73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
764	b2e.exe
3264	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3264	cpuminer-sse2.exe
3264	cpuminer-sse2.exe
3264	cpuminer-sse2.exe
3264	cpuminer-sse2.exe
3264	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3128-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 764	3128	batexe.exe	84
PID 3128 wrote to memory of 764	3128	batexe.exe	84
PID 3128 wrote to memory of 764	3128	batexe.exe	84
PID 764 wrote to memory of 1388	764	b2e.exe	85
PID 764 wrote to memory of 1388	764	b2e.exe	85
PID 764 wrote to memory of 1388	764	b2e.exe	85
PID 1388 wrote to memory of 3264	1388	cmd.exe	88
PID 1388 wrote to memory of 3264	1388	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe

Filesize
1.1MB

MD5
1ef06efe31db405b797d40036eee851c

SHA1
d3f445595799b3a183ad957c23ce41c11707849e

SHA256
2366ed8269c52a26ee411df9e23db387b2c4bf306753590f1eb0ac4a62bb873a

SHA512
865b7bcc47c6eebb6d2e7f2f4ce1e16286223bc4e14051b5c971b6f3dc6b3c4fc42640307020ef3a61e43870760a9e11e7f3f54d636dbacc3bcf58bfdfe6ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe

Filesize
2.2MB

MD5
cc41f3d02f6413c35a1f5137ccacdb06

SHA1
dd316646ddfc95a8d16aaac485f5ac734d2868b7

SHA256
b4b12cb0978ead251c4af5f4b95df87b348dba4401b88ce79b5d16501def376b

SHA512
fd569aeb79603cad9f53c651c094a725174d183bc300c78f846e3dc010d5da6c03f98d17e00873088f60dc4c85dd83d942fbe4b26f5ab8204ade7461557c475e

Download Submit
C:\Users\Admin\AppData\Local\Temp\95E7.tmp\b2e.exe

Filesize
2.1MB

MD5
6c657db8a6b4f42ea636d78852d60184

SHA1
adaff3a1d818eb34103526352f0df5960cb3d12b

SHA256
b116273844880106b128b2392743c49f895ee5bbf39091ef0f65d6ccb80def82

SHA512
98c5195256f129879441f8289ce0db63a151c167ca7a7afe11905f79f6f0aaabcfa4024070e40b5078c31fcb9b49e4fb1c8fb9698c7936429a801951c9d7962c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
74KB

MD5
84ce153c89716ba09a695922aeff18a6

SHA1
763159617e176341149eb046732578d9f96e88f4

SHA256
540d9189dcdb90ed141393c7ce6f786e42a37d02635319fc617b7fda5dbd2d1b

SHA512
65bf901711b9c7465609284ae2f59a750e0fbc768cb1470762b69b4f3d615430baef27dd724d832dc9ef7f9853b98d8ad2802f9fd9a5dbb74e2e88848b8a824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
208KB

MD5
3dd95d16c5fb5d55024d5a828d61495a

SHA1
3a91ff61d420cb8e860909f6ab6131210b703745

SHA256
327ce221a262b5be4d416d51d6a50169d5212aa3f582ce2e92f8d279f1fc165e

SHA512
1f6e7f4a83e37a5c1199df4013b72b40ffb534d4efeeb032bd026a1538bbb9ab610fe519c4d7253ac0014d92b56e578704843b25cf72d5bc909182dd4db6e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
67KB

MD5
33380974e828d25cfbb5bd50f4652768

SHA1
8310629aa11567a076566b2b3dea5fd0769c4761

SHA256
5b99da5a8d32160a7aec48d7e8e8415cab0bbdfcc0acaafe78695f90d5ba8e64

SHA512
f75ae85115b34510649ed6506a818c940fa28d565c484cc021501deeb26f32766ff5c0c59b4802e0d867f23faabc882ba4e3169f291317d3a4098a47cb3f473c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
48KB

MD5
7f1bc6c6744f8a9f7d6d636daaf44a45

SHA1
6de3ed56db4c2079c7296650d1db16082c14eb7e

SHA256
b775763de891de9eabc31ee8a5cf2297d329e66e9cf6a6300e5934bb9e43fce7

SHA512
42f68c0a5897a6d94963f3ebcbd887ca3521758c1effc4caf24812e8001c70cb8dd0760db91e1cfceb00ca6a06afba3fd803ef58289935d2670a8612d04ac375

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
117KB

MD5
78af7c75d32f32c5b7db4edd02c484dc

SHA1
df6a5bfc50c6659cad3ddced28c67b05f9dace09

SHA256
ddcae9a1e6078f910e56eff73471ce7057db84afbb9efd963b09404a5e6c8683

SHA512
0a3f79136d0bb77ba6eef3552f739a9c84a5e8c1b74061f2d7c248ad37c7a5d234cdf588a8c45eaa74ac7de041b6be8f743acf4ebaa8e1329f6e835cc7b2cb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
61KB

MD5
ba711fba3f3203f4a942aa0a1df0d975

SHA1
11bba962d980d323d76a44fb93a332505200fdbb

SHA256
e77d9c0f3f0346b1ed16a89bd6db98afaa82e270a5f9d4f5ed0231c75202f94a

SHA512
d11639aeb92d96b7539c20cb80057936fa4231fb0f9f84ec802363126ec1bd0302633a7d6ab2c9da3dad7904235d42bc90cc111a3c73f571f76c7fca52bb1916

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
37KB

MD5
58f3e6db8c50f285739381fc1a6b0f22

SHA1
f7aea7d7dd49d055aba85d2e4969e3058e83912d

SHA256
e7e6d54bb5c4bcbfb5f15c035943611166ee986193473abdaf0d1d1fe8f40b13

SHA512
c5d6e146b5a404761af6a3bcad2dabdc36abff84ebaae05bef3c0760ea454a1833722b160bf59614211c5d809236fa78647cab50e9fedbf422657506a4ddd601

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
27KB

MD5
30f0ce3185f3759fc1fc4ba770d1cc56

SHA1
0fb498a1146f4fbb1f73c1594b6e69c3d9dd512f

SHA256
7c8031ad95e28461dbfe13b13817e95a2b382d6e585f5ef409996b9a637a78df

SHA512
de09a4d75032afb8128c5179f93329ffc148d5946270f4bff41f67586d92a053d121487c22d7a32a5f7ac7a877cba6162374ee6a3c7c171652a0709eb746cbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
15KB

MD5
9ebf037434fcd840dcf0685241728b9d

SHA1
5b43f067277564fc330eadcccb7f4feda9ff5b2f

SHA256
2a2a9b76ca8f3573d0beed65b8cd8f6bb98bfa24a62c4c3e2be6c7da65009f12

SHA512
18f96dab56c002dfe2abef5f283b82133da06c2c0c9d3db2c70e3a5ea3f22c46839b418ca2b19af5ac58925f5bd12ca3b7b40e0e6f58bb6f2c54ea06ec638e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
10KB

MD5
077e2a6bdc6966e1c8a84ac6017ac5e8

SHA1
7731c46424683ff9f6d4fe8784633cfcaa14987d

SHA256
4490517322e8138433acf40dfaad18b3566f9e7a5037c0dcef3d959cb418dfc8

SHA512
77314b9bc03a1636291496bb630814e47c9d7e5ab04ee71c39a5fe42e40a8fdfcdb257826bd0cc2dfd9e3fbc3b27ca2f9dc220cd67918767487eb269a88100e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
110KB

MD5
985f3e8c746d3074bcc6fc989cf87bca

SHA1
e004444d239642ac5eb0789b4da7644c403bbc45

SHA256
7ced2b106273fac37fc9787b624e44c374336b92dd06bced90aa51bdf602d430

SHA512
9cdd6da62ee7b2b828c27483271d464ee1297c740ff3c15074d3f0e3a5e719db759ae88a811c7060c347e8b25a57ed0a2dfa487f2bce23b4afb979264a7ffe7b

Download Submit
memory/764-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/764-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3128-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3264-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-46-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/3264-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3264-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3264-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3264-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3264-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download