73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2968	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2096	batexe.exe
2096	batexe.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2096-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2968	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2968	2096	batexe.exe	28
PID 2096 wrote to memory of 2968	2096	batexe.exe	28
PID 2096 wrote to memory of 2968	2096	batexe.exe	28
PID 2096 wrote to memory of 2968	2096	batexe.exe	28
PID 2968 wrote to memory of 2624	2968	b2e.exe	29
PID 2968 wrote to memory of 2624	2968	b2e.exe	29
PID 2968 wrote to memory of 2624	2968	b2e.exe	29
PID 2968 wrote to memory of 2624	2968	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
3.0MB

MD5
9124cf18db105e69853f9697dc1ac795

SHA1
135d2045ac57ea5518eff85ba446d2a8584aeeee

SHA256
e2b068c758011b6b8b1f0320741aa16f702e9a88f9719b00fb5b34d0ba364aec

SHA512
58c7a40b06ade2612f791e89a88d680eda910306f035aa151444c5f98b76182a6395c6b38db02c0c19b8ee2f233be0088cb4f6df28ab7cceb57612bdc76e9080

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
3.5MB

MD5
fdadcc6e8b19a1d79e82467276245827

SHA1
e80f17ca7cebcd87eb19d30ab7c22d7793e7d070

SHA256
6e9730a7d90ca121f2a4f6d19be16d6a0b692684fc813ba47c052d311c562482

SHA512
73c84428e15106b6ba5b1e5dcf7e1d39af1fa20546dad506d466e2f99df7eff67e41a533bca21b0a458488ee42c72c836f8dfcd10cb8e7ea2b410e8c95665759

Download Submit
\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
5.4MB

MD5
66091f44e63bbc16779eaed3d6e0561c

SHA1
aad8f2791fd7749af0f59c2b5c4998ff81749145

SHA256
d568f7844f45f190bda4ec0260a7053209dd08af1c5409fb0cb05b20cf122f10

SHA512
37ebc6dc02d0f46231bfe39b3a7b9f9edad4a2c70702668460e2da6cd4501ee52c1f58a1708b8d39ad82b9ceb7afe120bb11a8b3a820662d09d2f7902bc7f793

Download Submit
\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
3.9MB

MD5
0e6541e0cbe781797e22bc71d7f18342

SHA1
43a8f83c27418d20c8c4ac1649c363a8e28b2f64

SHA256
e28980358ed67cdf77b70ac672ff82181d11390bd76d661c623e52548637992c

SHA512
7c9efd4586ebbff242fa55cbaf36ffcfe715834b3659054412857c0f7a2452ddd92b09eba5f9b3d01e49668a35d484e5b7700d91db5209fe8497b41310450b3d

Download Submit
\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
2.5MB

MD5
c9635d28f0de460c32ee37c68c804b82

SHA1
5270793cb23dfd38f8ccaf0703f542a262e5f292

SHA256
f83552dff0ccd64d01b50e082e3212a8011bbc75c3c98c95c2d5e5e0cf7886d0

SHA512
60d61244ceee6784d83ba931fd7e0656f19ef84465dfb70b0787b620e976b2d3a28d8883fdfbd1068d3c7e123e27463e8a27c1c7d61ba9d65c6ea6de9d2be245

Download Submit
\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
2.9MB

MD5
4bbde7dce5235afbe5cfb3f2ec5488ba

SHA1
81ef4313ee9776fdb737d401646568fc0c7c0972

SHA256
d5365648e2a091ab6fc02d8183cce099c249bff23cd49ceb635d95cb5b2ac72b

SHA512
04348043bc56f92c9c454112234235bbcc30ac5c4c7bdb2d2f414fbe8059c5d4236d2d46fb48047f130d25a5eba09ae323d79b1bca01e0942c895f0f924ad871

Download Submit
\Users\Admin\AppData\Local\Temp\3F.tmp\b2e.exe

Filesize
4.4MB

MD5
cb619ce8e3bb12dafe2aec312e563396

SHA1
bc123e3b41bf7a54c04dc1196e2a3b4c0e55c32f

SHA256
e9cfc708c204a4b90b8a2c2f4d01bb9fe997e21166e80efae5aa1eed4523d776

SHA512
33f93f006961cae58a85f2bfc01f674fa3033003312ff671677dd301f0853f1fe776bfb777b15d31106385d50bc54f3cb8326519f2746b827d7d484e4254324e

Download Submit
memory/2096-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2096-14-0x00000000059B0000-0x00000000059B5000-memory.dmp

Filesize
20KB

Download
memory/2096-3-0x00000000059B0000-0x00000000059B5000-memory.dmp

Filesize
20KB

Download
memory/2968-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing