Analysis
Max time kernel: 295s
Max time network: 292s
Platform: windows10-2004_x64
Resource: win10v2004-20240221-ja
Resource tags: arch:x64, arch:x86, image:win10v2004-20240221-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
Submitted: 24-02-2024 02:18
Behavioral task: behavioral1
  Sample: batexe.exe
  Resource: win10-20240221-ja
Behavioral task: behavioral2
  Sample: batexe.exe
  Resource: win10v2004-20240221-ja
General
Target: batexe.exe
Size: 9.4MB
MD5: cdc9eacffc6d2bf43153815043064427
SHA1: d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256: 73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512: fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP: 196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation  batexe.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation  b2e.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1176  b2e.exe
  4004  cpuminer-sse2.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  4004  cpuminer-sse2.exe
  4004  cpuminer-sse2.exe
  4004  cpuminer-sse2.exe
  4004  cpuminer-sse2.exe
  4004  cpuminer-sse2.exe

  resource                                                                     yara_rule
  behavioral2/memory/3276-8-0x0000000000400000-0x000000000393A000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process            procid_target
  PID 3276 wrote to memory of 1176  3276  batexe.exe         89
  PID 3276 wrote to memory of 1176  3276  batexe.exe         89
  PID 3276 wrote to memory of 1176  3276  batexe.exe         89
  PID 1176 wrote to memory of 1452  1176  b2e.exe            90
  PID 1176 wrote to memory of 1452  1176  b2e.exe            90
  PID 1176 wrote to memory of 1452  1176  b2e.exe            90
  PID 1452 wrote to memory of 4004  1452  cmd.exe            93
  PID 1452 wrote to memory of 4004  1452  cmd.exe            93
Processes

C:\Users\Admin\AppData\Local\Temp\batexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  PID: 3276
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
    PID: 1176
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6021.tmp\batchfile.bat" "
      PID: 1452
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
        Command line: cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
        PID: 4004
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 347KB
MD5: 2480a1d3f5050fd06d102b70e666d2fb
SHA1: ee969a56a00b921b1c35adb262f2cf9884f444cb
SHA256: 46c2e0d6ff61de3b9c1abdd32d573bedda5a30860af061ccec4ade5f54383b4e
SHA512: 19210b37d639060d8ff2b27739ce9ebad550a68f11559c16a9dd0cfa2a84b9d2b1b7ba7dd2eaf9b77e95db945f738e700820b5c1c166f3d8845360f142ea3a51

Filesize: 1.0MB
MD5: 134af9b6116205e55552989fe423d1fa
SHA1: 3db4270bb53fbaab6a116206951028278417723b
SHA256: cc35c8f635a2f40434a4f188d80bff65e6a1ed85d58cb96422581531c77d7d70
SHA512: c13bf6ebeb0814ed95a2dbd2c760aa1ce03117406d895f8aa80b3ea84afa5cc1579d35f539849371c3d8f47ec76c820a2d75a8b7856e8c9be4129a693f8eac3f

Filesize: 118KB
MD5: 999d53e299aa6fd7c76158b66f9da6f4
SHA1: aae301e833de99b7d78d81a4e91fe9a58a678b1c
SHA256: 6b653ab840562dfa3b39af129780bc518e84614e4dbf4336cfa77c1817e32ef5
SHA512: 177441b5b49d9a1136f59c60b1d01b92cdbacad4bf1fd9b80eef19b18c84b812de6c3879aacf3faf881f34a5aa128d092356abc401f2bd8a709d399cb0d3b267

Filesize: 136B
MD5: 8ea7ac72a10251ecfb42ef4a88bd330a
SHA1: c30f6af73a42c0cc89bd20fe95f9159d6f0756c5
SHA256: 65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9
SHA512: a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Filesize: 421KB
MD5: 91054993dc9b259e7b2328d353754f4d
SHA1: 66f13c6425abc80166239ce5479e757bc9c85957
SHA256: 38cb00c3ee647d65a20b44b5455bf65af55bc8f4aacd33d0afb4befdfb02b641
SHA512: 0fd9bd0256debd979a8420ca406869cec5de35dba6b0f94eef84299cd963dfbdd7376157f66f571cae9eda26ef1768431a219c38bbae72ec8f17aafcf5eab81a

Filesize: 544KB
MD5: 6b37f24c818129af9cab0fd684882fef
SHA1: 4854e7ad793f06bbf23637e15eabad5ff8d55103
SHA256: 429eed0274f0510a777447ef6e908b9c5b2466bbf1d8e816bd91be00150a0d4e
SHA512: 3ba8a3958befed7f2363534eb1f7aeaa96518a2880250107158572318a7f17eb71d8c17cd32e08b11cc877de079cc8ba992a303651e996eb09ad739bed176800

Filesize: 288KB
MD5: 440f62687a94cf31267ceabaff6c67ba
SHA1: b54e1a6fcba9c94fbc8e6615d8409e5037982568
SHA256: 1b252d070c1a1796ff3d3c41519307f2ae1e70c5807ad77baced0856167a7e1c
SHA512: a81ca0dcaaf2c6a4cae583c18c64ece88cbc97d310b4d78176f4da13328e57bc2b4e5a98db785248003bdcdddd012cfca6d0f99fd328db55d86ad054285c4c77

Filesize: 367KB
MD5: 55d316990758667548222bdd324f7ea9
SHA1: e37e53b34c885508667c7624747a12b44c2d5b2b
SHA256: 8fc652507e52db4ab7f93ac92d193754d8ae6cea46581335d82c0ae6591e69d8
SHA512: 3b37a15db2da3556d4d1972dc86b4245e50ff6fc2f33d55d843be4d9c8d36427b2010c06c5935029ea3443165c1275034d1ccb00338e36d7dcb087fce38abfb2

Filesize: 479KB
MD5: fae45462baf0cc220373f7cf246af02e
SHA1: 409f9335dc088a5807d29def8e45ffa90ad0ca2a
SHA256: 87241181582f29690f66e3837963dcf0cf9afb5e34de1b6418b7d024f1f3c648
SHA512: 1455e79ffa1d7cc8fa7d6fbea425034a173c08903c167d80b45fe8047dda2ed7aa4caf62ef6a969cc0c3b30a8992e77777d9aba2b068a1322fc4405eba3d7bf2

Filesize: 395KB
MD5: 603f97fc74fe2812ca971323e62a6c2b
SHA1: 549d707f65d95846363da0d29db5a3b3bcdd2829
SHA256: 49a0f240e3d8dd70aabe8e92ebd75dcdfdc7940200a41feb144d2ffa02badcc3
SHA512: 336e2bef0f0d7384d9d7f84ba9e040b8015fa75a411669db92ad68d2b7e3361cda9d64ebfeca466eabce1d433170685d88dcc8a06275cd8c6cd077ed4a5593a4

Filesize: 328KB
MD5: 45cdafbbc3f85d25ec55540b27cd4e44
SHA1: 6f3be5dea2fe9a8f826d13fbefbdc54df1a02aa2
SHA256: b3cf1aedc84a4caa58c1321011e87da05ce507b26a83979ad29128cbff64baf5
SHA512: 68afb0706a697766cd7534dc6f6cbe8702d7bef381a7533508bc7a22a56c05fe65bae9a5ec048c29a1d65443eeb6b3c6fad2c4eedd9f979d9f11a4097958a14c

Filesize: 418KB
MD5: 0227fd663a48dec3a14f17690dda16c1
SHA1: f88eb7b2ff4fe16021df42d9084b1faff1a466ef
SHA256: 4a5689cb679dc4257077f28ac0aa3958f3b4ad4dbb8852e380cab1c852a015c0
SHA512: 90bd30fe4c65d5bb9ba5f8000fd2e709e8f519d79d4367836c9eb5fcdbcc967b32119b99441eddb4ca07c08dcd61783628aac5d1062cd8f7f29451b27beb91c2

Filesize: 560KB
MD5: 8704095c1423e6ff78e61729cb900976
SHA1: 958a8f2e87092cbedbbd84b60afa018d6f12219a
SHA256: 715ea28f565842e7617671056fbdb3798a6ed644b122b1640b44bd81eb5d356c
SHA512: 7c43a901e405c0a7428b46c6d8ce40855a57443dc50b4c63ea8ced65a2acd47e4b7df645f7dda7eda73885990952a0171cc80c8d81a75f5910954319bb4ced05

Filesize: 592KB
MD5: ebcc75753eb1f331bb560c524be9d9e8
SHA1: c0989dd2c0a2d46c640c5ce84399cfbb68e06caa
SHA256: 50a4142dd6b5857ef283c8392d54d6ea430799512bb5f1fa1897ec13d0062360
SHA512: dc26b5f877730fa1aa08037067261f158596bcf77e34ef7317abd2907626c4dcc31acf060b34649ca40792c5e136b17ae7fd6fa194c150580b3a150d9b35506b

Filesize: 319KB
MD5: 8a7bcfac65b363ce5c9d3bc763f048c1
SHA1: af67cb11ea7ec1964e4b821ca5b34ae1e44e7c49
SHA256: c33a40fc69fcbc79da83402beff0da1922e37d09a90662e83d960ec3f803f6a9
SHA512: 7f96203474c2c27aa9974301d8d03161cfc1a8cded6287ace1a074e8b74903f452347156719e602f9cab8542dacc1d903f3109e832495c65f80f5512821172e4