73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
860	b2e.exe
2196	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2196	cpuminer-sse2.exe
2196	cpuminer-sse2.exe
2196	cpuminer-sse2.exe
2196	cpuminer-sse2.exe
2196	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2016-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 860	2016	batexe.exe	84
PID 2016 wrote to memory of 860	2016	batexe.exe	84
PID 2016 wrote to memory of 860	2016	batexe.exe	84
PID 860 wrote to memory of 5088	860	b2e.exe	85
PID 860 wrote to memory of 5088	860	b2e.exe	85
PID 860 wrote to memory of 5088	860	b2e.exe	85
PID 5088 wrote to memory of 2196	5088	cmd.exe	88
PID 5088 wrote to memory of 2196	5088	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61F6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe

Filesize
5.3MB

MD5
1a6adc3692c9dffc8596edbb22259cbe

SHA1
306df07658fc52047485402887f3a9d83dcd81e2

SHA256
51d798f0b42cc12eade10c1add88f7fd3e76e8fca6662f59b740ffa4a04d237b

SHA512
1a45198222e20aea0299fff07f2de884819df076939b0bfc1de05156fe31a2c9353ca2b99f75dc8f988ff0783e06c3fe74e8a9e13afbeed6c81092a2b775ee20

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe

Filesize
1.8MB

MD5
fed226671f9daab029aaea0c1bf6c527

SHA1
bacded51e7bf4d82a756351748d561b93e5d56ba

SHA256
e7bed9d6ba6c3e79ef43fb8bf34f6748645e87d47c743fc8ead2ad2003a41304

SHA512
d25d032e623e053e35bf23ba71a5432f3ac3b31eeaf9810352d0561d05e8335837ed0afee8cc0008fb1915646912ca08f134ef9e4aac9170aa63d6a254b57fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\b2e.exe

Filesize
1.8MB

MD5
e77b8cc3064abb184795d6e825aeb8b8

SHA1
cf296e57a04a42e7b759789aa62527218cb3ca4c

SHA256
47970cc638b2473dbb7760782deb8072eb892f9553254c2ffa3d643fb0d6a85f

SHA512
bcc821b70f9a68f65d7982c5ac3fc240ba101395ecffc4b3c4dab05f9ca7cd5d5270ae3de8a9dfa6127f63520fa9d0a429e9aaddb2f1cc9afce39748a86619f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\61F6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
194KB

MD5
a9f90fd07c385b73aa9b4368660274b7

SHA1
a93b3f72eb9cbb9d0c1588563dee5a61e04af2e0

SHA256
efce355c38ca4881705ad3dbb6dc51146e523d80cbcc5bbf29f5567956f3fad8

SHA512
8bedca1bca3a83bbfdf42b570e1a39678bde14bff85c1ec792300673b073eec142b088919c440852fc8223867140cec7514125154564f3b73199c374cee9975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
89KB

MD5
3b162c5f64b0d173a17bce64c644cbaf

SHA1
4b73509e79edbe82d5f0e11dced6945798b3cb61

SHA256
940505c37c71ddb396c830589b0945becd47cef14db1f78a615bb5d8202ccf6d

SHA512
78a6cd6b4877bf305bb675eb4c182d5a1bd81ba997e851d068d9e249840451d3b2ce1e55f69ac65502da57a6409cf3f1712da35b42865e4fbb381e0ecda77cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
95KB

MD5
21b6a56fe3bfd78b0f20b8b7813a4d3f

SHA1
beecb356d2fa6aaab014e116284af6d095583d45

SHA256
b535c53ffea6a5b2b218842804016983f9b8c223dc4efdbd117b55b3a7ee4161

SHA512
de04b2659b501e722e5c0c3353a38ae1d09437e8757a5898e82a0061aa0a2f60f3ef7a3c3c6ff7b51e36324ffb51500facf1866c00e21412151b0e5df1ceb46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
61KB

MD5
7e28e39f780e66a933b6ffb53d9ec28f

SHA1
cf70a499aeedc011221a3e4ba85a92d1a6e23be7

SHA256
a49017d06c3b33aa2e83d3518163e89ba648da612f968d234534ed83f92aac48

SHA512
024c646c40a6fd2d0c28978d1e2302a41c86e174c9c4503f2903fad68f2e720ffa13f24b674c7a841705b7f52634434c86295c7084ccc5991110330148c64925

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
61KB

MD5
edec2ef2ed422884699a16ee3f4fb1a1

SHA1
340fbe415ccaaa26ae4f61d57020cdec09c2a745

SHA256
4ef38afed895fa59426a12461e8586b0dd2de75db3e45f8472b16009f40f98a3

SHA512
27db0d0a92746eab17df9f2ff7757301db4a86eac6fce7efd518c7c0d841d320905ea6ea73971ec2e80fe3db8f3b0a84d76a0d5611058638fea4469f26389251

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
24KB

MD5
e1496858adc6faf4a745582731bd7070

SHA1
742c53042887dc6d9335cd9689bb7ade21c651a5

SHA256
e0bda1f034de8862abd04af43c6c49d775d50da083d0ba72fce22f0ba9ad818b

SHA512
b1db82aec367c4330be9d787c6ca4f5ca6c404e67e36e1c9e90cc245e7f2f1d8e8662988fdbb83390f705a7007bff5a312970335dfa280789cf402fabd06b0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
51KB

MD5
efddddb757b20b701c28ff34dc1cbdc9

SHA1
26ce77eb12a704d9ed12c9e6091f36f6ad3c6d8e

SHA256
b90c2a7b60b37c6202259abd5d426972ede1a40160c0b182121a89ebe8066e3f

SHA512
9b6259a7e538ded8c96227addc5ec98a09726f763b78da5fb1240af5f0a47ca6670dd835945e41c0b699cf4f72a5d53dd9b84e58445757299675e14e9f626dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
59KB

MD5
ac420f2d949ec4db7ec11c9da0a4f8fe

SHA1
c9c6bc0c9ec7f6b64fca3c3b818e6ab3b9f524fb

SHA256
11c288e6c6cedf0dbaedb5b5804922028f94d9b4a41c9456bb9563554d7ed153

SHA512
650d6633809bd1931604c038e1724dc834c89ad63fd2ff4941e8a758b7ebf7241c756cabd110278e1a364dc3c88e296526ce0feb20647222295f17f787bb0718

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
16KB

MD5
88be74b1534be9cd62a633613bbbaf37

SHA1
6cc3bd2a449520457ec586cbccaac9b62b5d300b

SHA256
5b98a93999649b0c3e9165f638646aec47dc280c88561a12447d7691d64c8471

SHA512
38284fef71fd40139cb3f2e08f0fa24b14ed417d5072ce62cd01b7d4e3c76a26a803f61ab62b5bca1f729c07a31feba7e3f88f6773b772ded978fcfda401a69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
33KB

MD5
b0a8b7b8c40d846d8cfba7a40e314bd0

SHA1
f6aec75e6af841d6d8a3b520476b138692961641

SHA256
8494fc7feaced5c8990cb61c15104c7ce4dbf3498cb9ce56e373cc4cc3f5fc2a

SHA512
4c5743bb594d648dc81ba6f7d05e30cf270c9715c9d166894e514a5192a89cf8998ef390c0c9907b1674b0b4dae54b8d815ec037d91296d835b3025241026195

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
50KB

MD5
983dcc472a4cc237445d5bc6504fe8c0

SHA1
d59972062ce17417c3447e71df94d02522ff9956

SHA256
99a95b66eddf806edb39e987b78af37b0c0cbac60cb1dde5e8cf04db82a4a6c6

SHA512
903a3fe24aac561b7c0e24e50961f4a9b7fbf861db6a0d36aae623bfd0fd83e2748b9edaac993e916718eb6789c1612d1446fca857dc175b87ec67c5c95bbd59

Download Submit
memory/860-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/860-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2016-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2196-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/2196-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2196-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2196-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-46-0x000000006D880000-0x000000006D918000-memory.dmp

Filesize
608KB

Download
memory/2196-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download