73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4740	b2e.exe
4204	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4072-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4740	4072	batexe.exe	85
PID 4072 wrote to memory of 4740	4072	batexe.exe	85
PID 4072 wrote to memory of 4740	4072	batexe.exe	85
PID 4740 wrote to memory of 1140	4740	b2e.exe	86
PID 4740 wrote to memory of 1140	4740	b2e.exe	86
PID 4740 wrote to memory of 1140	4740	b2e.exe	86
PID 1140 wrote to memory of 4204	1140	cmd.exe	89
PID 1140 wrote to memory of 4204	1140	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\7692.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7692.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7692.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80B4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7692.tmp\b2e.exe

Filesize
6.3MB

MD5
7e97c2c223376a3e770cea8d45a9acec

SHA1
6b737c70bfc4ea51ed84c9268bcbcbcb9b58f948

SHA256
2dea7d9cc1b048f66f2325489298e761b79d5ae0e27c7768fea359c01d3e2550

SHA512
fdfc879bedf6f1921e9b613c1099209d6f0b21627e48eabbd9f5465bb4e7b4188b48f760ba1f6ed9217fde891e0ba85dcc7c6ffe0b9114acb1bacf27c669ea8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7692.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7692.tmp\b2e.exe

Filesize
621KB

MD5
d6ae84108d9279ad05dfcd97e2c6ca89

SHA1
84d9c5a2b7fba1a32ab6cdbbc09199a4c6c9bae7

SHA256
dfe37ea5fc937a03f4f992655086cd9670dba64f83cd3d47a907e9b979b30145

SHA512
d39f153adadd145b5292e688e29d404353f96c50a75d6dde15226bf9f20796916da0b342fc24d05e53ea884b14f2e06d14a1b3e862124b6ca3dab541f7431954

Download Submit
C:\Users\Admin\AppData\Local\Temp\80B4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
532KB

MD5
ff2743bfe1cbc84c1d091ffd4c89e282

SHA1
e7ebeb341fbbe2a198b77bdbac70f550e01e0a14

SHA256
095596725768fb49b88cdfb3f4ec429ad992050edb85230251ccc8eeda2a3b16

SHA512
dc805992ff6b9befa33b9edf02e09a422417fca5900e1709409640886c3ebbedc8ddd1f5f11f81aa3438a75201ca0ce2e9d78fe9691e4e81188a4166c74c40e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
386KB

MD5
f78501151bb4226191913d0707f88886

SHA1
5d1b3bf4bef8b505a5c9e5e9a22fe6d3e11e78a3

SHA256
c64b279608e19dce499ef0901add8260cdb59f579888d8a456c86b8bfaeac04d

SHA512
86b3f5a5a07c3fa36e1965dd8faf43d0f043174991bee1814d42c999c242eaf729e44b235460ad6dfe36be309017c699baebb4e4f6b3993d4386fda9dce8e070

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
384KB

MD5
d1d1f36cdbccda3b96e8c164afb74526

SHA1
91bafcd404c8568c9a195ec8cbf9592ea9e17e8b

SHA256
ea6e726150aa9a8dcf9ccb6a991440b451f9f2dcc46d93cb35971556879d1d03

SHA512
2306e6578ba2217b4f32913e1ac35e0547723b873c11244e96affd05457945373c621ea16a82e1e3aa1a177e3059efc40c8585118c63a3ea145524c51d1d18c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
441KB

MD5
0b66a4c3896a8def1fcb3c8841ec6002

SHA1
559f34132b88812c8f5280bc1aec1a3426c8b3ed

SHA256
b620662d8400ce5900d39b91dcb332ac0aa93d9242917ff06f40dc4d7366c4a8

SHA512
38f3f54770353e2d859a93cb295503a77b85a181cb4e15b24742fde3b8ffd2459c300451cc4296303e96fb07566dca43effba614fb5e935fb95d3e095d848a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
256KB

MD5
f8edb8dd2fb15f1887ace09587589dd4

SHA1
cbf7cbfefc0215d9500a98d9064deb9e86787152

SHA256
0465270288d69a0ec9beb7114707bed76756c14148293237d0d35423abdfc67b

SHA512
aa993112953225280c0bedb1ebd8288298b9c22a6a884a952ba60e48cbd21c4ce60724b7adc961a0528d7c569596e3420fec2670fc47c3eb6c00c691e0378abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
361KB

MD5
57e1f50ee9050464cb576dfa8fab6695

SHA1
9cf08f58e65042a3f81511e814421dbf578fc805

SHA256
44795c3f80a277baeafaa9bbd07276ecaabdd2dbea2848bae2595336a3fb0fc6

SHA512
2dfbe5125a1fe4bd63d72e192216740558b19de57ab5c82554b217b0515164c729bee6784893d47c229897c778f03d7f6461a25fb332985733d89549a42f5e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
313KB

MD5
c5269e9051cdd66cb0aa479fe4267547

SHA1
803a56819efd712d99149c3da8ed0d111b29c99f

SHA256
b3510c83e49d6f2dc44080549a9a5e8078dd121d4aa19986ff69516741ed707a

SHA512
717e61ddce0ad5e4630a389d4cf71c6f397cc13a1afe6ab94875d23585068eace105ed7b7fe92f7d016dcd9df20847703d467404c3095ec44ed2c3a13f8bb18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
349KB

MD5
a984b9c59c79f8b240c2427102ea9084

SHA1
c29ba4dbfeb2d8ffca281513c35cd9fba4aa9147

SHA256
7ff6fbdbe128390f810a0cfa3a905382a1dfddd2890d5ca8be8bcfdd42c12981

SHA512
a5ae23d8242ba7503e1154455e62712032fbe4a46d21002bc2a96c9ce0f0986fbcb21c4e9cfa04f44e11931e157c432dea9048da9ffed7fc98453e271dd08bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
496KB

MD5
a6633fc26e399c7fb9f0fee61789bba5

SHA1
1b838e8232e496008ec67f47c21a437a559779f3

SHA256
15d6aac3ef89518ea4f3b8fb1c3624af2bf482e22918d94c8fb499257f5b91b7

SHA512
09094bee1686830d47fd4da5590ed65dfc77c667b643214d249cedadd2757ac0453bb9a67cdcbf41c87e0b0d4cf575f8e7ac666d68d32eca32e0b01408a050da

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
326KB

MD5
a1c1101f30e699aee859b3f3e5437da7

SHA1
f553fa0cf91aac9f51d23a4d982ee53ac1a572bf

SHA256
b2bc3f1089cf8af5dc1cb1f1b8ed8c5dc3ebaaef3e64cfe855f6d5e5d123c1b4

SHA512
f087eaa4884c961f1da1ee7f46fa5bfe05d0b6caea09062e412eb20eff807cb9f48f9e503d845c67c4a4f190fabdd9a58590fff627ff7468403994b9dfdc9912

Download Submit
memory/4072-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4204-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/4204-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4204-45-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/4204-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4204-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4740-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4740-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download