73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2624	batexe.exe
2624	batexe.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2632	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2632	2624	batexe.exe	28
PID 2624 wrote to memory of 2632	2624	batexe.exe	28
PID 2624 wrote to memory of 2632	2624	batexe.exe	28
PID 2624 wrote to memory of 2632	2624	batexe.exe	28
PID 2632 wrote to memory of 2744	2632	b2e.exe	29
PID 2632 wrote to memory of 2744	2632	b2e.exe	29
PID 2632 wrote to memory of 2744	2632	b2e.exe	29
PID 2632 wrote to memory of 2744	2632	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
307KB

MD5
d94295fcd2cd7be35052f3c160a5f41a

SHA1
eceb4800bdfe96b22fde724fd4c0d1d5e7c971be

SHA256
643a3b7f772cbf3e0271dcb85bcf478eeefe48afb086db895d763e954765edfd

SHA512
c15fbfc1ab45c973b803f558370fc8a2f8f20b80ae852f1ef265682a80159d9a1a4c3c0600388112ddee5a0f945dbe8a54cce4bd918f10467df8d642f7ed60c2

Download Submit
\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
740KB

MD5
4f83d1dd9c18fd5d29f608c8df48c5b3

SHA1
0ca1cf55ec1bab5af0242a2eecdab52f6c450ff3

SHA256
3a85833e7e562d31fa151626f217227723ec515c976d6ba626229d87861703da

SHA512
b3d8d58adbd6727218fe2fa0cbff649c3b9380822da6071a76e8ae3c83645c67d1834ab42312ebd2959b0251334f8d5c6e26226010348c5b462f74cfe667df18

Download Submit
\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
1.1MB

MD5
c8ddb9a1b99b955d28ce987616dc783a

SHA1
6a50a41aac042de84cbe5fe9cfa8ef171c1a15ba

SHA256
d42d045c7eaec84a0576fa2d1e67566cd65686605e6f66217c2da6ec9faa060a

SHA512
8804aa717bb5d9a88543175afd4ed3363ae6d1ff9846379f9bbfb7ff1b49cf0031fd6b1cbb0b1491a94d1158663021c8bf56c47050f3192b62a0c5bb5499d397

Download Submit
\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
1.1MB

MD5
76a4a072ddb711617a45521dba24dd60

SHA1
4fe25dfedef2ceed1197a1a79e7da9f2ec65d632

SHA256
260d399b5402234989a0414fb57e4b689aee3d3ba3ba80229aad1143ef0a940c

SHA512
1ea53ce737fc92a293b96b016e768e4b16876c7206dd984431dbcb8f379c115c067c3216fa1d9cffc892701cc25e1c245c76add9f6c2f45a7ebb518913242b1e

Download Submit
\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
753KB

MD5
e5846bfa9dc2238062612f8b178bf9d7

SHA1
6e3aff8dee23aa021edafb8931d1a035f4f0c1eb

SHA256
8a37e6436d881522994c7de8577ae9d2c0f02f1004621baa278a81e6f8e8ba26

SHA512
bb9938f3ce643b21a1fe6ecdfbd43d4c1b8ce08c87d3d73b4844bdbbfeb6002b9904cd25f530be4fbcac1468123e9f0570e75b0842c5176c9eea076219dd615c

Download Submit
\Users\Admin\AppData\Local\Temp\816F.tmp\b2e.exe

Filesize
320KB

MD5
88364d3a1722b83013616c5ae51fd6d7

SHA1
d6727613607431104a14f30001a7e1af8e2bf026

SHA256
70ea586c99e68feae0fd4579a9d93d4e0fd46b623f35b3cdbcf4fca2f6e3e6d4

SHA512
ba46a975471bad7f3aa1f333317fb152eab233934af7d648454cfbf2bd852d7745906fc407c5a4a6c60d78368486587f21aeaf9f12dbdf684de818c8e06a9e43

Download Submit
memory/2624-3-0x0000000005960000-0x0000000005965000-memory.dmp

Filesize
20KB

Download
memory/2624-11-0x0000000005960000-0x0000000005965000-memory.dmp

Filesize
20KB

Download
memory/2624-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2632-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing