73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	b2e.exe
2920	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe
2920	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2124	5052	batexe.exe	84
PID 5052 wrote to memory of 2124	5052	batexe.exe	84
PID 5052 wrote to memory of 2124	5052	batexe.exe	84
PID 2124 wrote to memory of 1068	2124	b2e.exe	85
PID 2124 wrote to memory of 1068	2124	b2e.exe	85
PID 2124 wrote to memory of 1068	2124	b2e.exe	85
PID 1068 wrote to memory of 2920	1068	cmd.exe	88
PID 1068 wrote to memory of 2920	1068	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\8ABB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8ABB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8ABB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\920E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ABB.tmp\b2e.exe

Filesize
9.1MB

MD5
a97af40ec89bab099dfdaed9a14197fd

SHA1
2ce5555423105a103a6f37cbd104c7390306b177

SHA256
28d9e5696290334c5056d90cefe398119d92ed2b4e0ba7271169eeb12e95032c

SHA512
ac1ee551740014cc9827839470ebd141e02588d3c430d0f36b0a2226c3a16365c44c597ee8000501a849de3c27396e3f577fd4c0fcf655df9d8582c81b76d2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp\b2e.exe

Filesize
512KB

MD5
e4d2817f5e794155ac4a8a1445b9d728

SHA1
07f6972ab84878cee3a3e158cf9b0b27c8ad175d

SHA256
24781b2a837565d59faae5eff35a839726a5aa2f952f46e5e5b593f53ab6774b

SHA512
9ed2839db8465f9eb07d9bb2d29e1a35cc1c2e0b8c8f52007248752df018c899135e6d3f944e7e1363b3d5fe4928ccb71725fcaafedfd3cd496307619cf164f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ABB.tmp\b2e.exe

Filesize
709KB

MD5
1dd4e02a49cda42c5cb8453b43e41009

SHA1
501d08d9184bda5e8bd2520a6f158cb7d8fa2151

SHA256
c62f7a088819cda62be820715847421c663b70b8acf285c573942927300457d9

SHA512
959bc852d063741671508509246f23c3774016275f688767dfe295795b1e4fbd6d4fcf0c29d5df73407483827af9dc37d68a364a5401c1a3276c6cf1aaf4eb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\920E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
431KB

MD5
58077f95a0cacc88683f920fde1ec709

SHA1
2d86f1cefced3785fa54d74c3db6164005ae5f2a

SHA256
59f70d6ee41029cab43e626890c9852ec7d7923b3d3cc92bace8ff4d03f14e50

SHA512
60880673062bd7282b96fd6eb8ab48f584ce7b614eae5101445446da882d9cb62899ea25faf38a7029e588b6a94489e7b94e42a1d06e01bedfdfbf306cb50deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
333KB

MD5
3882fb9c858f13b5b8e4a95a44175d8e

SHA1
7e6575f4c6ee8f9cdb359799787cc289018c8e04

SHA256
c7fd3d1d950c0cde54f0e18f6eda5e2e2ee423e0bd74b610596b5159aa0f8ec8

SHA512
fafdd37a6b75faee92c7b356eac926f69b46f7d30c4ad09cafa08ae4ba8956d9458d38087aa25b867b8cd189f6e4ad5516e2cddbeb1eaf0279578bba00a537eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
486KB

MD5
a578ae849afe186231463fbecf6e026e

SHA1
bea890f3d2c0bc393bd884f4bcf0f8670db45adc

SHA256
7f1031a0ecedb02926f7f86cc3b9b71dbc74b37f186e98c26448b77ac54f6e93

SHA512
a60e71c901c0d53ba369cb4a53e005447b1a54433525bff62cb6806d8aef67bb645a28c2e329977e84d096a520ad6a8fe1ef5e91347153193c3c52282ba1cd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
324KB

MD5
ff8928165e669118e65d23e4798103de

SHA1
28a4379e68de8d76c06e3a54d92139fdf755eae5

SHA256
c6f7236dd0f230bd2e752e00b0328118d833ac66617f94defc086a4bd3bc3d84

SHA512
68ace38917b9ffebf191262f8834ae04c4314950ae4b3bb5d0bc07ca6a730917212b81278b98e35b96c739edfef1c81ada92051b2c0856868a4283c29f63328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
568KB

MD5
37a22aeec53039757ba667bc8b579cc3

SHA1
e70be6bcd8383bfbd99efa97628eb740b8473599

SHA256
453e419fbce9093f404ce75e153657539ae329f3c25bcd459c467a09875d8fb5

SHA512
d13eb7cd2694565c703da7a46a4e357ac06af684bf5e781787c56c1cadcd67038763bdfb03e7a6b251de2428e9821b0b879ac23804e8ba095f72b598d41b3e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
417KB

MD5
483c81e5ae7fe8ec5d3417dfe9f1632d

SHA1
cbc648bc35a8004eba887e133bed4f95dd85c89d

SHA256
2e6db99563372fad4cfc62bedeffcfd6fc30c49010bbe2b217977af2fae55e42

SHA512
a5f3eb6709d96bce2ed5f48e557b8f604685493c8d4dbbf49d5bb21adc087053fdcd7abf6e3670cfb43f3b173c557e1e070c7d7f6e03a11bf267e02f2bdc8494

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
355KB

MD5
fcafc90e2ce7f63703b446b78db562d6

SHA1
7ff4773784d3e96e743c1e430b7e8ef8f885ef88

SHA256
d03a81078045284eede18bf4443665a97df3c9e3f7c55affbda0f20fdb5ae599

SHA512
b9e759338311e8db6f4edfffa71ad0b0f2db49bed82787401f314fb5a9974d10297632cbd3d46c8ca5bf1ee1a01cf108a45bf903884387dca93c23410f7c9919

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
356KB

MD5
b75da660d6ee15fe1cbef2467a8b9325

SHA1
07b616d3ae4eff410838e80998fef8534ac6f0c1

SHA256
b505592029eea8cdc6235a3efd124049b3b0a5acba425b29fea2b8113c70ad04

SHA512
18886c212a1ba73a2a0a713d95e3d5145f06cebead9421f8809a77cb6c5d7b6c5effde9c0679dfaa3c44f9d91c9cf7a6ef3eec69f72d83f347d13591f4f2fb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
297KB

MD5
be930da06210b899dd131d2bb8047192

SHA1
7c0ddc5f5650e5ff1a0ef3497b2d47db13adad0a

SHA256
a107335b7be2022aff8dc5ac0b4d5a4b0c96fcbc214636a0b1706c426392b4ea

SHA512
01bd9bd823d9651f1945c3b3a39587fa716cbeb36427cee7612d04df6d0df187aee39be6fbe4fb7ddf54fefeeeca7938794e2afc7567bc3459d00263f640698b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
347KB

MD5
066ebfd973a8157062ae41e7ddb1d04f

SHA1
f9f378bf255f3129c21315667d47141b390064f2

SHA256
89a44fc8e1c1897d9df13b5e22e0fb6152fd28e93a5285976236ac847e94b495

SHA512
a7eebd7288c9bcd15a0c9780a11b36fb9968b0470c597247b54c0b79ade9966f23f132549bd9418f54538b4d328471af8a1acd5b5c5b44784a56fa6eac8b24e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
52KB

MD5
a9564bb8ed43f435d6ac03024eb87bb8

SHA1
5eaba51f0a44eaebc5f94a45e48d6fa92266516c

SHA256
9ef99c9a482b14947fe200777bcdafc4d85e204e53b616bbd7fa998b1913d6bc

SHA512
897266051bf0e510ac634cb7efc062b2f8e53d2037f572e13b116fd148f90d1c7d53cc3fc27e7d7e77de3ca75ad4efd506366afbedb2e447d9c2ea807f9b0c85

Download Submit
memory/2124-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2124-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2920-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2920-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-46-0x0000000073260000-0x00000000732F8000-memory.dmp

Filesize
608KB

Download
memory/2920-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/2920-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2920-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2920-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5052-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download