73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
228	b2e.exe
4852	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4852	cpuminer-sse2.exe
4852	cpuminer-sse2.exe
4852	cpuminer-sse2.exe
4852	cpuminer-sse2.exe
4852	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2248-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 228	2248	batexe.exe	85
PID 2248 wrote to memory of 228	2248	batexe.exe	85
PID 2248 wrote to memory of 228	2248	batexe.exe	85
PID 228 wrote to memory of 1956	228	b2e.exe	86
PID 228 wrote to memory of 1956	228	b2e.exe	86
PID 228 wrote to memory of 1956	228	b2e.exe	86
PID 1956 wrote to memory of 4852	1956	cmd.exe	89
PID 1956 wrote to memory of 4852	1956	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\6F54.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6F54.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6F54.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71E4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F54.tmp\b2e.exe

Filesize
7.6MB

MD5
dcb0ad8092df1840c2ba83e989557ac6

SHA1
8d973f8d013adbe4c9a7db91097beb4f9fe80b3e

SHA256
fc6703b09f79a8783ae8dcc47363fd9b0ed58e4eb8d4315af44a9a092971b668

SHA512
1841cfc5351e50ce68d0d6ef1b7fcdc847af089d461779d5540db585702407667d4a5eb6cd729bef2059e9f7a1f2633ab47a4c9b348ea9045f98bd24de116375

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F54.tmp\b2e.exe

Filesize
4.6MB

MD5
5f8ac534e60acb0174aa7a5279866c6d

SHA1
722e73ce6887516e83c3dcb52c251386863ecf5a

SHA256
d5e898d54b7cd50b03d58023b6ddc74c47fd35e02ca209892ba5c8c297515b46

SHA512
1757c36e772f1527b259b4e94ffd01ea6277c4a3f62e2c7b7c97707f08e4208fb017bd281db7a964a31d0f8a8e09e8e23e69214778b4d0f2d02417982723b2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F54.tmp\b2e.exe

Filesize
2.4MB

MD5
49bc36a2d0a19941a832547efaa9a843

SHA1
8e409738bfb55d66f43bb86647035b661888651d

SHA256
58c4ed2cc4f5f5f47f630c79feb848c763d70663eedcc20c6709736044fb5e52

SHA512
96d1a229beb50f4b03c0ddf4016aba4f12af5cfd047338201f20e6b59b630953e8de79bcf779db5aa6ed80220dd98320226de04d8b28ea6f25782dc4f2ffc370

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
644KB

MD5
12ff658d7819a67b26e3ca56777679cb

SHA1
15336fb6bc5b579ed5300a441e525d16edd543f9

SHA256
8c30ba60094d18dcd4be8fb3bff43810bf3a3c57383c27ac3499b42fe6f31feb

SHA512
25029f062b38b05f4fb37cc40a5c447f97ee74664c42737a1961469b54e45b8b1177fd501cb147c211e90c002f458ce2c638406bcb14c0e1d1a164b967b70066

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
611KB

MD5
9e6c0be8fd066943ad59f54cb77a96f3

SHA1
346314db6a5785278f50e26812f968886a10f4ae

SHA256
048ec6fe0a92b4f7bd26ce6be5b957ec0abcf7bf0e37ff78b6a8ca6440821d67

SHA512
91c792cd41eca202d3d0fee8338e1df22f5cbb5635cd93f4f96fc60f1dd83ca6f5f33ddef6914e538a7f67f860060e129a6d00e36649aaa3b52e923e769bac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
524KB

MD5
570a0e800add237a7df1b48bd5b3c84f

SHA1
e5de900ce04d1593d0ff6cdd21bbf2766bfcb5aa

SHA256
4305d1dc318049d858981ab54287107749da3e4998ab76866e2a7bb80b802346

SHA512
6e5c4d9cad00d326671b3607275a74b788514b85fa426a9e50e0b453da401736b149649109feb4aa5c211a6a94f56baef03a38689dfe36265d1f1ff046ecb10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
486KB

MD5
9db773cdbfee7fffeb399e8b812028fa

SHA1
d40575009510b8e6df982e0183dd04ea32823443

SHA256
68867d4d419e49066643ab85b4d28bf1180016564ab84510ddc26b74460d8b42

SHA512
4aeb616b43f53cb862a258654f0ad01531e91994f46cef6a7c5ba08db315d10fa9b76aea6059432b200b391b5b0bb9c883fdca7efdc587a1f9b4fd5f87b0cf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
799KB

MD5
b83e07a457f0db162cbc6ebbdd176e9c

SHA1
cc22b2cc183d6606445453b5b06144a8cb792afd

SHA256
1c1d19f8252108c030465aa3db415a9e973c2775746381cc3fd8f1a4537d0420

SHA512
cb10c73a4aadf5f360059b094db71371584b15780ab964627393829fa62ec2aa00e446905691cca512150f1756d902f6e958a3e7343269bc9b3e3e9f736c3052

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
615KB

MD5
742a9577a8f305cc98847e47f58234be

SHA1
d1fe7f521093c94a14c8f0676bf5525b84108033

SHA256
1c9d19002c527249d18bb7e228a4dd66aa019aaf6c122a76b1d435c20bac2ea8

SHA512
c8d19277b3d2650f33ebc24625fef64e18f215138af3151757588d6c7ea750e21c1d5adca8bb98a8d3bc35fec487c6631ed14301d2a40eb5aaf31b2cc1dcb025

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
757KB

MD5
9c9c339ebbe4e30a632a36c69b2b6e7d

SHA1
535a6db7b567f28c21c060d17dd94b7fe631ee00

SHA256
ac4bc6d3014c08787b1d422e6b7755bb86694fa0ec5283f2deeb21589a82a11d

SHA512
8830cb3c8d90ee6bed5cf843641e375ac9fb665462f781ebcf034a6d9b8743fbcecc042fa870effc082222bb785953a5eb44902ec27d3dfea0f179c6b1581508

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
487KB

MD5
f5045b3fd779d9e05ee4f4ab3514ef95

SHA1
35d188fda555c162d53100434e4b2d1147c6a7a5

SHA256
8a56da2d3fbaf5621937b090d184910d03a4e58d0c124f4e88c81c2a0432d7ab

SHA512
ffb29d6491c839d65f14b0384f668218b8c1c7eead8214e71f45fcfdd990409d0e50254265d5cc407ff49af85ffd167a008e16f4aba2631989e49db00ae144f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
213KB

MD5
d53b678bc2b29c61f2e93c6046698da5

SHA1
dfb47851b3d135dba2981c35462bb23f100d00a7

SHA256
c6f935188ddbce1d08502363042e28b874e5fe74990679f9bad9be002e8ac973

SHA512
c048b07bad952c12be95b7c7c972fbdb9e72b67e70f1390b0f403af033a6437693284f63a4b7355801e8dfff39335c7365feeaa964b8eb8099fde4f378c2ebaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
305KB

MD5
339a6419fdd33e7d0b20411fa6c8ffa4

SHA1
4dc334ca0a89a55af8f05429c56d2ca488c739e9

SHA256
4b83a7914805a1005cef0e353e994a76af90c5f3993d04784f2f588db57ef2c5

SHA512
bb53098d6cfb2455d4c2792b70c418d6ff46ba632a267569a7ac718d229cd400d7910ece3fee87c76877fd82deae0a7d48c7b59a1bb2f6f2faaf30b53e5d1aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
248KB

MD5
5e7ce4bf966a7c2122821d7ff9a19a7f

SHA1
5bf94b4aa0ab12f40469187aff24f81f4924d0c4

SHA256
97146721f6526c6bb0a8a9989197886b266faae2a4e62ff8f70a77a13c27bc5e

SHA512
3a1aeac6632417c8ba4a1cb53f9df475abc3dda01838f2cecee60829366c5f332db144a2844f4291f7bd494c87076df5dde962d6186cc069ae2fdabfc97a752b

Download Submit
memory/228-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/228-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2248-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4852-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-46-0x00000000747F0000-0x0000000074888000-memory.dmp

Filesize
608KB

Download
memory/4852-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/4852-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4852-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4852-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4852-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download