5dcc2a452

SHA512
b0608dfb7e2e2e844f41a7c6fea20ad8a1df9fa20e6fd4342a0929a737553ccade3c62c1d60aa9ea7b63f4c25b53d7b732df9120daa856e645bec6c0707f22f2

Download Submit
\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
4.8MB

MD5
6dc1748cbd0e96f85bc5cdf10c6639b1

SHA1
acf7ef21a278db482c1bd32fd3d69587a775f8d7

SHA256
6508b7be9b855ef16db391e9e343b4f75fb2408c0437929a577f7935fcc2012b

SHA512
65f5c7d5b2673a53485992ce118c8a516aa66ee4de431f39ada068dabf2855509a52895cb0753dcd8a66d46d2bdf7997425eb1059b623f215e8d999beec43cdd

Download Submit
\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
3.8MB

MD5
4291772617599bc4429074b5174b55d1

SHA1
572f087bfad4a0eea29599405cd605f90eacca99

SHA256
6d42ed9baadf835ec2ec853f0acbaba06fb0bd3650ecfc85799b05d11b425216

SHA512
31970a5f29ed8abce9234e4ad037219d438cde3b0c84921d208affee020308171333fa1206b4d231f47e5149c239619a7a2c23b5ed727eaab36e31ea2c5c00eb

Download Submit
\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
\Users\Admin\AppData\Local\Temp\1AE0.tmp\b2e.exe

Filesize
1.6MB

MD5
1e9446ffe80055b0d0681a975585d4f2

SHA1
e2b13091250549c39e6156044d3d826cfa7cc936

SHA256
6a5e65eb48e3c9f4a594a64b60d57436418cec87e75c9cf93d55746ef761e17c

SHA512
fc3ca72c1070ad153cb9f99b6a1665efb80d83005f575d70437af8d87164bff1c689305570feb80d84889a31fdc0ee1b375576fa9594ee303c2ab0776bf0e2fa

Download Submit
memory/2344-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2652-3-0x00000000059B0000-0x00000000059B5000-memory.dmp

Filesize
20KB

Download
memory/2652-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download

Analysis

Sharing