Analysis
- max time kernel: 293s
- max time network: 303s
- platform: windows10-1703_x64
- resource: win10-20231215-ja
- resource tags: arch:x64 arch:x86 image:win10-20231215-ja locale:ja-jp os:windows10-1703-x64 system windows
- submitted: 14-02-2024 10:01
Behavioral tasks
- behavioral1: sample batexe.exe, resource win10-20231215-ja
- behavioral2: sample batexe.exe, resource win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2288  b2e.exe
  pid 1336  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid 1336  cpuminer-sse2.exe (5 DLL loads)
- YARA rule match: upx
  resource: behavioral1/memory/5000-6-0x0000000000400000-0x000000000393A000-memory.dmp (batexe.exe, PID 5000, image region 0x400000-0x393A000)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process      procid_target
  PID 5000 wrote to memory of 2288   5000  batexe.exe   74  (3 events)
  PID 2288 wrote to memory of 2312   2288  b2e.exe      75  (3 events)
  PID 2312 wrote to memory of 1336   2312  cmd.exe      78  (2 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   PID 5000; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\B0C2.tmp\b2e.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\B0C2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B0C2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      PID 2288; Executes dropped EXE; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\batchfile.bat" "
         PID 2312; Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            cmdline: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            PID 1336; Executes dropped EXE; Loads dropped DLL

Reading the chain: batexe.exe unpacks a b2e.exe stub and a batch file into %TEMP% subdirectories (B0C2.tmp and B5A4.tmp), the stub runs batchfile.bat through cmd.exe, and cmd.exe launches cpuminer-sse2.exe with a hard-coded pool: the yespower algorithm, stratum+tcp to yespower.sea.mine.zpool.ca port 6234, 3 threads, and --userpass carrying the payout address DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ with c=doge in the password field. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe: the stub is a 32-bit process, so WOW64 file system redirection hands it the 32-bit cmd.exe. The useful pivots for detection are the pool host and port, the payout address, and the parent chain (a freshly dropped EXE under %TEMP% spawning cmd.exe /c on a .bat that in turn spawns the miner).
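The process chain above, turned into a detection over sandbox-style process records. This is an added example written for this page, not the sandbox's own rule and not code from any tool; the SAMPLE records are constructed from the PIDs, image paths and command lines in the Processes section, the parent links are assumed from the WriteProcessMemory edges (5000 -> 2288 -> 2312 -> 1336), and the indicator set (a stratum URL, cpuminer's -a/-o/-O/-u/-t option spellings, a %TEMP% image path, cmd /c on a .bat, a SysWOW64 cmd.exe) is the editor's choice. The stratum/option parsing is general enough to cover other miners that use the same option letters, which is beyond what the page itself shows.

```python
"""Flag a dropped-miner process chain in sandbox-style process records.

Added example for this page, not the sandbox's rule. SAMPLE is constructed
from the PIDs, image paths and command lines in the Processes section; the
parent links are assumed from the WriteProcessMemory edges 5000 -> 2288 ->
2312 -> 1336. The indicators checked below are the editor's choice.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SAMPLE = [
    Proc(5000, None, r"C:\Users\Admin\AppData\Local\Temp\batexe.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'),
    Proc(2288, 5000, r"C:\Users\Admin\AppData\Local\Temp\B0C2.tmp\b2e.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\B0C2.tmp\b2e.exe" '
         r'C:\Users\Admin\AppData\Local\Temp\B0C2.tmp\b2e.exe '
         r'C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"'),
    Proc(2312, 2288, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\batchfile.bat" "'),
    Proc(1336, 2312, r"C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe",
         "cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
         "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"),
]

# cpuminer option spellings: -a/--algo, -o/--url, -O/--userpass, -u/--user,
# -t/--threads. Short forms must begin a token so "-a" cannot match inside
# another option or inside a value.
POOL_RE = re.compile(r"stratum\+(?:tcp|tcps|ssl|tls)://([A-Za-z0-9.-]+):(\d{1,5})", re.I)
ALGO_RE = re.compile(r"(?:^|\s)(?:--algo=|-a\s+)(\S+)")
USERPASS_RE = re.compile(r"(?:^|\s)(?:--userpass=|-O\s+)(\S+)")
USER_RE = re.compile(r"(?:^|\s)(?:--user=|-u\s+)(\S+)")
THREADS_RE = re.compile(r"(?:^|\s)(?:--threads=|-t\s+)(\d+)")


def extract_miner_config(cmdline: str) -> Optional[dict]:
    """Return pool and credential details if cmdline is a stratum miner launch, else None."""
    pool = POOL_RE.search(cmdline)
    if not pool:
        return None
    cfg = {"pool_host": pool.group(1).lower(), "pool_port": int(pool.group(2)),
           "algo": None, "wallet": None, "pass": None, "threads": None}
    m = ALGO_RE.search(cmdline)
    if m:
        cfg["algo"] = m.group(1).lower()
    # --userpass=user:pass takes precedence; fall back to -u user.
    m = USERPASS_RE.search(cmdline) or USER_RE.search(cmdline)
    if m:
        user, _, pw = m.group(1).partition(":")
        cfg["wallet"], cfg["pass"] = user, (pw or None)
    m = THREADS_RE.search(cmdline)
    if m:
        cfg["threads"] = int(m.group(1))
    return cfg


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def ancestry(procs, pid: int) -> list:
    """Root-first list of Proc objects from the tree root down to pid (cycle-safe)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def find_miner_chains(procs) -> list:
    """One finding per process whose command line carries a stratum pool."""
    findings = []
    for p in procs:
        cfg = extract_miner_config(p.cmdline)
        if cfg is None:
            continue
        chain = ancestry(procs, p.pid)
        findings.append({
            "pid": p.pid,
            "config": cfg,
            "chain": [basename(q.image) for q in chain],
            "dropped_in_temp": "\\appdata\\local\\temp\\" in p.image.lower(),
            # an ancestor cmd.exe whose command line names a .bat file
            "via_batch": any(basename(q.image).lower() == "cmd.exe" and ".bat" in q.cmdline.lower()
                             for q in chain[:-1]),
            # 32-bit cmd.exe reached through WOW64 file system redirection
            "wow64_cmd": any("\\syswow64\\" in q.image.lower() for q in chain),
        })
    return findings


if __name__ == "__main__":
    for f in find_miner_chains(SAMPLE):
        print(" -> ".join(f["chain"]), f["config"])
```

Run stand-alone it prints the chain batexe.exe -> b2e.exe -> cmd.exe -> cpuminer-sse2.exe with the pool, wallet and thread count extracted from the miner's command line. In a real pipeline the Proc records come from Sysmon event ID 1 or the sandbox's process JSON; the regexes are deliberately applied to the raw command line rather than a tokenizer because Windows quoting (the doubled quotes on the cmd.exe line above) defeats POSIX-style splitting.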
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 2.9MB
  MD5: ea792ebd772ba0e254a81655cfdf1d79
  SHA1: a15be01c4a827fa16b6bd35b1b5f2031ee755e9a
  SHA256: fd661fd36a27fb5db475ff3453523bc9cd03828e829c0edeba08ac0c6cc9825d
  SHA512: ea0e569d93ca4a609e97acdddb47172a9136e6963b2b0f65360fedc24865b97f5a55714ba07c88c43e5900745ae72ac236bdc44262ea7a404201004df76b9499
- Filesize 2.2MB
  MD5: b6a558633dc13e01c86f714214bdd894
  SHA1: 95921cb72467d2a69885d7987fa6990ed3756e81
  SHA256: 85cd30b679653b5cc0ca0c6cb9e56e841122391168a2237121da79b28b9fd507
  SHA512: d55e570830a21e8ffe9d7a769576afce67fa05396d4450818bfa45132e1f10e5bf8f10026e9fa621f0451f8908d7c9bff9590f64a85d5048af173f5e529aa7c2
- Filesize 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize 960KB
  MD5: 5f088febb9167d9fa27631de416c40d9
  SHA1: 0e7cfc61e5cd1bb82c846c939d71388e2f9d5086
  SHA256: 869740b99a3d66f9e9decc133d9c3c4a2c14c3e7c62c512248da76f002387fce
  SHA512: 65e4cd0d550b852f50e426e53ff47bf1419a5cc1aaf07010b10b96f392148525950fd11dd3b1e8acda0916d288414629cde845cdc959ed7092e565ccb8ffa920
- Filesize 640KB
  MD5: 0f6af9e19fa927d88313e98d54420920
  SHA1: 0aff9c72864126107d6c630aafb9ed6512042afd
  SHA256: 71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734
  SHA512: bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be
- Filesize 704KB
  MD5: 903e2cfee96d720dd5200a922b637d07
  SHA1: f6d639d7b6bb586abcb5f97b1b212252ed6c85b2
  SHA256: 443ef0fe0e5e9cff04e267b1bbbbc98b547e5bd38a853eb79d06a43a8e7d17f2
  SHA512: c9c357be28d1d97bd5255d88bc64255f452867407c3aa4c99b286913286780da1204691a0344514f070b8bad391980a88b165eb1e8e9ee97f77ef02eb85071c2
- Filesize 64KB
  MD5: 7fcedb6e973c5df3b6652a2afafa6a13
  SHA1: 116728803559ab58a8127544df80b75a0dd1c6d2
  SHA256: fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825
  SHA512: 05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd
- Filesize 512KB
  MD5: a3dea3777f14f1235327b648410a9406
  SHA1: 9ab139a0c947962b3c471c36e8b9cca4d750c889
  SHA256: ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1
  SHA512: b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2
- Filesize 448KB
  MD5: 9d1a04f05f75671a5a3ffeb995176c52
  SHA1: a45018bb6a5dd52b310c1eb77262354365925a76
  SHA256: c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff
  SHA512: d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f
- Filesize 448KB
  MD5: 19a61444b6e2d01755ede80960bca19c
  SHA1: e0c7222784d3e2b3329ec3280648b17fd60ef209
  SHA256: 13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8
  SHA512: bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9
- Filesize 384KB
  MD5: b91f7bb5508b343188ec32dcc7880611
  SHA1: fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f
  SHA256: 47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b
  SHA512: a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0
- Filesize 256KB
  MD5: 1d86b9560854472453237bcbaa2e253f
  SHA1: 5a03a7902d250377a3e9f746badcb696e2c98228
  SHA256: 1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d
  SHA512: afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699
- Filesize 287KB
  MD5: 3d2fccf6fe9071e5d60625ceb1a20bf2
  SHA1: c798c3dc670d49e37229e4d5399fe66ba3eb0bba
  SHA256: 9368ecc157839426a98688181408fb212cbd8262898ef4c67c56f1d507118989
  SHA512: 7204cd54cbbd33cb48fb7282bec52b6b913cebcb3ebd8c9da9aeeea62c30caaa95bc5b930c31d014b9ae2dddb1f0ef37f17b14c9a5bcd4675289a9810a95748a
- Filesize 384KB
  MD5: eec15153c344f43f1919cb379b9ee2f9
  SHA1: 3e4a09390ac885ea2797209603bcfa1ec6ff0cc6
  SHA256: 4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222
  SHA512: 7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908
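A small tool for working with the Downloads listing above: it parses the report's hash records, validates digest lengths, looks a record up by whichever hash a SIEM happens to have, and checks a retrieved file against all four digests at once. This is an added example for this page, not the sandbox's own code; REPORT_EXCERPT holds two records copied from the Downloads section (the first in the fused "label glued to digest" layout that extraction produced, the second in labeled form, so the parser accepts both), while the size parsing and the matching policy are the editor's assumptions.

```python
"""Parse the report's Downloads hash listing and match retrieved files to it.

Added example for this page, not the sandbox's own code. REPORT_EXCERPT holds
two records copied from the Downloads section: the first in the fused layout
extraction produced (label glued to the digest), the second in labeled form,
so the parser handles both. Size parsing and the matching policy are the
editor's assumptions.
"""
import hashlib
import re
from typing import Optional

REPORT_EXCERPT = """\
Filesize
2.9MB
MD5ea792ebd772ba0e254a81655cfdf1d79
SHA1a15be01c4a827fa16b6bd35b1b5f2031ee755e9a
SHA256fd661fd36a27fb5db475ff3453523bc9cd03828e829c0edeba08ac0c6cc9825d
SHA512ea0e569d93ca4a609e97acdddb47172a9136e6963b2b0f65360fedc24865b97f5a55714ba07c88c43e5900745ae72ac236bdc44262ea7a404201004df76b9499
-
- Filesize 136B
  MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
"""

# Label immediately followed by hex, or separated by ":"/whitespace.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)[:\s]*([0-9a-fA-F]+)$")
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text: str) -> Optional[int]:
    """'136B' -> 136; '2.9MB' -> 3040870 (approximate, the report rounds)."""
    m = SIZE_RE.match(text.strip())
    return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None


def _clean(line: str) -> str:
    line = line.strip()
    return line[2:].strip() if line.startswith("- ") else line


def parse_report_hashes(text: str) -> list:
    """One dict per record: size, size_bytes and every hash listed for it."""
    lines = [_clean(ln) for ln in text.splitlines()]
    records, cur = [], None
    for idx, line in enumerate(lines):
        if line.startswith("Filesize"):
            size = line[len("Filesize"):].strip()
            if not size and idx + 1 < len(lines):  # size on the next line
                size = lines[idx + 1]
            cur = {"size": size, "size_bytes": parse_size(size)}
            records.append(cur)
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:  # truncated or mis-split digest
                raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            cur[algo] = digest
    return records


def fingerprint(data: bytes) -> dict:
    """All four digests of data, keyed like the report records."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def lookup(records, digest: str) -> Optional[dict]:
    """Find a record by any single hash; the algorithm is inferred from hex length."""
    digest = digest.strip().lower()
    algo = next((a for a, n in DIGEST_LEN.items() if n == len(digest)), None)
    if algo is None:
        return None
    return next((r for r in records if r.get(algo) == digest), None)


def match_file(data: bytes, records) -> Optional[dict]:
    """Record whose listed hashes all agree with data, or None.

    A record that matches on SHA256 but disagrees on another listed digest is
    rejected: that means the record was edited or mis-parsed, and trusting the
    one matching hash would hide the error.
    """
    fp = fingerprint(data)
    rec = lookup(records, fp["sha256"])
    if rec is None:
        return None
    for algo in DIGEST_LEN:
        if algo in rec and rec[algo] != fp[algo]:
            return None
    return rec


if __name__ == "__main__":
    for rec in parse_report_hashes(REPORT_EXCERPT):
        print(rec["size"], rec["sha256"])
```

Pointing parse_report_hashes at the full Downloads listing gives a manifest you can feed to lookup when a host only logs MD5, and match_file answers the question that matters during triage: is the file recovered from a host the same artifact the sandbox saw?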