73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3576	b2e.exe
556	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
556	cpuminer-sse2.exe
556	cpuminer-sse2.exe
556	cpuminer-sse2.exe
556	cpuminer-sse2.exe
556	cpuminer-sse2.exe
556	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/708-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 3576	708	batexe.exe	85
PID 708 wrote to memory of 3576	708	batexe.exe	85
PID 708 wrote to memory of 3576	708	batexe.exe	85
PID 3576 wrote to memory of 4204	3576	b2e.exe	86
PID 3576 wrote to memory of 4204	3576	b2e.exe	86
PID 3576 wrote to memory of 4204	3576	b2e.exe	86
PID 4204 wrote to memory of 556	4204	cmd.exe	89
PID 4204 wrote to memory of 556	4204	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A74.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe

Filesize
4.4MB

MD5
6817714e04354a199e62ac01b6e06f03

SHA1
66550d231ce6fd69a1c26ba144c42a848b1bc4f3

SHA256
42ff8a648e686c200a1e06670dcde1f6a9cfc68502b22e926eb8c28cddd49e48

SHA512
22047de875bb689deeede284a092c6fc23de6d1733413c5ca0ac25503b41c86c2374d5af5a9778620fe9b49d75ad39549355f273095bab65981213f49f1e2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe

Filesize
1024KB

MD5
55d3fcf113506e85b6cf485f08b11290

SHA1
539d601fdd7e37fe22412d8c73023e21293ac62c

SHA256
519083ea4de496637895b9c3dd7fa5d9fc1140325272570f09aa0d2bad46f2d3

SHA512
62c0dc6a36ef819eede73c8b041fbdf579ec0ae399654a73a4628555bb84c4e1fdcf314deb659f41986204e2d92acd886dd8735a24a150a309d4035b58a33ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe

Filesize
1.1MB

MD5
c8ddb9a1b99b955d28ce987616dc783a

SHA1
6a50a41aac042de84cbe5fe9cfa8ef171c1a15ba

SHA256
d42d045c7eaec84a0576fa2d1e67566cd65686605e6f66217c2da6ec9faa060a

SHA512
8804aa717bb5d9a88543175afd4ed3363ae6d1ff9846379f9bbfb7ff1b49cf0031fd6b1cbb0b1491a94d1158663021c8bf56c47050f3192b62a0c5bb5499d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A74.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
557KB

MD5
f594ae16b27c47144f7f99dd15af7a7b

SHA1
5643844eea85686bb86fa1bb91668a71287cc4d0

SHA256
09defde5e5df38807be88dababc6d4f21679583732ce6f14c70273f1240a5ba9

SHA512
d1fe5ef50ce73840b4b278abcb10671898e630cda3e8d15a7230ba5299e7534eaa80fb18e4c4111402538b5c511a3bbfe9591654f339bf4b7088704753fd2aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
412KB

MD5
b40cefdf655c078ba11da6ebd687ccaf

SHA1
a413da347d0fcf1df71d95f77acd984232268218

SHA256
a64e0b36a152d247187d50fc4e76eac6173b755e35019b2fb8e02c50ab42ef72

SHA512
e82db41d1eaa02dedcf62347f4d3b2ccbdae62e2ccfd6f7793fc6a133aac2117b7977655a699b72a2544eccdee18206d99554c32fe44895155e67feddd16abd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
346KB

MD5
8fcd573e209928721ca3746f836fda8f

SHA1
81351ee7954168d1838dfa04d1ab56fbe1af65bb

SHA256
210e79a7a24e5c54ef107f79072670048290661ab38a96cd4ba565e587804105

SHA512
22119ccd7289d3e55028e76cf852f36fa6642a7dcdd1525589f7ea8abe2ca200b66955dd1f2538ae13e30bbb9dd352e5a876f8c89d2614ab00d7dd56ec1431e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
338KB

MD5
9d4cfcab221430d592cf8e47d66d5329

SHA1
4189dc8a8fc6017c38e3c9aabf81e6181c7dfdd0

SHA256
c1b83cd450ee231f912c3cbbfac60ae26586bf7a6bdaf68b90e73e498a520dce

SHA512
4d7bfee1c72e99fd85ab87a7b62df483e2eacd2f90f82f98644032acfa9003465c5c21b7b2fe967fbb82da3e83720034c803a226546b1f8e27bac26c7454c79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
490KB

MD5
a1e9fbe42a935ae7924f7f7859619446

SHA1
b2e6e32c46182d7840007a97b8767a014f0fa68f

SHA256
55119321c87e48517df08896de9f23cd40f7d4971e86d697cdbf64e2277ddf72

SHA512
2b9e83333044b3a0976d2c965df4a901619e696f73a4c856bbacd0ecc775785fcebaf874105718e11b4e0d1819d8e6c5f99f61de813ceef22c3f10fa447ea901

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
264KB

MD5
f6ad695ce0b818d77f806297f3577891

SHA1
2c8825576d9d3fb36dea2dbdeed2acf8f37a3b8e

SHA256
88c1e59e983cec4738be5d5ad2586ca9509a5afcccc68b4fb617497a3c6dbd5b

SHA512
45615532017a13bb71fe207b4695b746b2ccf694266719550fcb9918a2992019b18322d43f70daeeda4affd28873e684eda073a8f5eb3ad657cfae76a16c1940

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
366KB

MD5
e05734c12555c8779fcb88473eaaeb28

SHA1
c59399e62aa65f0bfe527b46b0bfd4daaf86db34

SHA256
c87aa11a8de0216c04e71c3f18c0daddafe0a7ea92bdcf7892a7a20cdf8d112d

SHA512
b18be75242e8efeae4bcc8c87a5c3ce51ceebd8d37f4ef769e670b9593e0a9bad85ba3141fb4c6c8b22cd4544f7d88c294061e323fcddf772d7f5ce7b35aa350

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
602KB

MD5
9554194cab0c7371640f5ab3566bdf0a

SHA1
515a808831489f3e31bab0637dbcbca19e386014

SHA256
a47b8fbb4698a9ff305f92d76e56b07eefd8d0145937346a8d7a4c8468cf5811

SHA512
d43fec6894eded5e41727089549bc3a1f8b3fac91bb18b99c40220fcf63a47f4ddfb45ae38fd767effa51cbc2e34eab98cac87e1dbb310d9b0973537d5c35b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/556-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/556-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/556-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/556-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/556-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/556-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/556-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/708-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3576-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3576-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download