73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	b2e.exe
2536	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2536	cpuminer-sse2.exe
2536	cpuminer-sse2.exe
2536	cpuminer-sse2.exe
2536	cpuminer-sse2.exe
2536	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2320-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 5036	2320	batexe.exe	85
PID 2320 wrote to memory of 5036	2320	batexe.exe	85
PID 2320 wrote to memory of 5036	2320	batexe.exe	85
PID 5036 wrote to memory of 2324	5036	b2e.exe	86
PID 5036 wrote to memory of 2324	5036	b2e.exe	86
PID 5036 wrote to memory of 2324	5036	b2e.exe	86
PID 2324 wrote to memory of 2536	2324	cmd.exe	89
PID 2324 wrote to memory of 2536	2324	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\55FF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\55FF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\55FF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\589F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55FF.tmp\b2e.exe

Filesize
4.7MB

MD5
29fe8b88a2def1ffab518190173e6212

SHA1
f0d9cf58e9c17d9ce24ea803536e4690fd4b59e0

SHA256
bba20db76346588038317939f64f6724297858be6a068130223547804563f305

SHA512
52fa74057fd96ceb3eb3737af27e5062c0a622539e3ac7769a26b30cc7c3d4b17545dbc04601fbfd255f50297b793b570bbf8f87115fe28cf53e3d36e28baf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\55FF.tmp\b2e.exe

Filesize
1.8MB

MD5
c8bd6e3b4886404300454cf174c1fefd

SHA1
13b7e160d36b8d6605639c5e813e05ce928e4f58

SHA256
28ec3385353067881d028daa382c96512df8e5b6ca97cff10a6b2a2a341c1bd9

SHA512
cc273bde6e01739819a646611f59c9c79d97dfc11d17c5caf27cf3b35c1aaea20fee11782eff58e62ea153851e07937a4241b3999d79d08e8f1f8be86bdbefcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\55FF.tmp\b2e.exe

Filesize
1.5MB

MD5
7e2caa4f567beba47c8ee493ddc872fd

SHA1
500652d290f8cadc3599bb8d11445d7c9642db94

SHA256
4f86388ebe63c5f1827705b2e6f486eb09c8f5046d2831c8adf5dbf3fd5dbe04

SHA512
7c2c2dcc0aae1eca6f723ee150b8ddf8e0d41cc7a5124dcbfbe936c9f4f9969b0ab7de50e010a6b2c752343140825dc9d474a8fc76eeb8cf2bfeae9fc39aface

Download Submit
C:\Users\Admin\AppData\Local\Temp\589F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
404KB

MD5
4d40b3ba1e06a820a6ac02c4b287422c

SHA1
3dac6ad3fa7c6631c8638b771b65fa16322fe676

SHA256
1ec43eac7492ab3e5a3604c31cadd15e6edddeb5a872b971727dc0546d857e48

SHA512
f759f4888295d310f666a52f70d5a3a8565bd194c08e58a07b85b5762523ca19e5f5503523e1eb2c7ef14101ac5c5f2dfa8e0182aef15e4cbf38bddc2b20c27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
333KB

MD5
3684ba279e5655996e0774d59ba0b800

SHA1
4af8be836e654c0079082b61ef345b55ec3b2076

SHA256
c25575a7847e68df24d1b907691d33a3b85097e9845c56bc41e4493491f29398

SHA512
af3391aeb2f8d9644a99d2b7bf05f9402f0babf9b8d17614ef7e731a6e89177460e73cc49532dcb260cf0094af9d2917b60cee40750d1f8aab26ab57524c230d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
323KB

MD5
b6243cb58985c09c94ccaeaf461114aa

SHA1
58562f599d1927c8a4f804d100142aa8186afdf9

SHA256
f9ca2599dee8ce594eb58580cbf75fe5c6f6c4ccd44bbf8df752bb959c9b6e42

SHA512
da566b5492f3b7b7bb1a45a4292b334891c7babe1ab4df744901aafdfbe352349a83eb211c96f7040cb00194626fc8ab6875be54714c4150ff08a0d335c58379

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
256KB

MD5
11e8812bfa1d698cdeb73a16c1d7c963

SHA1
e8708fd452ab5946b380d0c353ac26acf289e548

SHA256
e0f9ddf8afd30511763f0cf792369e32c955f15d9529c00c5fe9298a80d74402

SHA512
fd54c9c6f3520b2ced6b42235ebfce6d8b622c53f1fbf810baace657a7d44430968b5ff90cd1d860dbdf7550dd8cd467636c862ff0dd0832f25145efccc7731e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
350KB

MD5
e144c91ff38eb3e1801a35c5fcc2e203

SHA1
f9bffe8c4aad6fe5379ce81d322cb47d48dfb15c

SHA256
d2a795f20ce042e0a0daffcc478ad5a33661d13de316dfdf0d55a5df257f5cd5

SHA512
a584313a3b049f30c92e30fc5ac230b744a71346c2d1e23f640e7b446e1dd45fb0c143e18d02d39ab85760246a458a12ada362ba39e9a44eadaa52428cf61622

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
244KB

MD5
5a29589dc1d8f69338996c3492a12ccd

SHA1
6c626e6d0323dbb021a788be91ba09da4057c221

SHA256
c8f3a6ba3092ef9bb84a603bcf868463818a670692bdf00fb8db16bf0a1425e9

SHA512
d92921cb57c929b28d9a15a5c9ea28a0b402d2eb2f54aa9e2c64a0acc6a5e239850673c05254f0591a0a9858380d1ebc98244c1989dcf9d8d194793f3422612e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
407KB

MD5
6ba9814899dc893ad1d12e03452b5acf

SHA1
637c39925bad228b0a8f4ac0bd89a3498cb9bd3f

SHA256
60bdbabacbc81ab2870a9b7a3780a3ab9fa95dc04fc8d55595e5b2b9294e8893

SHA512
76282a5e93955d9f506a05086dc1f617e1b179dd8f53aa0292d4fcd1e9349ddab7f8d177b8a4fa542c175ba0e3c06e1ef8be33215589cf28ce4b5256d621f545

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
268KB

MD5
d285b1fc0c41af5bfba630f5c7c1f320

SHA1
d089ac64fce36a700ea5468aef5e68c4a0184dc6

SHA256
87544849b4121a82c14389704c540d09c4cea23966993f55d66a66b6421411ee

SHA512
bfb0ecd30a635ec7fb168dc50eeccaa3d9894dd8ed65eb9ba328e4a50fd268f4f161616ca4f9b97d1ef19cf8800d32813e1e1249c94eb66ab3050fc91df7ac70

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
264KB

MD5
af59db45027627aebab5bacc16b8fe6e

SHA1
9949594bd920c871c03c9a2aaba5e2ad9143c980

SHA256
2ff23b21dbfbcf50f553a33cbe76eeda25e7cc178e033c0e1f454c18cb69c990

SHA512
2ec2f620cc9a934d64bf61882b5d8c42146dcd5bcffdc77a99a5d785f43d4ff34dcf5aed265e7b94cb237d299464cc178f1787d29c5411bf9a73ea370a6fc92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
312KB

MD5
f30aef4bba7bd997394a79515097ec80

SHA1
7c86f07c18bec7db83f485b5cebd58710aded502

SHA256
d9ef2a8d26969ce757d6e4746db2b308a03d107becf789cea860c7758eb91f33

SHA512
bfeb59e470ec456e1f407cc2b72a6702cdf51361490ef421c3c72db55ce4795f39e782be8d5eed2b4b8d5078c9bb2bd5af73bbec4fecea0c0ce6fbff6b83d460

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
517KB

MD5
f03c84d5b1ed96fec864bffd827bab4c

SHA1
e51c4818beb80dfcc1661890631b89d31202c3e7

SHA256
42914eaf696342d1e262ca0f7a74c204bffd79f3fe93e89f25be88ab60bf53fd

SHA512
76f49c0c2a94708f56c3cd20d6d21698d326664bc3b2c16fb43ac13f9604baa852f793837f8aee0ad4f81d8f729b2a962c4048ab9957bff6b6261c1369ed8ae4

Download Submit
memory/2320-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2536-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-45-0x0000000072210000-0x00000000722A8000-memory.dmp

Filesize
608KB

Download
memory/2536-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/2536-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2536-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2536-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2536-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5036-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download