73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5260	b2e.exe
2644	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2644	cpuminer-sse2.exe
2644	cpuminer-sse2.exe
2644	cpuminer-sse2.exe
2644	cpuminer-sse2.exe
2644	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5712-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5712 wrote to memory of 5260	5712	batexe.exe	83
PID 5712 wrote to memory of 5260	5712	batexe.exe	83
PID 5712 wrote to memory of 5260	5712	batexe.exe	83
PID 5260 wrote to memory of 3580	5260	b2e.exe	84
PID 5260 wrote to memory of 3580	5260	b2e.exe	84
PID 5260 wrote to memory of 3580	5260	b2e.exe	84
PID 3580 wrote to memory of 2644	3580	cmd.exe	87
PID 3580 wrote to memory of 2644	3580	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5712
- C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E4A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
4.0MB

MD5
41ab0780a6608002648113827b5e7c83

SHA1
3719df82ecc967caec5a154ae091e880e8bda818

SHA256
6cb28ccc3e5501ae6a1b6adb1c5238b25340c71172924d5841a945e80e56d99e

SHA512
aed5f7fdab5026377f773ac742cc740543a176528fa133b1fe75c3a2b4e10d14c6b8688ec82e24553da3ddcb5427061508bf3b9415d82fb3d71cc84758c5cf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
2.1MB

MD5
0ece74dc6bc890f701d244ab0a220ca5

SHA1
9d9325ddb2492cb1672a55710e9d86cc9e7f0a3d

SHA256
0bcf741b899594494d8364cf5916411faa28dfa6be5f2bacd2ad4a6353d3eec8

SHA512
63a551368bde845233065a05379b8c448d7dc79f071099c3c315144a82b68f37d9fdacd7f0fb214ecec248f85ef1086621593777dcc61129783b42ef72237ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
1.7MB

MD5
b94f51d3156af7d9c53b43ad76659793

SHA1
2730db25fd2b7971e00abc84b3f940642ad11d67

SHA256
1567ddafc29167646b7dcc21d4d4ccfb7deaca68460e2cb764f6eaa4454b360f

SHA512
2a8a8c816e0004e4ad09784b2b5537f330136c665e091f105c91ecb61987dd8a69d38ee15f03d1aa8ad515283fadb09d4b6247068d4bd6d6b553b601c0b3d3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E4A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
367KB

MD5
2c1a074bdbc475e84cad93ffea79ca67

SHA1
dabef90855c4600a128432a49d31a5ca42cdbcc4

SHA256
f0d3a4703fba11041ffa6ef1267e20b78b3872c59a4b743149621077bf7e0405

SHA512
90b7b3f550045848e6ec95df8318f22ca6e1beb7f1219f4c286d14c5ee1c3b6d02573f8c8970a82120a212226f450ceed75ba9661ac0ae13b3c62ea9650fb192

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
555KB

MD5
f3a1054261a15dae3230fa94f9e57126

SHA1
76e9abde3d4f84e1eb9eb91b3d4cd8a500443981

SHA256
8364db5fa712f0c7392e83e0d2007e2efbd7758c004dca5d1d4243fef20785f0

SHA512
c21af573e796d6a5a20e45da1d808d38ce5ad330515db9d3fa34ecd5684b94b41b6ad0edd877db6a168ce7b456a1b45b75084f19deedf7d3714144464cf3b8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
477KB

MD5
d21c08d2b4cb86d04237de5bbab4e071

SHA1
19a2e08779b743bf84179f557d5fcc07229f948c

SHA256
dba8c142f06420a06b23c5845237f717541ee4a8ebe42e5e1f3447f1c7ade5ce

SHA512
cc7fe506270fcc053f9ad027b63d6e6475f28f7a8702f1f6a03bec6bc4ad2d6737a71af562f3d22998755d699b62efd1c30268e45b088fd71eefd3f61a8184c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
573KB

MD5
43d3dacfe4565511e5db794693e56100

SHA1
f55d662815d4405d1fb2f25c283f8349040f2c5e

SHA256
02ba39407cd0c9aedbfc05d5f9058d90e04206a75e693b70858e16f65de5624a

SHA512
e4967b2e6537bec2792c1c53d8b524be8bf34a339a41f1b85228053a5336c2ba2569b9e6847ecefadb177530a2eb0c33d77133620fd0726312ea945ad7e9e6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
468KB

MD5
57542c70de56f823befa7eb17f139011

SHA1
b59288bde9f10456aa2d87696ce7241ed48f410a

SHA256
4f6d12a77028e5bf2db7bbac29427a4a4ddeec08caafe91daaa7698e47770fe4

SHA512
9d080d40ea9dfa98df7fa53f03ec76b036a6c2996a2e4424529a39859d14b36b4594db38a1297da17a18e16cf48f902bf92a2820c7c0c4a1458eda46752b7c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
260KB

MD5
bca9e215f20166767cb28911857301d5

SHA1
cad93a0ebe504ab7230aa806c83ad1b041d1754d

SHA256
3a81d2c36e969cc7c223f00188147a70c0934ff317b9ea1673813a2f09f81d58

SHA512
e7e2dcb515d9b02930663aceb90c37bea8286565ba074981b9f6cf6663ec10eccfdb0cb1f95092d9c72ea3c6445ac5fa5b3954684e42798df95fb1c3e4b28997

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
458KB

MD5
6fd70223ea0d5a58d65aaa1323680491

SHA1
e0d09df8194f57499a474bd7b9884623ac2d6dd7

SHA256
cb97bdc76cd6d2a3e7d2b1ed18226cbe7251231902dc0c04e4492ef956b33d9a

SHA512
219e4c2add4f6f283b8e4b607b16d8111195de3708d511078bfc17f0bb06a21a72688d45ae94d67e01f80b8ee723690e963453828f795450e73e58ac4c1599dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
494KB

MD5
2d2a1a4a4277f9456e005496553d7f25

SHA1
e730c4277df18d33c3a9d0d63efaa091804fe77f

SHA256
8866f31398e8351a4b15e1ae7f6e4e7b1455d5cf1438f2f4887716194ca3c43a

SHA512
0fbac72f1f239743d971290ee9edf41672414bd33d86bfa9fa09fc2549f94cf6de067aae3223a74fa5c78cb00b018c2e396ce1eaee53660b271a1bf2f7ef34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
359KB

MD5
cf6d804702b7d80eb5299437def7f98d

SHA1
54c73fd420e071288e0b40d4d85e5edcebbcf38d

SHA256
5073b2c984e1f60c1bc8d2f8e71a3e93cdfc2a083990db5d443975d65fe015ae

SHA512
cc93ec166fa9cdd2b1f6564cf6aa421d6500e2d04bcb80e97aee06ba6cabb15ad1ce04c68b1bf1c8476d0ba94d2ad3c1710b6e91a29a8900b0ca1ece612bf7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
440KB

MD5
fd13c010629fe7b99bc0282f97542106

SHA1
7f9eb6074d1fd92eb51d95e477c096a7275aadae

SHA256
3bb3a02ac336a7d86c5a9dc850c6a91956111d533eed9c2c4c1a63633ee78522

SHA512
0bc915ba51d960b2b7534dd5991528acc2102091e559f289ed544899d4737ea7387f49f59f969725c64298ad6ff82ac400dff99a143611d1a3c105c0322f5ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
308KB

MD5
676b217c8ff6c8cf9f46d48abe4c5f27

SHA1
6535bc65908a5324320ef4de162121f39c205842

SHA256
5c6812478e65402c67a5cb031c6f867fb10311efc47daf8fde0215a945b7f593

SHA512
f400fe93d5efe9c5007cdbe599eaec433e57911f166aa91805b7588aa92b00c9c75f7dc9b20b62c8a66829568a13c806cda361466b82309663b20d73597f9795

Download Submit
memory/2644-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-56-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2644-46-0x00000000691A0000-0x0000000069238000-memory.dmp

Filesize
608KB

Download
memory/2644-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2644-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2644-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2644-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2644-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5260-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5260-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5712-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download