Analysis
- max time kernel: 300s
- max time network: 305s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 18/02/2024, 03:21
Behavioral task behavioral1
- Sample: batexe.exe
- Resource: win10-20240214-ja
Behavioral task behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  (process: batexe.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  (process: b2e.exe)
- Executes dropped EXE (2 IoCs)
  PID 836   b2e.exe
  PID 2368  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  PID 2368  cpuminer-sse2.exe  (5 DLL loads)
- yara_rule upx
  resource: behavioral2/memory/5240-5-0x0000000000400000-0x000000000393A000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 5240 wrote to memory of 836   process: batexe.exe  procid_target: 85  (3 events)
  PID 836 wrote to memory of 2604   process: b2e.exe     procid_target: 86  (3 events)
  PID 2604 wrote to memory of 2368  process: cmd.exe     procid_target: 89  (2 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 5240
   2. C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 836
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5C92.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory
         PID: 2604
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2368
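The process tree above is the whole story of this sample: a Bat-To-Exe stub unpacks b2e.exe into a %TEMP%\<hex>.tmp directory, b2e.exe has cmd.exe run a batch file from a sibling %TEMP%\<hex>.tmp directory, and the batch file starts cpuminer-sse2.exe against a stratum pool with the operator's wallet on the command line. The following Python is an added example (not part of the sandbox report and not code from the sample) that turns that chain into detection logic: it parses cpuminer-style command lines for the pool host and port, algorithm and wallet, walks the parent chain of any matching process, and records whether the Bat-To-Exe stub and the cmd.exe-run .bat appear in its ancestry. The event records are constructed from the PIDs, images and command lines the report shows, plus one benign cmd.exe as a control; the pid/ppid/image/cmdline schema and the treatment of xmrig's option aliases as equivalent are assumptions.

```python
"""Detect the dropper chain from the report: Bat-To-Exe stub -> b2e.exe in %TEMP%\<hex>.tmp
-> cmd.exe running a .bat from %TEMP%\<hex>.tmp -> stratum CPU miner.
Added example, not part of the sandbox report.  The event schema (pid/ppid/image/cmdline)
is an assumption; map your Sysmon or EDR process-creation feed onto it."""
import re
from urllib.parse import urlparse

# Constructed events reproducing the report's process tree (5240 -> 836 -> 2604 -> 2368),
# plus one benign cmd.exe as a control.  ppid 1 stands in for an unrecorded parent.
EVENTS = [
    {"pid": 5240, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\batexe.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\batexe.exe"'},
    {"pid": 836, "ppid": 5240, "image": r"C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe '
                r'C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"'},
    {"pid": 2604, "ppid": 836, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5C92.tmp\batchfile.bat" "'},
    {"pid": 2368, "ppid": 2604, "image": r"C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe",
     "cmdline": "cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
                "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"},
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\Admin"},
]

STRATUM_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tcps", "stratum2+tcp"}
# Bat-To-Exe stubs extract to %TEMP%\<up to 4 hex digits>.tmp\b2e.exe and run a .bat from a sibling dir.
B2E_STUB_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{1,4}\.tmp\\b2e\.exe$", re.I)
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{1,4}\.tmp\\[^\\\"]+\.bat\b", re.I)
# cpuminer-style options carrying pool, algorithm and credentials (xmrig uses the same short forms).
VALUED_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url", "-u": "user",
               "--user": "user", "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads"}


def parse_miner_cmdline(cmdline):
    """Return pool/algorithm/wallet fields if cmdline is a stratum miner invocation, else None.
    Plain whitespace split on purpose: shlex mangles Windows backslashes and unbalanced quotes."""
    argv = cmdline.split()
    opts = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:            # --userpass=WALLET:PASS, --url=...
            key, val = tok[2:].split("=", 1)
            opts[VALUED_OPTS.get("--" + key, key)] = val
        elif tok in VALUED_OPTS and i + 1 < len(argv):     # -o URL, -a ALGO, -t N ...
            opts[VALUED_OPTS[tok]] = argv[i + 1]
            i += 1
        i += 1
    url = opts.get("url")
    if not url:
        return None
    parsed = urlparse(url)
    if parsed.scheme.lower() not in STRATUM_SCHEMES:
        return None
    user, password = opts.get("user"), opts.get("pass")
    if "userpass" in opts:                                 # wallet and pool password in one option
        user, _, password = opts["userpass"].partition(":")
    return {"algo": opts.get("algo"), "pool_host": parsed.hostname, "pool_port": parsed.port,
            "wallet": user, "password": password, "threads": opts.get("threads")}


def ancestry(events, pid):
    """Follow ppid links from pid to the root, returning the chain root-first (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_miner_chains(events):
    """Flag each stratum-miner process and record whether it was spawned through a
    Bat-To-Exe stub and a cmd.exe-run batch file in %TEMP%, as in the report."""
    findings = []
    for ev in events:
        miner = parse_miner_cmdline(ev["cmdline"])
        if miner is None:
            continue
        chain = ancestry(events, ev["pid"])
        via_cmd_bat = any(e["image"].lower().endswith("\\cmd.exe") and TEMP_BAT_RE.search(e["cmdline"])
                          for e in chain)
        findings.append({"pid": ev["pid"], "chain": [e["pid"] for e in chain],
                         "bat2exe_stub": any(B2E_STUB_RE.search(e["image"]) for e in chain),
                         "temp_bat_via_cmd": via_cmd_bat, **miner})
    return findings


if __name__ == "__main__":
    for f in find_miner_chains(EVENTS):
        print(f"pid {f['pid']} chain {f['chain']} pool {f['pool_host']}:{f['pool_port']} "
              f"algo {f['algo']} wallet {f['wallet']} b2e={f['bat2exe_stub']} bat={f['temp_bat_via_cmd']}")
```

Run against the constructed events it reports a single finding for PID 2368 with the chain 5240, 836, 2604, 2368, pool yespower.sea.mine.zpool.ca:6234, algorithm yespower and the wallet from the report, with both ancestry checks true; the control cmd.exe produces nothing. The wallet and pool host are the durable pivots here: the stub's %TEMP% directory names and the miner binary's hash change per build, but an operator reuses the same payout address across drops.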
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14.8MB
  MD5:    9b09c129be2b578cb0b77153f9773970
  SHA1:   ca614ad00f31c2edacaa3a1f1a71b6405e991f30
  SHA256: 47e21900706aef859211893d9f8251bf01134e0ed9a91af3f9ce831b3b8565bd
  SHA512: 2cb7bc5c5c3e4087120000c4e929b103d24bc452d5ae6b995257990536ed576409b975800e13da8b09715cf7a88390107add2a2470366153bba945685375efe6
- Filesize: 898KB
  MD5:    3e22f41c1121437c170ec22cd3539713
  SHA1:   6e9369fbf7634339e65487417798c28429eb9609
  SHA256: 46f6907fd26468e923d22ea93c95eaee3ba030bbac9db749aea989bf37d9baf6
  SHA512: 82b039d418d4c8fb5ab0dd8916009cedadd072ea53aca64aaf6ad186f5399680a7f23169a4f828340041a51572d2f3a2b4814e754787a07aa2e25de1fa52a500
- Filesize: 78KB
  MD5:    affc542ded9dabb0b582cf2bad98bb67
  SHA1:   14cfb2da0f8c0d2f12f22cddc7c0459eb1de37bb
  SHA256: e001293c9abb393c501260b545c356577cfc1322e341559dd904a2f4e9b41a17
  SHA512: 0e6746662f1f8fd0e6baf5f5d36f547c8a0f7b1bafd5ca62220cee1f3e79cd7f6c0785f0c2671ee49af04cfe9fd2c1a3ca57f5b7ddc0e3f5e221a8a0e12c36ab
- Filesize: 136B
  MD5:    8ea7ac72a10251ecfb42ef4a88bd330a
  SHA1:   c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
  SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
  SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
- Filesize: 1.2MB
  MD5:    ed2636f6462778ba1696ebce004dda34
  SHA1:   f6d3823901a4913ba99e13c4a71a2bd27838d31f
  SHA256: 359d243e78e4323e8b049bbb1cde4c8511da0dcd1b7f8cae3e4bf6fb894ff091
  SHA512: 8dbb2b866c6a1b4eefbede79cce4e7c3e329fe2eb231f9f057bb9d5f843d400e5e7e6e3b5a91584cfcb1ce52209f38041d5cd605f487b078709ed6a61433d96c
- Filesize: 1.3MB
  MD5:    f03efe7c4a1e0e6d69d20618c830e6cd
  SHA1:   5d48330237332c36ddf568104b3505d0cf8bfb19
  SHA256: f2069113c30f06beb00f2ec316eac7a5dbc1717d304ad715ec678d654b0a1b66
  SHA512: c1ab69fe273855efcf547573d77c34240a33d54fa912037fe2dbd736343f0b0e44f05426bd27e774c48f7ea37d9ae8b845001cdc00d0369d50dd56d5ea8a29fc
- Filesize: 603KB
  MD5:    5e9fca14d28765410d1662a1ec9ae42a
  SHA1:   67fc89edbdc5b1e6a2de1a4518f630adad160186
  SHA256: f32e5505a964d616070ff66e8dc90ee03df20309e045875238f26790aba42187
  SHA512: b324933c610e2082dac95ce543dcd2e5090be50c7df3df7b0b6b4e9948c2256fdcd518991380eee99ec24aeae9e15d22cc5eb33a014783ce68fe824e864411be
- Filesize: 699KB
  MD5:    c01746b5a2dbe7f1f3f39eef50b1a985
  SHA1:   482a7f2d37eb496ac341e1b109e3c9e3a26658fe
  SHA256: 5c974e18a7d702595ff6ac1e3165ff83f0d29deb772e865e19243d99e4c5c5b4
  SHA512: cf36bb737f0c94cc520a5f7cd4a2a6961c5e8d97bff6a5e21808a67e55f080d863b0d546f2255c1fadc7b949ee9f5c67fb0931b5566c871bb35f6e17f4426d5c
- Filesize: 1.1MB
  MD5:    4e2d1c598a06933d59213aa1f1eaaf83
  SHA1:   55a9ad84d71100c4fb668f6212e0d073f9974a9f
  SHA256: 4430ce991405e97221076db15fd3ebf764c0553ad21f5a0b47abab01f1ff6a03
  SHA512: 507a002cfee776dc61a0a46f6bf5938977b691a23a799d5dbcd16f445cd2cdbbb964f4f08ca7c562995ebf8b5e85e25508a57c7807b6f04f967e1b4a76c858f9
- Filesize: 875KB
  MD5:    5715b2129e16aaeaa4bc93a5706dced0
  SHA1:   ef139deff2a9325a8f59dcbe9067a0edeb22b398
  SHA256: 1d94213df65bde510f227c26ee7fb419b523594a4f4b3eda66273410700f6e71
  SHA512: ebe6504c564a2907db923bc9082772caf8d2707207c13eb07f5dc8994438adb743b39dce4ef743b333c0421f8ac59aa2faf711521bc982828f0bd55e6dd15b10
- Filesize: 1.1MB
  MD5:    fc82b0b7afc489fdcf432586b32f0656
  SHA1:   b20cb680ca1067f82695a7e744381db3943e96d8
  SHA256: 84be72b3c6b71b2182287be83ce3957a56286d26236474e1a6c15239170c1225
  SHA512: d08197de5c13285e6d3bd57d9011be3aedaa9acaafeaee53c2ea5fcb7b982acbf1170169671c957b453e9e60142e3e3c06181219bc4812127c03d94677762613
- Filesize: 932KB
  MD5:    6c31b7bc9578c43a460690a743709c6f
  SHA1:   0420ab83d3ead914601e737333bc34aa7f57eb64
  SHA256: e57dacb7f7d9bbfacc495ece7567f6fba7865239d957e86d73135aaf41f4ab51
  SHA512: d8075529870b6838506567315e1e370da1939755d635e1d3c7a089d48a05b62bbdaf0137756d9bdcadaccf3a54dc59b561eb16d303879c792294eb0ed4dea179
- Filesize: 830KB
  MD5:    ab91eb752617b6d80a8907939fa3acc8
  SHA1:   eb235e12b78e57a9ca9a50079cb1a34ff8ea558e
  SHA256: ed45c90854a2e7a74f03d19f7700be668ff9786feefd08f6c2972b1ac015e6c6
  SHA512: 0ff911384afcb9f14365cb75ae5c142808a0d1938bc16d291910b71ce6f90f81cc35b60109b603f0356a0d6e7eae4428ab4e4a9cca135e673f75d6cc536b00ac
- Filesize: 513KB
  MD5:    d28f6c24fd786975eab6ed849036b1ae
  SHA1:   5553b5a3fa7eba289444a24f28631a4d8c5aa493
  SHA256: 6e8104752ae37768ec28acd0862c310ee88a091667c600138e88cf8a8f150e7c
  SHA512: 05eea4922364d25524b33ca0f6a5c542988166b15d513225d4a0b5747d9cea6a3b66d54a17cf0d8f68603cdcc23e16cae20613c5a86ffb7948302c0f068fb6ac
- Filesize: 547KB
  MD5:    04f23c2140364f62a9e06e9414bccc4a
  SHA1:   9f9ad5b03d7d7ece82ab19d26dac43bcaae7cd18
  SHA256: 4772e820661a0bade809e86747fbefb9606c009d17199c11f11e9ebed4283557
  SHA512: a1afeb9b8b1957e64746b28345f29349e9537cff2777f3f289f7e7a2cf30d52867489e4ef6aaab7fe4a96eb618e6be9d65d8145a8f68275670705877ca6e39cf