73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	b2e.exe
3748	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe
3748	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3876-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 2068	3876	batexe.exe	84
PID 3876 wrote to memory of 2068	3876	batexe.exe	84
PID 3876 wrote to memory of 2068	3876	batexe.exe	84
PID 2068 wrote to memory of 3824	2068	b2e.exe	85
PID 2068 wrote to memory of 3824	2068	b2e.exe	85
PID 2068 wrote to memory of 3824	2068	b2e.exe	85
PID 3824 wrote to memory of 3748	3824	cmd.exe	88
PID 3824 wrote to memory of 3748	3824	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\754A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\754A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\754A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81CD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\754A.tmp\b2e.exe

Filesize
8.7MB

MD5
60a9cb6af208082f41efda67a0f638d6

SHA1
b89065c6fb6495d012a2e9d00fab5a5331d953a2

SHA256
863eccf2614d125e12372377a812f08d286d9bee38bc65818849dbce8e20331a

SHA512
095365a4a81aa368fca59c65935475be7c744d771b0b89544da570ef2b937c7c8a8b39ac9c8557a3917f8d9a8601dc1eea1753efc911df476a820dfa08c62998

Download Submit
C:\Users\Admin\AppData\Local\Temp\754A.tmp\b2e.exe

Filesize
5.0MB

MD5
02291c346badd66e7892941f71ba8e5f

SHA1
598cc14553ec6d30c2fd497eda48665fd0f30ae5

SHA256
720042194deeb73df6c528ec2fe67b64580ad27a2515ef302718aa176a998a4c

SHA512
972018ae83af7d0a8d625a99712ace62964be83e729b4ee05f9fc6c5ca93446ff7d1cf3dabf9c7866e04b61b601cb6101f7eff83d30408c446ae53175683f0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\754A.tmp\b2e.exe

Filesize
3.7MB

MD5
1159e61025af4499c4aee245391fbaa7

SHA1
6941af22b356ba5b630cd97791029006a9ac5fa4

SHA256
09acfb4f01e9780934a8a94c5fc693816d92723dbcad062494742a9d0168ce8e

SHA512
4413550ea82a8f3ffccb42094a208abfc0c4b033e646e7766ed6610e82eadceec6961af17c5302770a3cfa7185b72e9170a0f21de157628c4f7303cb03c452bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\81CD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
724KB

MD5
20f217aa7e742ee68c465d49f57324ba

SHA1
5aa5d5a042f7a126d163a360415c28391f2c1218

SHA256
3f8dcce8f5fe39aeee562da1d801c558c6dd032dbc9387d2f348aad1c47c0073

SHA512
a413ae19448c19de4ba976d8d22e07d96313366b8478d5416de60534f7a10628b9fab8a28fa1e0e40bb0fe2a41e6231fd73e48a5cd00bbe56aa0832731fb6465

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
23d79e5c9aab672f8f60c5eebe49095a

SHA1
a104fcef7239607ddf1efe7b2c23e746dfbd0dcf

SHA256
698e05c0e81105d7f7175ef33574ef428340bd4729564a58f6190349283e636a

SHA512
03fbe3b84107563ea0e7b6b345b4cb4a3bd09153068643c1a96e53bf7504b004458859dfea0c66da065defc293436f3449e568b922f1796f33850f145f8a07eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
771KB

MD5
81f721d3cc5003e46e6fbe1022218800

SHA1
a7b386f7ea5b2d1e514620228ad7e3c84eb2eff3

SHA256
d92213b4b91922fa2ee67e48890f63b741b71f9a9319ba6d0a86cf0eeb98298c

SHA512
621684f3f39b30098a2c71bc1df72d18f1e6e88cf144e7c46054f2270d8de294e04e0737c4803f81d53f55d9f87c71af019b12e97e42492ed18c5514d8616cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
372KB

MD5
5e59ea1a85a6d64e7cf6fbab81a431bd

SHA1
6f001a032484121555cc5ae737db4f23c349d164

SHA256
ec25e300797460c682448d22695e7c826f5c91d5fb16a6934ec2119022d47917

SHA512
e094860c36838cb8926fabd2aef03a0932f56c7c678134b1e25f786a4d4a3bb0452c333fa15379ae0a432f3b818431da8495c87ca5efeda4dbd2a8a97bb0389b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
256KB

MD5
11e8812bfa1d698cdeb73a16c1d7c963

SHA1
e8708fd452ab5946b380d0c353ac26acf289e548

SHA256
e0f9ddf8afd30511763f0cf792369e32c955f15d9529c00c5fe9298a80d74402

SHA512
fd54c9c6f3520b2ced6b42235ebfce6d8b622c53f1fbf810baace657a7d44430968b5ff90cd1d860dbdf7550dd8cd467636c862ff0dd0832f25145efccc7731e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
417KB

MD5
aaba77c70417f6c2498bd7178a789a29

SHA1
665c1ec57a79bd3b88bde080a221388e35c45ead

SHA256
6a42d6dd0998c30f076cf86a0a05c07c9584509ab401ad87e71b4da8f1a4c84a

SHA512
4553aadfd306ec2dfe4d702f57b6ec719dd51a812c809ace7ddede1d20102216589dc562c7ac87c1e4d8ae08fdb3ada6e69dc112594fe2a37a01c22a7b381667

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
513KB

MD5
a9d2ad3d82c5dcdff4a527634decc529

SHA1
3b1f8731622f2739bc5d90758ac3d82820bbc88f

SHA256
5323ebc3f47dcfb6993d3471ef52cc1eaf08540c2a15c107532c24182a771704

SHA512
152cf6f28009c8422e1114818ffb2e81f1f871449b5f0b5ac85a0e62033b4eefb2becd1fa4b145acfae38f249e4a33530b12c695dc5c6f54ded28ceadcf58fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
699KB

MD5
fd3c1d699eedbd8d652638191bbcb945

SHA1
52b26e454c65cc88429b3fa6a2e709d4d1a0546a

SHA256
77f9591c36c46d7211d1cd9ca259d2cd3760cb5b8b5687a6eaef12326d2515a2

SHA512
7be46272f80bbcde24e1e68a030353b8fa18c55895400d1e3d1a2836bbaff0a75e375fbcdae357495abed3e7cd9100e00de3f7d772b9aa1ccc20779eee419d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
681KB

MD5
f61bd21765e35ef0de1ce91922408c9d

SHA1
38c47a48a8aa9f5208011ff2fa8e550617d5a6e6

SHA256
05f5924a07586cf253babbe5ee864a9dd03225bc74414bf2957ba86b712e6fc6

SHA512
902ba61ff0824f95b24496dc929d5b7a50e6121d371629445e54f567b740a04a7c19b46eac60ffff2bbcc104126e6be1af4249989234225ec6bb6c0df3fd2352

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
231KB

MD5
f025bb08ef4a214274b217ce8114a8ea

SHA1
c396f76d6f4c5e242acabb83bc4ba4ba4f0671ea

SHA256
cc0dfce7b3230d3265517beded717475b41d5aeedb5ab6f8335b63c6bf87c44f

SHA512
c26b1f5a88702927fcd3fa5fd84df2e7737808e1f9b27d1929857013e4474093a3c1959171758e182fda08954d6639f1d76cf757b0ecf13f7e37683bde29e30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
175KB

MD5
e64409c752d8a04191b56634c6254fce

SHA1
f9ffbeab516f219b2a744fbb4f4641f91b0a0855

SHA256
f5d9a5809b7f076d6b0e0bdb3167aa1a12c61b20c702ef8e38728b1d54df5479

SHA512
5e054f8cbb073fb634e77127fffeb9e8c6b6404753c1f668be3b73088cd3c8e915c33c60eebd4f06f7815b5eed6fe20cec724f1ecc390aa79b7d550812b1df7d

Download Submit
memory/2068-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2068-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3748-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3748-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3748-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3748-49-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/3748-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3748-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3748-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3876-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download