73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Resubmissions

23/02/2024, 13:44

240223-q15f4sbe2x 7

23/02/2024, 13:12

240223-qfv2yaha39 7

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2312	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2212	batexe.exe
2212	batexe.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
916	2312	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2312	2212	batexe.exe	28
PID 2212 wrote to memory of 2312	2212	batexe.exe	28
PID 2212 wrote to memory of 2312	2212	batexe.exe	28
PID 2212 wrote to memory of 2312	2212	batexe.exe	28
PID 2312 wrote to memory of 916	2312	b2e.exe	29
PID 2312 wrote to memory of 916	2312	b2e.exe	29
PID 2312 wrote to memory of 916	2312	b2e.exe	29
PID 2312 wrote to memory of 916	2312	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
91KB

MD5
f464b6e4fc13772ccf5dfd17a449daaf

SHA1
3412a562838c57f704ae40a2c4fbba5abd60d27d

SHA256
0aba3c5ef34a27fca1e3333461908f82f66ca92f2fceb85a1e627e68ccce4c08

SHA512
c8db982351a57fd08700461098ce46e72d4151b27a533e1522b219ae954bac12a66da5b95936df6a3ff573b8f7a3c6baa63338ff53e901a299b4751517b79120

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
4.6MB

MD5
7d7868459691a2c328873b785a431e5c

SHA1
6c3ff9e0d21a95df0900c498d1bd6b29b6a780d9

SHA256
fc1461f288f8798085b382f92a49c1f41127d18a15ff96d5c772f58a34c032c5

SHA512
e6cd8ff58d9b05ea241678f213047b679b1df9787d5f3608015764a4bf3b46bfb6c76e6b6c7407cde0c1200d5c95720a602a857710b3fe615990f4cab5269b63

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
331KB

MD5
468261090ee9f344b82af5f3f203ec67

SHA1
985001f38f221e7fb1b35d9194e3d36fad0b063b

SHA256
2c085d47e87f6a396efb96808f668f4b57c099bdebf62048d58b2887bcea53a2

SHA512
f2cd259856b8dc95ae7a222c8a063c4c2b573ce4a3238d272fbc67637e001063bf3ff741b50a8253b38b16eba201e631a1737e27f3628204716de7fe8bd5b941

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
576KB

MD5
119b67967e9fb70b35b10846a211451e

SHA1
a53f0b93594f8a1a98dbfc74d9618e75ae25fc0e

SHA256
4cadf7e8122358ea260269b67f2c45abd114ee61349ac9a859f26ede9cd873ae

SHA512
eecc92eaeb53ce2bdd5ebaab56ca3a6b54f8eb1cf789f3af972ec2d0a16ddf2aedc08bda97f7dd765ae46f9d506bc397dc2aff1f9fedd74e3e042bb48459ed5e

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
42KB

MD5
f617217da7d5b32711786e02bc114045

SHA1
b10f54f48ca26502ed5fe8aefcd2e75e0a0deef4

SHA256
84e34ca3918b29d6e8bca22cd17858c6def01165d118e98ddc82fb93540ec45e

SHA512
012a83eb03c9a28596c825b044fe821379cf441da3486e54489d8faf900e1ca61ad13883c25ff2a83ce29ab88952d164e416633064b824468e20c18b1f7f84c6

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
384KB

MD5
3c0bec088d86bb620c8b42308d6098b3

SHA1
f486f2b80f76da0966fb3ccbc33fb96a4f890835

SHA256
1dfda8d76528af8231198a0ad4cbb09b05155c5e35f565ca78f81db527841d07

SHA512
bc4a62dacaf7990d21cc1bc04412acdd80659371fb4205065e0e917885076be8615d766f6640683642603c1c0e551efde0236acb3d6a772dc1af263cb1627414

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\b2e.exe

Filesize
5.0MB

MD5
72d9b7f2eeac27d69ac861be4a4e8fcc

SHA1
e5be26aac105e0798572e5b201b4a91f1299586b

SHA256
977b567b21ec9f5f89cc8d11b70be633634a1c9953f34b206059965a548de849

SHA512
9b5a425e3cc1b971e776c477625d5e14aa397ba58f0e631ee0247a7b633c49ef400047a0508b897e4ac1ab9b6eadd26436e75f21dc8681ecb62dec47ebb98dd3

Download Submit
memory/2212-4-0x0000000005AA0000-0x0000000005AA5000-memory.dmp

Filesize
20KB

Download
memory/2212-12-0x0000000005AA0000-0x0000000005AA5000-memory.dmp

Filesize
20KB

Download
memory/2212-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2312-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download