Analysis
- max time kernel: 301s
- max time network: 306s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 19/02/2024, 18:52
Behavioral task: behavioral1
- Sample: batexe.exe
- Resource: win10-20240214-ja
Behavioral task: behavioral2
- Sample: batexe.exe
- Resource: win10v2004-20231215-ja
General
- Target: batexe.exe
- Size: 9.4MB
- MD5: cdc9eacffc6d2bf43153815043064427
- SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
- SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
- SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
- SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: batexe.exe)
- Executes dropped EXE (2 IoCs)
  - PID 3240: b2e.exe
  - PID 4012: cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  - PID 4012: cpuminer-sse2.exe (5 entries)
- yara_rule: upx
  - resource: behavioral2/memory/1168-3-0x0000000000400000-0x000000000393A000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1168 wrote to memory of 3240 (process: 1168 batexe.exe, procid_target: 85) (3 entries)
  - PID 3240 wrote to memory of 3260 (process: 3240 b2e.exe, procid_target: 86) (3 entries)
  - PID 3260 wrote to memory of 4012 (process: 3260 cmd.exe, procid_target: 89) (2 entries)
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 1168
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7BC3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 3240
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98A1.tmp\batchfile.bat" "
      PID: 3260
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 4012
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads