73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5256	b2e.exe
5396	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 5256	4192	batexe.exe	85
PID 4192 wrote to memory of 5256	4192	batexe.exe	85
PID 4192 wrote to memory of 5256	4192	batexe.exe	85
PID 5256 wrote to memory of 456	5256	b2e.exe	86
PID 5256 wrote to memory of 456	5256	b2e.exe	86
PID 5256 wrote to memory of 456	5256	b2e.exe	86
PID 456 wrote to memory of 5396	456	cmd.exe	89
PID 456 wrote to memory of 5396	456	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\3DFE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3DFE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3DFE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4997.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3DFE.tmp\b2e.exe

Filesize
4.8MB

MD5
ab18dd65aaff2802ed45a9209589e4dd

SHA1
b5e4bd2623a902eed5daebdf760e5bb1030841aa

SHA256
52279450c8ac1a8612fdec78f8985b30ac59cf92ba78df47c014d2c9f6df0c06

SHA512
830bc311f131d518d459c09f30cb6e7e1e35dac27459012125327be5ef81531dfc5c376ed59d22e671ed0105a86568f4dba7ea9c98090f1c0319462145c41fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DFE.tmp\b2e.exe

Filesize
1.3MB

MD5
c43460ce96c6935578ae2efa85fbe4a7

SHA1
ab9def1acea7cf473d964eb659439d1aa257c70e

SHA256
adccef5e33eafd254eafa359d60833becb21c0ddc64df63ada46f70624918c02

SHA512
e69e75daa979dd1a043fe7f46ebbc683c783b04d5d766c70ba69ab94a018453a71f993289352bc6b5cd5b7e3bcfe519fa50cc02de911733ff05ed2149d3bebe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DFE.tmp\b2e.exe

Filesize
935KB

MD5
941082bdeddd9953671a68193e3a81f1

SHA1
764c97b48abb0b201dca0eb2827671aad8537058

SHA256
12d763440b4b16361b88583eb3553a71c0ee757fb07652f1f58df28b51bb4682

SHA512
2d1672bb34d1a9601230566efadee63db546279a383a7b507480ca7bc6ca63aaef7ddde5f6cdfe0ddf667a8693dbaf07df9c3f794fdca282017d7665226e1197

Download Submit
C:\Users\Admin\AppData\Local\Temp\4997.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
386KB

MD5
39aeac3c9f87c943a3c0fd6475ce04b3

SHA1
feb67959cd0ff6ee9b8eb7ca2ed1c760101b7b3c

SHA256
401924cce1ba067c90ce7e71fb2ff2786341657b92c328ff9d13d59fff3a3525

SHA512
dc9915a0ffe3014115abd4f603b2fb91e4d321b8f8ecf0a02f7c01e137a45772b9c35ed920d5360770a2e304bf9df6b524293dad6efc7e9c202f980dc8821be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
623KB

MD5
595ed2ffe77a57017b1445dd5f2100b8

SHA1
19d98ab81db9d8c6da6e507136c76786d181cc61

SHA256
e7587f84dbe78c070167498836652e16a004ba31bee942c9737247405330c6a1

SHA512
427fa5b0f91e03991edc0e06909af0e40f31cd20436b2ffcde08ae79b2940aaec08fe754de33e3cdb90adb6fd67279eed89b77914a7fb9ad5a85a94238fc26ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
314KB

MD5
aaf7ac8ea457ead3572ceb0c309bef9d

SHA1
9ccc743b5a2a542dcb2370629cee035dcab537d4

SHA256
d8a8db8b72edde9ef52249483a0e9f3ecd91a4d7adc67cc8e39bee8401fa4b9b

SHA512
c72397ed26b5df4593136332878f54be8647c6a66e8a02e5242cab366c83afe356e587441008f59dfa6d97d4ad693d37908cbeefaac141ecaac3ead5465f525d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
306KB

MD5
22bd7ea9bf46e560dbb0893716177efa

SHA1
bb06a0ea47d198c90c76587da9fcbdfdc3f4c575

SHA256
5bc984aaa2aecc1aedf71eb163a6a2f5f94ec5bde619feb350ccdc036b661676

SHA512
d1e14d4acaed30be34dae534b68f485b1a704728a184f54ad9daf785c4e0e13b0e8838b611a9fc9bdaefcd47725db70e7f6efc973f9eb418eddecced5dfa2d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
563KB

MD5
b61d389186571097f7da966f0f5eb149

SHA1
55932962ccb25dc47d28bb21801964248464dc07

SHA256
aa393aca8b67ac3ce403d19617ad0885198fbc056f43289181c337a6c58e546e

SHA512
4ef7ce27cbc531b48b631d28c1040159d5b711ed8e37b94d85c793bab99bdb8110006fdd2a83b2f8b3722ade6c60e7be0a301df923e95af6f2113bab68e4409d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
64KB

MD5
7fcedb6e973c5df3b6652a2afafa6a13

SHA1
116728803559ab58a8127544df80b75a0dd1c6d2

SHA256
fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825

SHA512
05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
452KB

MD5
528ade8b5a25c110abab1e1949b28dee

SHA1
3f784955b859e7253e792026306238d56500567f

SHA256
141193c7789075e5cf4e3e7209bdd67a7b3ce513bcabcbba208ec08732e55e34

SHA512
60a322d9d026ff87958ebeab983d49adb5bc5e630ee580afef1e56f9e28910dede81bcdc45bda94c011aaee61e530046bba8de814844842327aeb8b069de6441

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
329KB

MD5
9d8e302439c6f14523fcd293b078a360

SHA1
d272ec6a6299618551a2097fbdf91d8a29e437de

SHA256
1f1c882f6d5a7f4972f46f15e5a64a6c782451d22cbca071a75c5b044ff2f2d6

SHA512
76604c5b0cf0255cd6d7905e2e93d11d43078a8099e49a3e6c6721b14c80298b756cf83ac86d5a7b32075358bfc79b77e0a154c4dd2faa24c8fb46f6adc385bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
352KB

MD5
698565a74d801729bb9dfe640ec17f83

SHA1
235ca66631b16b7f02d7d5fe9d90663199dbb128

SHA256
f4be60150caa14ee3af4e7ce1acc330e141c676364aae271f3f6c9d2f7e636d3

SHA512
9400a9557397b280bdbe87dca936478296dc2386f58ee28ef29f19e724fef2229cc846b46a2dedcfd3fa3479bf6cd03515948fc5038d945b043fba2877edc0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
266KB

MD5
4e2add23b4e4140b4422781796b98041

SHA1
3ba868c76eeacf7ce2da56b8a122bd22bbd83e24

SHA256
7c8ba9e77d6024279ee4ef7a40ed1881945900d9cc603091653bae4762d20d8c

SHA512
9d4cb7d595f263f8b80e414ff22f2d64740d25d053d19ba761688d2343ecc07c2d6a7c8905b92b644d5941a61d2f0347043f17cdae7947ef9c047edce73efad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
220KB

MD5
fe3e12c8260d0a657d0eb97028065f28

SHA1
7bf8a3ee2f06aaf66887dbc3ab4938489a660bbb

SHA256
3093b84b3eb61bb48bf1d412aabb2ae240eb7aad2926a6c88fe37dd42f099f23

SHA512
571b020c9d1f6c0788001e9f8fd5ea37ccb06ca10caf8df31efc32b14807a474b8f7a5e5a23e73e517829f11e818a7bdc7b2160d6884679fcd4e282f54108cf9

Download Submit
memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5256-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5256-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5396-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/5396-61-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5396-45-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5396-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5396-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5396-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-81-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5396-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-101-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download