73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	b2e.exe
3768	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe
3768	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3316-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3028	3316	batexe.exe	85
PID 3316 wrote to memory of 3028	3316	batexe.exe	85
PID 3316 wrote to memory of 3028	3316	batexe.exe	85
PID 3028 wrote to memory of 1940	3028	b2e.exe	86
PID 3028 wrote to memory of 1940	3028	b2e.exe	86
PID 3028 wrote to memory of 1940	3028	b2e.exe	86
PID 1940 wrote to memory of 3768	1940	cmd.exe	89
PID 1940 wrote to memory of 3768	1940	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\845E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\845E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\845E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\966F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\845E.tmp\b2e.exe

Filesize
5.1MB

MD5
e090922ebe297ca1316bacc23ce0a052

SHA1
8544f7c9c63ed92139579ccc9e8fe7ac35315ec8

SHA256
83b01fa6dd555f2180fa6136a273c1ab44f03d307534294d8d5d995b220414b6

SHA512
aa3ab73b8f0367279e1075e005ff042c475f2637c9eb8911014cc907c902c4d41ffc30c6e56b468cdd6f529e626d1be06a5c517115b7bd4ef3460b4b621b87ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\845E.tmp\b2e.exe

Filesize
2.8MB

MD5
d86b0ad2cbe43d7762735aff1c5825a2

SHA1
0270dbb06055147f36027521ad0aff1e7c0ab60f

SHA256
6f251bd43352dfbd58feff5a1ce34e7d67270462b57b06115fa8ef17b8e17c19

SHA512
b14df8fefa4805e676cc663582e8dde28852381a2249ceffe1468d0a373127b558b20568e3f6a649096d40582f78d30229f30a7f5f23eea287494c4865a193f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\845E.tmp\b2e.exe

Filesize
4.0MB

MD5
46cb2fd2f34fc5fb4b6fa0cd9bdcbcbb

SHA1
df8f22ab310e335c25a93c527f65512184123399

SHA256
40191e0ebaacff18c54fb551395ea345a24d323bd23931ea464eebf542787519

SHA512
09bab8a4de57d7b8fc3d5f7a4cacdb748584f3ffbefbd48379c64e70fbffba1e19b978f9c1f77556283df3fcb845b9555ea27c2c7a1b3b913667f2d6e7991f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\966F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
304KB

MD5
7878606a892803655535e8c312afddd1

SHA1
064ea4665ab5bc51298ba3eecf580e58c2e25c2f

SHA256
bb328b2aaf7a6ae8f10c25a48b36e210c0aa1131f9daefb99fac151b01d440ba

SHA512
2bff1cfa4daa503323e78ed0473ea9836bd183485d82f2b1ede57a74093db49a2082f348a589b37ef5fd1c944da08de0eec889b2e4b32f741014c4f315e459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
238KB

MD5
f3b4c8fe3733a4d8d798b4db235cd26d

SHA1
0964ca8674f5c1e0b3e33eebce6ba5b724dc4e2e

SHA256
86af767c3659c59a1261f37c255c674ddeef183f5d6543d4f02ceef0e2182b71

SHA512
f1f6a2c0e1394ac2e564f140811b9bfdeb56622b81933ecf45e7391fe38e7d26b388b1cdd4f8d001ff3d29a3995ecc087f5f45a98339595d14b513c246401dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
704KB

MD5
1441b49cf75f96e35f769cbda0a79573

SHA1
814025a940b9e19972c5d4cea33f8af1f4af043c

SHA256
d2097120b416c1c84a403a7564d2f99762f564d04f89640a559bd44f26cad49e

SHA512
bfbef5ef28fe9b84e2e8b2becd6f588c32a3f7e0ccd5b4d23ddc05ac1b49b521f01036fe7979fe056e509fa1f8b7ab3f2fae8466e24ef06bc4516bdde8d7987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
679KB

MD5
b404ff6cb537f6190145ee165d61426f

SHA1
47296ab7f35fc7ab00e70d72d0677f346b690b19

SHA256
acb94449161fe581fad38813c8b6434818c43bee2cf75d8bb2febd8bd05c165c

SHA512
10b483260d936f16befc0bfd786251449c5ab76355c3e5450a046f6d34576175887cae2735efbb161fafb9784422d18231b1c908df00c8836e6babec4b64ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
294KB

MD5
4d7c23c28cd1b7c7e52ae7a7817b9f15

SHA1
f4f2afda9af789e65aa3b646c4c3c4b7e0888721

SHA256
fe5340faa25d81dc356b43d22ca058833bb2810a690c1069878288c87138b08c

SHA512
3f5da4be5f3b5dee893f4eab9f67561ad589fce405bba983f145d2f7b53c22e2318ad8a78337840603e76e70e1acc5897096667691b2b07931ed485b7e15d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
857KB

MD5
c9105726eff9834d0a4c84c35539f042

SHA1
f78fcd3120b3e828360935ef81069792f93b86e1

SHA256
b593cfd552d6ef851fe548fc6e2ce692b798bef3de17134f3abaf6968854d72e

SHA512
22d44c61b482ce6affcbc03625c24a92dadd06ab6ff528559798c53b937e34b674c30c453510d2edc739155f34d0c109a3ab8ecc8bde58412e202295deae7f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
798KB

MD5
7da978d5afda739897787fdf6d0a46d1

SHA1
88dd2e4b817bd0010a29f4cfccf853226a825716

SHA256
919d1c1de314cdbfc6e135eee7fc0a4ab1a95a0dddedae9e6334747b052814e3

SHA512
4c7a8d8327b34f03c76c73fe73e15120e0170a081cbcacefeb92bedc0280dc54c3df77e26c14b8391ca432ac5677b0996b28044b3ee33b41f0aa20b06e4460f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
52e2e506901b3efc4b50cb54e837e8e2

SHA1
9e14bd36aeb778e28065792d730d5312ac9da717

SHA256
9960504430a88c8c0f84ce43026ff5af866c75469b617eeb59cff60f02f1e589

SHA512
6c8089a70d5ab1846e8ab736636e77240e3df4f1aca16ed1a05553f2a6b54ba2dfcb8dbe33e10c844bf746db1aecc5433c75cbe431e115da1ca7df08b9598397

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
105KB

MD5
877ecfefd7abcba05a11df8f272b2b72

SHA1
c92d82ce7715af1a5ee15af92ced092655040112

SHA256
01938aea943d634d3124e0af0b36b818aee4f0aa8864dd053f2eae92a8185d1a

SHA512
b9ead917816111b04830af58aa0653b59c801b6c7bbef4a896a33431d2b09e5eb7c229d118161ca4399049bff029a44e5e33f78c32b25ed0ef05d68e7b715560

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
138KB

MD5
aa11bf6118899090b92afe418980d3de

SHA1
7ad89b37557a5a0cfea594b76b3b5cdc2fb784f1

SHA256
f2b1ed8ccef7fd8d3d4a8296e661c7fb59ebd66c10e607b08ada452535b52a9a

SHA512
828a4e3ddb3953d24d33b5fdb0b54f7286c077f81661aec6ca4130576e846b3a6ad768a94e9a8b70cb6055afc9047cfb5b1b892df07637274e6c0512debe7228

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
169KB

MD5
ba839216ef4f412ab65e547dfa06cfc7

SHA1
6e8155a9c28179cb85f5d72256363e0e32edc009

SHA256
bbf1fd40e6130b59fc1f8bb6e89aa645820f8eebb00f9a83e27cad428b90cef5

SHA512
07d76fe5997696a70756eeb370a519ac2abe293620f65d42c61b8c57c8291c238b0d8ef9c269946d17894d76f21b419d9b48385a86734681fed58168c7ade094

Download Submit
memory/3028-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3028-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3316-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3768-49-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/3768-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3768-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/3768-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/3768-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3768-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3768-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download