Analysis
Max time kernel: 295s
Max time network: 300s
Platform: windows10-1703_x64
Resource: win10-20240214-ja
Resource tags: arch:x64, arch:x86, image:win10-20240214-ja, locale:ja-jp, os:windows10-1703-x64, system:windows
Submitted: 21/02/2024, 05:25
Behavioral task: behavioral1
Sample: batexe.exe
Resource: win10-20240214-ja

Behavioral task: behavioral2
Sample: batexe.exe
Resource: win10v2004-20231215-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2884  b2e.exe
  2868  cpuminer-sse2.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  2868  cpuminer-sse2.exe
  2868  cpuminer-sse2.exe
  2868  cpuminer-sse2.exe
  2868  cpuminer-sse2.exe
  2868  cpuminer-sse2.exe
- YARA rule match (1 IoC)
  resource                                                                  yara_rule
  behavioral1/memory/4888-6-0x0000000000400000-0x000000000393A000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process            procid_target
  PID 4888 wrote to memory of 2884     4888  batexe.exe         73
  PID 4888 wrote to memory of 2884     4888  batexe.exe         73
  PID 4888 wrote to memory of 2884     4888  batexe.exe         73
  PID 2884 wrote to memory of 4524     2884  b2e.exe            74
  PID 2884 wrote to memory of 4524     2884  b2e.exe            74
  PID 2884 wrote to memory of 4524     2884  b2e.exe            74
  PID 4524 wrote to memory of 2868     4524  cmd.exe            77
  PID 4524 wrote to memory of 2868     4524  cmd.exe            77
Processes
1. C:\Users\Admin\AppData\Local\Temp\batexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
   PID: 4888
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AE12.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
      PID: 2884
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B258.tmp\batchfile.bat" "
         PID: 4524
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
            Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
            PID: 2868
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.8MB
MD5: f51fe7ed64e17eb639e2b77a503596fc
SHA1: 9de36c8a5bd8a21c006aabe8c222294852a802f1
SHA256: 706fdab761081f7c0cbe20066009c226b25636178215be354891409ae09eecc7
SHA512: ffd4c6f3d081da80edc1bdcc52052d9965c854f7f4fe83e655da803a0fc5f9c261219ec8e12b45ba432cec0d740d314e2be5700a592e581b9f057bccfe516fca
-
Filesize: 1.8MB
MD5: fed226671f9daab029aaea0c1bf6c527
SHA1: bacded51e7bf4d82a756351748d561b93e5d56ba
SHA256: e7bed9d6ba6c3e79ef43fb8bf34f6748645e87d47c743fc8ead2ad2003a41304
SHA512: d25d032e623e053e35bf23ba71a5432f3ac3b31eeaf9810352d0561d05e8335837ed0afee8cc0008fb1915646912ca08f134ef9e4aac9170aa63d6a254b57fa2
-
Filesize: 136B
MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0
-
Filesize: 1.2MB
MD5: fedb45c33b855f69f17d7d3236a59ceb
SHA1: 74b11012c1b38f5630764ba3bd1a4c5bab1ea89f
SHA256: 0154b97f14f5568277b6b648d656e0c0390171dd5d91866cc28b7d74bfe81efa
SHA512: e7d986ef6a431b509fe1173a25a3df52ef97f52156be4abce18204fd578233e0d09e7a6e7a2ccb46dd1cf4c73a7cfb1d95f1c126a32dd60a1fdbcb785067b820
-
Filesize: 768KB
MD5: 7511ee8c66d17030a4f24226caa425c7
SHA1: aa5bb6b2306f01ac82133f54ec36ca2491fb1911
SHA256: e9ad1acfa96a3be152713809498617dacb74878ed3ac3ed4e5b1455cf1fa5ac5
SHA512: 4838197b397552aa7c22ca54d27ec420df0629689e111c40068480f5e37879bfbc89c84245ae8b0a6b4a16ee7d75197403153151eccbbe468b252f508e8466ac
-
Filesize: 576KB
MD5: bfba8ef054be5bee0da072ed080beac4
SHA1: 090e6e60a6f0f1e351978e91b99e8dce8e63413f
SHA256: 81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4
SHA512: 85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6
-
Filesize: 640KB
MD5: 1bff0defeeb9f4bc5cf01e916a8d1379
SHA1: bdb668928be0a339e01e3aeeac813fd26b44b950
SHA256: d7f49e1dd346940049b753b856759608013f611624432c7ea57b0872239d35c0
SHA512: edb3e22bb4d6f3376d73ccd538a61292c5a086fc8ef9b8038b663c93d9ec991bdca297e3c6febb9d18fd16f5304e4fa532d603c68739598f4b65af320ffb3878
-
Filesize: 576KB
MD5: 13746f79a51eb8ce3107de99ffc6b56a
SHA1: 64a00c99a805f8775f08cda4e4d06e1150195347
SHA256: 2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205
SHA512: d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7
-
Filesize: 448KB
MD5: 9d1a04f05f75671a5a3ffeb995176c52
SHA1: a45018bb6a5dd52b310c1eb77262354365925a76
SHA256: c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff
SHA512: d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f
-
Filesize: 512KB
MD5: a5993c0dd7587f1716037dcfe1f63091
SHA1: 9a4d23ce36f5fc5791692b47d977c0bf92842879
SHA256: 568cec1e1bdccf401232a78c8ecf2081fdaea221f0a7c777a69ec61307cca3e3
SHA512: c5457590162dc1a0fd6b179ba94f19e6265e2ca226ea1ec553358f568690bbc158335ee92c297ce699b2928d44702733269f82640d86bb499c1981a5903afc12
-
Filesize: 512KB
MD5: 6162b21c54b88c5c990e82aee951ebb4
SHA1: 477384ab8ebe5f5a5d5a91603736d9ef53c12fd4
SHA256: 462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4
SHA512: 6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d
-
Filesize: 12.8MB
MD5: 0705f8f428132532187fa72948f5a803
SHA1: 0a72c0278b0604b16ba9446b50ea149346a6d736
SHA256: 5ff8d87005a5202c5d8ec5ce1841a7a8b75add5dcab3a1a069bc2bfbb8e59e80
SHA512: eb79a2c1ea2d4aa96f87ca3b7cab6c819711b2eb8f52770ff0ceb39b499639832c5bd813aab0047fad660fd6004d6ce779a6c2000a7bc4af913f314353715a27
-
Filesize: 12.2MB
MD5: 860b792c843daf70002c849146d3775f
SHA1: b938ce9644cc076a0967199b490f6bfab4061cd9
SHA256: 422b99eec32e98210b89383df1120c9d2c095d7e1ab8651d60289b1c474adcfb
SHA512: a07d5cd18b87f5180c9ea4c9d9955456af62f7bf333247799cbf5bf62859f9b0e1b8f4e61bd582e4bedac811f97c12a59d0aaf0859e34cdae28a1368e157cbc2
-
Filesize: 384KB
MD5: eec15153c344f43f1919cb379b9ee2f9
SHA1: 3e4a09390ac885ea2797209603bcfa1ec6ff0cc6
SHA256: 4e4d7ecae87e8e656c61af89ef17146baf33fbf09ffbde6ae971d04e8e8f9222
SHA512: 7cdf3552341d14979838f8fedf9ac63482152f193ab8f7e0af281ec50b2a43312d78c0e22e79989818c5041538fa69769350e1e6cf0789a165be1eb11ee29908