Analysis
max time kernel: 296s
max time network: 308s
platform: windows10-1703_x64
resource: win10-20240214-ja
resource tags: arch:x64 arch:x86 image:win10-20240214-ja locale:ja-jp os:windows10-1703-x64 system:windows
submitted: 19/02/2024, 19:55
Behavioral task: behavioral1
Sample: batexe.exe
Resource: win10-20240214-ja

Behavioral task: behavioral2
Sample: batexe.exe
Resource: win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
2164  b2e.exe
4568  cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
pid   Process
4568  cpuminer-sse2.exe
4568  cpuminer-sse2.exe
4568  cpuminer-sse2.exe
4568  cpuminer-sse2.exe
4568  cpuminer-sse2.exe

resource                                                                    yara_rule
behavioral1/memory/2440-6-0x0000000000400000-0x000000000393A000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process            procid_target
PID 2440 wrote to memory of 2164   2440  batexe.exe         73
PID 2440 wrote to memory of 2164   2440  batexe.exe         73
PID 2440 wrote to memory of 2164   2440  batexe.exe         73
PID 2164 wrote to memory of 4436   2164  b2e.exe            74
PID 2164 wrote to memory of 4436   2164  b2e.exe            74
PID 2164 wrote to memory of 4436   2164  b2e.exe            74
PID 4436 wrote to memory of 4568   4436  cmd.exe            77
PID 4436 wrote to memory of 4568   4436  cmd.exe            77
Processes

C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2440

  C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AB72.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2164

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B026.tmp\batchfile.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4436

      C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 4568
Network
MITRE ATT&CK Enterprise v15
Downloads