73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	b2e.exe
4876	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe
4876	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2128-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1340	2128	batexe.exe	84
PID 2128 wrote to memory of 1340	2128	batexe.exe	84
PID 2128 wrote to memory of 1340	2128	batexe.exe	84
PID 1340 wrote to memory of 2448	1340	b2e.exe	85
PID 1340 wrote to memory of 2448	1340	b2e.exe	85
PID 1340 wrote to memory of 2448	1340	b2e.exe	85
PID 2448 wrote to memory of 4876	2448	cmd.exe	88
PID 2448 wrote to memory of 4876	2448	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\393B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\393B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\393B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4522.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\393B.tmp\b2e.exe

Filesize
7.8MB

MD5
5dcfa979f957e958667ac68d15a8c23f

SHA1
c0eed99b3ee1d692a59d767eb913388ce77b6136

SHA256
b3768ceba618334ab5c2cc2e573ae3d4400ae4771965b512cdc05b5c874e7b33

SHA512
4fe44ff47db9ec4333455281273f4b1f5a0fa8debab6e772f367f18a053a954226d924367398dccbe25bb9388b5474b0f88266c1607c7cbc16eef654a2dc6315

Download Submit
C:\Users\Admin\AppData\Local\Temp\393B.tmp\b2e.exe

Filesize
3.6MB

MD5
463260432454b8b81d06ea8082e6fd8c

SHA1
2ad240f32b42b776a397331665e7f52b46959f47

SHA256
16439b4db957a3a9eeb955e6adeaab6710bd4cbaa46da1a489eed4a346d4e052

SHA512
83ef9dab53111040326b3e4f61c51265240acea761eef343b2b4cd7e1e68e08a14482763b0c82e05212688eb291fae8cf299d7f95c1c4dbfb1cefb7ba6f561d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\393B.tmp\b2e.exe

Filesize
3.4MB

MD5
d71b8d3f4a5ed91f5953e22182d3545d

SHA1
0ae8b80eaa2350342ad465162167b7a7b2b708e2

SHA256
7784897651032862ef51e25f07a3ca75ec3ab562f2b948b986b9a77ea237d6a5

SHA512
72eb20f114423f6cf6d6f72ea3ec57196dca7de4de2ef190658a25091e9873a8fbee1919bb229bcb5b91fd5dfe19d46de632b4b6db7d8b3d281bf4ab91fc6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4522.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
6ffea895c665fa4730cab438590cdf72

SHA1
30a7690f7ebda541c4b81aa53ab96a94ef064670

SHA256
4a3bba4288e0dd54a7ade87eaec70fe3e96ddac97eebc3065b98bf768b751566

SHA512
95722c5c596d43c17614ae0e2d8236b1f5d85d9dae4df0d40f5ac86017f270c469473d78096f6d08e57f6607a2438ad7fe13fcc4239d42ad3ddf6ebdff281a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
904KB

MD5
cc754f907612ed0e631ad2b75214834f

SHA1
4ea323ce7f2a1cea0983176aab189854b43c06f3

SHA256
8cc2624ee1bc6fafd6940bdd1fdfd944d0ba877377c11c3e4c83649081fae671

SHA512
b85dcb97ab024e903ff2f3ad668359e53e5e935108264871edd8910e2a6b6380bd6db25cd666f4c69f91a1ae4d595f4be405f389a64eb1d289ae8efc961b86d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
579KB

MD5
e0a428da8dda59e3942d6e0cbb730b49

SHA1
73223b959b262b52ff61b95d16493b540461b632

SHA256
8bb96b538e91802a7cad51cbce18da7d793238d329bf552af17673454b5d587b

SHA512
44881b7821bd422e5318605b8ba98c22ea8e6017f3d5d739d4588519baa3ff8a0e95cf3d44b645e24388d48ec38e211b074bf45e8cbb6a51cac1f4a93f9a5f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
745KB

MD5
3ea1a818ea673f887d232386a612d2b7

SHA1
dcf9bd9b288cca68b624a45961c95e9387f94f1b

SHA256
311b37293115a22214e1265e0301fa5a3331faed739e0f794e9472c0c7ad1035

SHA512
f656c3c97e48d67528be276af73130a5d863e24a636eac931e523315f88bad040ad1c74cc021582351e6e4a4ebc6b3cc9723b38cc403bdffa4b24cfe5a55512d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
960KB

MD5
c04202d27a40019b6a699c65c9a0ca4d

SHA1
9af641c8b836c4523ba780e09954369085e73e28

SHA256
e8acfe0c4452c40ff32ba0fa7dac6b8374e9e895be2af35dde5d59e72945a35b

SHA512
79c5716eaad6d216871478ee40adce25a762bffbaf0771a9057cad2e54a4df025035cb7d67f010026eba564790812c4659a261506caf361441d31661cf9aa71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
767KB

MD5
6c565bca12ddca6061c63c6af4811ee2

SHA1
b24e3545ddaf2a09262f64e8f9ea14a30555c034

SHA256
9134e38bf2232317600564be9b73929f833bac2a2bb66b67f1c439a656f28373

SHA512
4514b9c88008879ee36d7ef03c6489fecbba512eeffc61d88e1b5fe58298adb3d57b2643ba9db1c3e705fbb7a31d549c94e489586ec1082e4f7193c3d0cc24d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
752KB

MD5
0b2f57790399f489c9bc8e6640416d17

SHA1
4c2cdc0165a68e435698c2ec1090788d85d18db2

SHA256
aff576a96d5d23bc182271d520aa283d09edc52fef72d2cd582c2e1619bbe187

SHA512
4f7e6ccbb7fef24abe0b62268367e6ea4712240a6862ebf8789767951d5955216e1b594a681a7212247f7e17a715d6d85585092118c31569289d10d93a84915e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
881KB

MD5
3c68d643576b701d1299a7c7d73bda58

SHA1
ecc8703dfc78f16f2d4b0597318baa4eabf8d313

SHA256
8e452656368e18a32e349f38ea113d8bc0258888a0f66916bf8456fa4b75a37e

SHA512
fda254236c6231c737c01d0199fe8d75811a9c6934e28aea80aadfe54e94e253ad2af927da6cfe4adb69bc2736e47a431245acb66136e931fe08ea084e65ceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
617KB

MD5
be8ff9e4c772a57bdb76cd73bf0bfe4a

SHA1
3ce740c45ed74f95a6deacffc73bd270bab8f503

SHA256
b4adaf70e1baa09b397fd40632dfaca2aba6f310d5d96649ef78614079d57e91

SHA512
e82262812b13e0793aa6e4d8b08d98ccab7009a4d7b732d94bc1300d036ab598ba2c9f93d6a48192d16b8f04fee3aceedf00deca6ac1da25abc71a609bba9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
11KB

MD5
53550756a8309446353804e9911c63fb

SHA1
c0b356b4d8a6e414e1221cf95d4caec83e45fddb

SHA256
617826adfae68a3cea6475fbc96df0b057be3448fc22d37770b4a1dca82da79f

SHA512
de4f4cdcaa36d751e151ef3a0499dd4ffba0977628e71b69e2d49c38167fa1a420c053a79cf0c16057f4ab96e8bfa98d7070c591397185923dc571adba4cb023

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
64KB

MD5
6cccf65bd7d7ff5b53aeb882e15c462c

SHA1
a9822b63ad70c6085ed1deda0fbe4bc5fe555f3d

SHA256
1379cd6111c2c37cf16f2dd9b325118513e85c35543ba45e79deb504dd4c01d2

SHA512
c174b5f8615131c2b86c57aee166744ee1fe02ff7c916195f2fde06684f467545a3fa4f88083335e2045d12727d774279dc8672ec352de3095b729aa5d1dedcb

Download Submit
memory/1340-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1340-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2128-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4876-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/4876-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4876-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/4876-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/4876-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4876-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4876-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download