73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
5064	b2e.exe
5676	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5676	cpuminer-sse2.exe
5676	cpuminer-sse2.exe
5676	cpuminer-sse2.exe
5676	cpuminer-sse2.exe
5676	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 5064	2396	batexe.exe	81
PID 2396 wrote to memory of 5064	2396	batexe.exe	81
PID 2396 wrote to memory of 5064	2396	batexe.exe	81
PID 5064 wrote to memory of 5592	5064	b2e.exe	82
PID 5064 wrote to memory of 5592	5064	b2e.exe	82
PID 5064 wrote to memory of 5592	5064	b2e.exe	82
PID 5592 wrote to memory of 5676	5592	cmd.exe	85
PID 5592 wrote to memory of 5676	5592	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\F4B0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F4B0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F4B0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFEB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F4B0.tmp\b2e.exe

Filesize
12.1MB

MD5
b3c45365ae7a2bfe1c81480880517534

SHA1
32da7e4dc34693c2aebe88c7ee984b3fe5ee1e56

SHA256
4945a34c0862bcdc8dcd35525c3125b050067daf9fddb7f9729bd98cdf697b3e

SHA512
027fdcbdf44c5b549531a0dbef35a621aa266a1ba37d544a52ea7428a5535c0f90b824059ec9285b4c300d3b5de8bd0de6847cf2d911de85280f891d71ca5d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B0.tmp\b2e.exe

Filesize
2.9MB

MD5
7997f825e718c01ef7c4f3580cebff6e

SHA1
68d354856fff955a88e7b54cfafe6f7a691609f0

SHA256
583b10d21fe9e70c3d72694b191f9192eb9f3748b5bf4c731e122bd908915bbb

SHA512
e8713dc30025d687c03846a05b57f75f426d5ca1b233dd5824191f9b02821db77138199e168c030120fea7d25bf03db73e48bf25918ce53563c82cc31ff71f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B0.tmp\b2e.exe

Filesize
2.9MB

MD5
9317cafb85becd9011ca213e7be3a2bc

SHA1
1c84c389734da0532809700191b96dc61527e382

SHA256
644eb7fd5f540a11f942d00b2233e715a40b8548294924fc054db1e08b293090

SHA512
65120a9f1410f4b9350788c5898557be3d3b195f03b3425895748764fc052048f38998bb455cef4f25f748c696821a9a4622c8f09f6ae4603dcd6882be451684

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFEB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
416KB

MD5
0cffe5cf24f069857084514f9dec966d

SHA1
abc2456dd1018547a957a12729fd38bd2e23c466

SHA256
98b25e4a437395f66dab6356384ed329dbb17f043a7ed92c743ad0f044fcc91f

SHA512
d33d0f20374daf91cb9a1aa5c04c2d3489871379c3425466918b80637b507945e13652e35cbd03cc0d897760c55c530caa8bfd9940752e0137fb7b10d1526013

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
406KB

MD5
17f92025a08b257ee9aa09554ae6a65e

SHA1
4ab75766b13c702a6727638c4df6e5ca5ed84574

SHA256
4d36be6afede9db62d7370d1dc3b87252b4b6b3298826a8c45739dbcc0fea9f4

SHA512
ffb975bfff764cad61f651d429ec826a5749a3705e589884b7c68ea4561e7bf457a942675f11e15e63d6b75a0bc19909b27fee751d7f165bc64c2f39659677c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
326KB

MD5
7ca8ca2fb249458032526d4afc211540

SHA1
adf26b5c9ad43e27ff7e9d1aff180b0d4ae02ec5

SHA256
ddb42c8f19f272edaa8cf03f006ad3e14a119341676c8301f5fdd69214e7faa4

SHA512
a587d7abbb5e7f95daa92eeb1b1a724d19fcfdd57628077294acbce621303fb9754a6c2e43c68057c7334723f4e276a461a9f30f6901c457d8bb5654ad05227d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
299KB

MD5
14f309e96a665a886f028aeda3216d6e

SHA1
927b41f3342eb5a1fe81f2dff96a6dfee6d097ba

SHA256
fe963466631bb372f94a371f8a1915361189ee8834d19f383e93066e711d6ab8

SHA512
822caa839942bbd56512f589deb48c9c161094e8eaa2489b9560219d32cd1a69db7def3b62f35db410633e1c32319ebc5b474bcc056d0e19e85523e7fff6bd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
b91f7bb5508b343188ec32dcc7880611

SHA1
fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f

SHA256
47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b

SHA512
a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
223KB

MD5
d5927ae93366ad138d4786c62af4cce1

SHA1
daab1408ead24125652ffcd0d8b2fd6e0ea84257

SHA256
4b14f63945efdcb2f3cabb8a22a464da9d4b30073db2ce17d4fdfc2a8516af4d

SHA512
09b371dcab21f5760c4d2be5402ab0f6e097fec61af1958c5489674c0a16da9e039133e52110becaa6c40e1ac4d529700bc2b13ac9f91e8688a7b745eeafb174

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
539KB

MD5
aba3dd8157818697fdfbe4ff8b3a0d36

SHA1
2bdd35d9f7455a116e1b759746817411afb15836

SHA256
d87e8ac17c5d496607f2d099bcb031f594cbe6f326b8f725e544e60d294177e3

SHA512
53c23842223ce05cd20253b0c78091edd38b0c87fb659c9b11671d450e14fe20fd233cb42643511c7793b8180129ed3e1e75ee8114e6415542df00fa6475092a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
187KB

MD5
d44c540e01c930f4f303266e40783498

SHA1
c404ced32cd3d58a62a855df144cafcc4744d73e

SHA256
2d5199570d40491e4305ee36e57fe4b2eebcb571bd69a5e4c847ea1ed13b6d46

SHA512
fc40185ec6af150997e35bc146c9a0316bc57595cb99b57f180b00a843aa2c7c806d9a7401b0030f65ab872407d88375140fe8ce347e264712a8ff8957a5a780

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
239KB

MD5
81f53e090471a1a9e0385654238aaf67

SHA1
3c24407c6bbe256140093dda360cd530a52b235e

SHA256
347e66fb83c9b8ec745453b54737356080d571702cb2f081ed3ae55c1c38d5b9

SHA512
82678745ce45a9874c76aae049e96f71ff848ba0e3243dfb7f305a393ebba0d5a19870e8589658fad0e89eca6de41ecb549040d0dda791ab4a6056982426f67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
265KB

MD5
5d4a1143f7e0cb0875bf397434407bf9

SHA1
9c37063fe37d2529935254c2ad47688fa7689e04

SHA256
f546ba1db060be1f5800ebd52c19d490e330dd1ed21573190144aea34ef2849f

SHA512
14cf700a1b0b8096c89b0e1fdf3f059d84d7214be5ee407f35c045070f7e428769d501af0b6fe9a359edd86780773bce9258d07e224d23ea80a0267e23f714cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
2e1bd2f56e56c7f5027d82db0731bdf1

SHA1
f8ff09ee91eb71db43c9f7d3bc4f5d3cdfe22381

SHA256
61545e015663ba4555cf10d50cea9f7958cf5df3a5ee988f0730f4dbc8a69465

SHA512
faecd182c5b82dce08df302399068ef0de83bf25ff5d24088d334ba0192c3ff88b19635f2d7869db29598fb020ab42306df9240fdc55319ec44c778c4222c953

Download Submit
memory/2396-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5064-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5064-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5676-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5676-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/5676-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/5676-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5676-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5676-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download