Analysis
max time kernel: 296s
max time network: 317s
platform: windows10-2004_x64
resource: win10v2004-20231215-ja
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
submitted: 19/02/2024, 18:23
Behavioral task
behavioral1
Sample
batexe.exe
Resource
win10-20240214-ja
Behavioral task
behavioral2
Sample
batexe.exe
Resource
win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation  batexe.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation  b2e.exe
Executes dropped EXE 2 IoCs
pid   Process
756   b2e.exe
3228  cpuminer-sse2.exe
Loads dropped DLL 5 IoCs
pid   Process
3228  cpuminer-sse2.exe
3228  cpuminer-sse2.exe
3228  cpuminer-sse2.exe
3228  cpuminer-sse2.exe
3228  cpuminer-sse2.exe

resource                                                              yara_rule
behavioral2/memory/3768-9-0x0000000000400000-0x000000000393A000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description                          pid   Process     procid_target
PID 3768 wrote to memory of 756      3768  batexe.exe  72
PID 3768 wrote to memory of 756      3768  batexe.exe  72
PID 3768 wrote to memory of 756      3768  batexe.exe  72
PID 756 wrote to memory of 456       756   b2e.exe     86
PID 756 wrote to memory of 456       756   b2e.exe     86
PID 756 wrote to memory of 456       756   b2e.exe     86
PID 456 wrote to memory of 3228      456   cmd.exe     88
PID 456 wrote to memory of 3228      456   cmd.exe     88
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 3768

  2. C:\Users\Admin\AppData\Local\Temp\7280.tmp\b2e.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\7280.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7280.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
     - Checks computer location settings
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 756

    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76C6.tmp\batchfile.bat" "
       - Suspicious use of WriteProcessMemory
       PID: 456

      4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
         Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
         - Executes dropped EXE
         - Loads dropped DLL
         PID: 3228
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 237KB
MD5: a4459532ada4d86269dcdc7028bfca9f
SHA1: d471e83dee11e12607b954f18a208b5163673cf7
SHA256: 33f28abb1a5508541290685e02d195a116dffe1caf6264bb3cb9a2098cfaf7b1
SHA512: f32fdb18763d4e922896ad023a9a017a130b51161dbe57b2116834feee2a2ed0800b348d55465d5b8bf031ee383c8f35eaf5824b7fe04b0f736a3448d3216b34

Filesize: 135KB
MD5: 8353f768c3168b6b306698015d9872f0
SHA1: 05d7abbb088b865da54be74d99416a01bded0cbf
SHA256: d6fa349e5b29998d7031e88e9e3ccfdae4d95bbd35f7e389c62334fbe81b95d7
SHA512: 48e7e5f5f9cf4ddea377b123166c20342fb4c4c86c163eae200661eb4de9c4df899e285f27522344999a8f8961d1adcb46e0e82ce2fbc0f68610cc513937d7e1

Filesize: 97KB
MD5: e24f72f9089f3dcc0b7fee42c94cca88
SHA1: 3aa2eee6cd7ba4c466769c09e49e2e1908a9f88f
SHA256: ca78d8c6e64930446085cb752cb9e205630f7855f81e4cdd6da3670071e60bfd
SHA512: 6a4f826dacc815a3720baafb476f2569492f925fee9b7fc852ee6e88dc6728aa52fddbf7458751064b3f320ced043a112a124c98f1c3cd27c2595c03f1563221

Filesize: 136B
MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Filesize: 124KB
MD5: f0065c6ca504d90d84ad04db97b0e3f7
SHA1: 6809f5d6633cd9c5c34b02023302f02356432a46
SHA256: e0ea209aa1183a57a440907898906541d500247e4b4a313a01c5a7a259394cac
SHA512: 6e8f508b77ed98d10c93f90cd1a3ae64ac34dc331aa22f76a648395f73f534c628d94ab67243d9021bf0e85a3056d4c64cf7170dc8ebb80654b83c2fcf9c2e62

Filesize: 617KB
MD5: dd73bdd600e91643db5546aa64720765
SHA1: c5694d6d0c01fbd35263d17427e5d561335688f9
SHA256: d0989dd8f8275b68d3a5edd21ea971112f5855778ae0e389d6e07754c4fb1bbe
SHA512: f418cf186b9fe56bbf038cf5a633e82a6dd02ad059cdb77bb978ba4ba47879f67be42bc3d5a40fbe0afe14bd6de66282ff03a5fb0d5475960b1157c766932c41

Filesize: 476KB
MD5: 335c3fb1d1284c77d72f73ea1e5c553e
SHA1: 0fc5a381444c7b4f49f9cf4bb683a31adb027d86
SHA256: fe907a414031ca366f325d9f0b63ed7bad24b88af37db30485186cb8aad367d6
SHA512: 33224f64538dac259893b806e78ee8068d162dcf1b78c0c3fd5610e5952bff60d60eb3f06729dde810025303b729dea5300bfc042194ed052598145d077f6200

Filesize: 254KB
MD5: 73bff4c5a1a57b38fe8fb261fad3b738
SHA1: e4e9905bab66a6d2282c1dfecf386d8701a07a9e
SHA256: c0eebbade279c04e594dd6bc40e8e519550cff2a8ab80f0c71b7adedff8a85d3
SHA512: e35de1f7ce1ce707cfafd5ea6f91d9d634c7401c3860b5fd76e80c407c69f23d8bae67efff37644c58a1ef8590b33e904ca32591753ebc123f7e34ba9f57ad24

Filesize: 289KB
MD5: 20b75b8c91733d27ddb24ee3d5388dfd
SHA1: 002f9011a976de6c1146bfd5993f27cf659445b3
SHA256: 8b4511a922538b725de1dfa04da9e0f55a5fe40e98b019f127fe2c89399c3a5e
SHA512: ee9e07e98a396956e48ae860b2e748764943e8ee31a2873cb26fa743bda7ebc15ec48c7751e3ec70ea12a70be349c5de7d7dc6edf1bcfd3deec6daa1698167eb

Filesize: 383KB
MD5: ac8d8e204f2068104b6f4405a48c55a3
SHA1: f3bc407fe4e02dab4724bdfb01ee8ab939b4808e
SHA256: 26a482d31ce800cb9246195222588ed5ff306ec02404d9994b96ddebf6eed006
SHA512: 3496845be6ddf293a45213a08b48c792ee5021de628c17a19f07f3b1191f679090d6e089dd817ace001652401d18534cd9077f2e6f8038bf910003c550ca03a0

Filesize: 290KB
MD5: 2c214d8a910581f70ef366e0aa8fc39c
SHA1: af7608eaa05523ab560d7bd8646333e910580590
SHA256: 94e897c14c38d21def63b19c3ddbe882410a8e751be10bdb8d5a85c433331841
SHA512: 2cf078119b32690d88f3421b8ec24181a73c63d1a200737d78411763d0e35883d96934e43d06d0f4111415cbacb7846764e4c65fd948c2110d64eeb54110d180

Filesize: 128KB
MD5: 9746d1ac79c8b499d8b2224394581fa7
SHA1: 36b1985eabfd8131ad9f2b7f69c903a3fce67629
SHA256: 77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182
SHA512: 61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Filesize: 315KB
MD5: e83fe1bc2176996436534de52d3682be
SHA1: 3ad9be5db735df44796abb22f6540904b79ac239
SHA256: 9b418d9616399f764a908e9486c89a9e9bccb9d97d0b3cd6161558985f6f6e6b
SHA512: b0b7ffc0cbe31f5883825f94f7018238c1e024de77347f15f8ac3da985b2ea95ecf7897edb4696a6eac095bb4f8e84a465b251cf0bf2e8d1022194e155ead432

Filesize: 346KB
MD5: d29c40b22bb1408dd0ac4f79e517ad47
SHA1: bd894ec8057b4ccb8b7f447ef65e5cf328925606
SHA256: 701f30637a652e14512be3831c38f9f089c816bac4d4ad66e60442b810dcec34
SHA512: 129841b96699ff87a230d785562fbd9413f50dcdff1c51e7c3271332e96248c83a3cb1ea1062575c21165f235b6e3e055522bfa466a209cddcd87dfbb581ca19

Filesize: 288KB
MD5: 7685f787ca00a2f0b429ef17d47d4ade
SHA1: 80e07e0c5cc084b43c420ee021f6906911092c5a
SHA256: 134db8967708c561eef1e045029d8e63029e795c342700288aec4c256aaa6f59
SHA512: bf378a06abaff26f4847926fd051ea9ece7f44efff39339bab71879e68338def64ed4d77746c9750cbe7e26a5a09586dcdda94f1b5eea2dc63d57aa33b6e64c1