73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2196	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
3028	batexe.exe
3028	batexe.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	2196	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2196	3028	batexe.exe	28
PID 3028 wrote to memory of 2196	3028	batexe.exe	28
PID 3028 wrote to memory of 2196	3028	batexe.exe	28
PID 3028 wrote to memory of 2196	3028	batexe.exe	28
PID 2196 wrote to memory of 2004	2196	b2e.exe	29
PID 2196 wrote to memory of 2004	2196	b2e.exe	29
PID 2196 wrote to memory of 2004	2196	b2e.exe	29
PID 2196 wrote to memory of 2004	2196	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
3.6MB

MD5
2a58aa86deac2c99323c788735dd53af

SHA1
eeac6b8cceb22a47daa1590f4dbae8e3c7c27c92

SHA256
fbd061c4d55ef74a2b1fbefa8f244ffb9e63df4a7f16083d7a9920fee83a0305

SHA512
22598586f1fc5ef20ddc7f840402716a660917caa0f26628eb943928d458688f698e66094d3cf2cd6865baa1b32ba61d1e05103abfafe98e72d30668a6b7ec57

Download Submit
C:\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
3.2MB

MD5
2db036d5c6ee14a03989ebdb7c3483ec

SHA1
b8a77fdc5a2827ded07b83dca5dff3273280381c

SHA256
2366fb0aa688f6c642f2fe33b1dcbd61e1af46f657a46704ccf46b471e1a628e

SHA512
a3c45337094c2a0c4f3e07237518e463b3dc927b1be9e764bc96b1e687e1bf3314daf4a9eb67edb5951101a6836491bf35fa767019a18b37d83d599d02df2900

Download Submit
\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
2.7MB

MD5
841d8b14bbc14ee87605e6b63b63b3d8

SHA1
10bf4c0504741a180ce89fef22f99a1a48cae55b

SHA256
81887652cde8eeae0cad9cfdf2f9cd62bb5a592f77a9586a5152fd9e51390866

SHA512
7efbcc59fdf2b09f493abc09f59c81a4cfb31424171d12a741416bb76627843d05c446ef9709ef7f916b050d6000bfb5523e3ac7bc062c117b2e95b496b43a3b

Download Submit
\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
3.0MB

MD5
df051cdd1a1f76131849f9d8b32ba161

SHA1
c4354ec67591093c3f02c987ecd4d4c8781457bd

SHA256
28f3e879833c4d7ecdf7952ad39f2212dd3a1091f5b86ae3cc4ed3f901b852b0

SHA512
8e8f3a49523240415b8955e59bc0155c799eaf0c59390e830260d04cf3036bcb75692fa0ef48feadd3a3a46a4102886139cba8aec5a314fd669009560e78c5d6

Download Submit
\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
2.2MB

MD5
639aeac55d9fe73567b44e71f6f252e1

SHA1
3f6b261304f9f500007f683fc0e636988a41595f

SHA256
2b4638015cbe5d0333bd7e51400cbcbcc06a3f798d5bf2e1f6bf457dce874317

SHA512
850ee6033466ba44af874d459d309b8909da50e505dec9963725ffd074d7fdef9f8a4159da095a1b5bee9c4ab2398009e76cf3972e3cb18e85a326aa2a65b63e

Download Submit
\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
3.5MB

MD5
cd08cc0d068680357557c1551f50af31

SHA1
5e27c82cccfb51a3803a99bbb48043304060557c

SHA256
aef0b2dbd0f3661faf795b10cd1f35f73467223b89ce4d993b082ff987b2d306

SHA512
21649db8832f443f814add680d9963931a88d8a0e316c098b8cd0b4840e721c0ce4f42b5802b9b71a83f6409f54b5b43c7584de40f0a29350f5238d62c026643

Download Submit
\Users\Admin\AppData\Local\Temp\1822.tmp\b2e.exe

Filesize
3.5MB

MD5
21c37319ac98393caae0e01eddfbfc92

SHA1
e17042e87fd11b4a0a7a6069c9e26f608d343f4c

SHA256
412d0ce621a83907a1cb0b7b92a7e6564048e290a5efbd40745f749b09a9d6e8

SHA512
9953d5e4fae2349f7041251a748d909ea920162ec282f7a00f2839951351381c7fc4c8bf0c24752b3bc6a0e206d6cacce7a02b43b33d815dab85cdbdef54987f

Download Submit
memory/2196-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3028-10-0x0000000003A70000-0x0000000003A75000-memory.dmp

Filesize
20KB

Download
memory/3028-13-0x0000000003A70000-0x0000000003A75000-memory.dmp

Filesize
20KB

Download
memory/3028-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download

Analysis

Sharing