73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17/02/2024, 18:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4740	b2e.exe
1704	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3804-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4740	3804	batexe.exe	85
PID 3804 wrote to memory of 4740	3804	batexe.exe	85
PID 3804 wrote to memory of 4740	3804	batexe.exe	85
PID 4740 wrote to memory of 804	4740	b2e.exe	86
PID 4740 wrote to memory of 804	4740	b2e.exe	86
PID 4740 wrote to memory of 804	4740	b2e.exe	86
PID 804 wrote to memory of 1704	804	cmd.exe	89
PID 804 wrote to memory of 1704	804	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\6A43.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6A43.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6A43.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A43.tmp\b2e.exe

Filesize
2.1MB

MD5
270db38581c5c592b8152e8e30ca064f

SHA1
b947f0b428323beaae4d678287aa0976c1b61c13

SHA256
a59f07cb97d565bc050a116c6600eaabb57fe4590b1dc57ac7d4c674b6e32816

SHA512
a2284ef3b8f1dfb1fc6f6d9373304bdc186e3dfa9355818f24fa5d3a3834d45ae174e0913630f572b52c2be90bc0dd94e3e084d80c29c4bd4639db438c41378c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A43.tmp\b2e.exe

Filesize
1.2MB

MD5
367c82c8d02560611dfb4f1f71af3d4c

SHA1
81e66ff9e57a935ea8735117200d6133ff2d876f

SHA256
dc336f530bd87ca50640705da8765fb25790f4330a67184c39bc5c53ca23a878

SHA512
39ad3349779db18ec2150366643c50e647cf939de194fc47ba7a0828fd9ed1d3ca2befb1d26f8b5d00777213d7fa20f256db20d404ea8618a70d3c1b830a12a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A43.tmp\b2e.exe

Filesize
1.6MB

MD5
39952da38b3600c99ac92bad2d014fb7

SHA1
42a53124de4bf808a9b23a27cf5ea0a32ff369f3

SHA256
1d17a461c0461419da73f7ae5c8884d29277c9e0f451371b5c262b28e033dfa7

SHA512
a39be207349a64f99ae2a7500d05ea06ed63f729d8c30af17a7eca2dbd6056e374f76cbce2bc1e7ee9d311bf5f5df8b568f1d98312aa9037d1196163b7c873f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D8F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
351KB

MD5
ed150ed3902a24574156bfd5cd1365dd

SHA1
8434791b9927eaaaedf8aec834985273af83d1a0

SHA256
980b9d9a18a573637579ac597018c65db98e455f380d5b2cbb09c116b7fd43ab

SHA512
55e9f05192bef8d2dde237e34efa6c85beb557359f9f8242bf1c21300607f7cbad1e8dd00f2441b0d8559b2a188023dbf7e061d6f9168216d8ed65762ff112a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
519KB

MD5
fd6d6c851dfb1251343912797afb15b1

SHA1
844dfe37d805a2f1900ad55bd6ace33e31baefeb

SHA256
f05beb98cb79c86700a0f91c961c36a798e78543ee57fcdcdc3deffe3e740126

SHA512
04432f0bdf7726aa3ffab02908225ee0fcf4d4f1431d3bfbde2e2f987715eb48777013105604bb7787eb606c56e66f88cf6b569f980ff2cc696bc4b26c2edf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
567KB

MD5
6c1025c80fc894133f3472af0f60de08

SHA1
73bb0a0f69065372ae0dad2344fedf8e2b739cff

SHA256
2aed06a84656e5a220538be29e1452ae61a4601182174d7862f6d2f33f2779eb

SHA512
96acff18d2dd77375aba828b7006376b78cb19a98c418dcbd51765f98cc561addb9cf0e877a6eb4815389a18a4578788ed28f5de57cb82cea9de1df8c8f4a4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
371KB

MD5
cdf36dd6cf27bb00a07fe3a6fb1b6e9d

SHA1
9c1c2864c423aa2167287ae61cca8f2632e0cfe3

SHA256
6c801c47d7fd6ac4d863aef81d8fbfeecdded5e880105d56da71942c914db6b1

SHA512
3f2a739527d634539cff48c18c3dd848f696a06ae2a83d03bd7ce3b48d8d24a8ce531327f565bce73e5452605e50215b997b24be6921120f8aa511fbf0551b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
509KB

MD5
4140c4c8d4c7a6f2fdcacd34d069ecd9

SHA1
768ac49aa3a47b09336f49ca81bef322e1457671

SHA256
b8b906f946bd557982854b270259774fc1886dc13169298dd45b1ba3e06ea9f0

SHA512
9f8d80fcd67655ef7acf767b8d88d38dfa89fe00e18133db866a0ee2568247df52643d6df19b33929d811c8f9807dff7c606a976d83592af84581c4926ed9d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
422KB

MD5
a439b159863e9ef4e27447fbf045f8a7

SHA1
6ebe82d2fb109fb17118edb65ae445a1547984d0

SHA256
4373fbd743ecb08c6ee6f7f3c838790b6baed5f3aca2001be31b5702faf0dfce

SHA512
6631deac491c630d7f1e800f58e71054b641a6a5e85091eb4a29b288cfb37ae47cd2c9b5bf8016e21a8aafe1edad94f5413ee91421c039fb7d0e3199a0b8942e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
539KB

MD5
1d6431cadea454b4e5ce92e235715ebf

SHA1
a081f679dc1569c91fc8d44d275824701e17cd56

SHA256
8542bf5ed2a22e5ac5840b3fc9a2f0bf3fa06f8e97a466fa1a21c7bb00893c5a

SHA512
adf8bbc1d23d87d5ab80dc8c535bbe943af6214644dd1786d5cc84568e46cca4bcd243676e9a7dc69110e955f7a973acdb8192966b81045e332315d18f83754f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
525KB

MD5
9ed952d443c16d47178f3a8497d315b3

SHA1
5c13b7b791c2a6232b7ef3f48152d1e8e4bbbeb3

SHA256
55a3656b75d77eec20afda59722332f0a174d5f1662c013866e0df95cfc508ee

SHA512
ca72d4bafef9ee0a6b95258c42aaf247d4f69cda14ae18918e6949f26871853f9dde9672c31d0606a2dd5203e65b58aa4bb9952aafc6d8923c77b68ade031f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
355KB

MD5
9e88375bc499ac0836a614488fd55769

SHA1
5f02ae7660a0c13b7c727ca8a1f36673093b64d2

SHA256
fb80a884867de61a987791ae566726a8d0b60f6776791d698b2ce65e26b65090

SHA512
88ecef9ae9f258a6da7a06e2a399367c34ea5dabb5425474997e0aa9eb67b3399adc4738ddaf7e7a8708a214a9dc8c3cf2023c5e0e2ab499f6402efb55a69962

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
544KB

MD5
91c31345cb0e231e3d6f9da0e7c28cbf

SHA1
af54243eb8b1775ddf4af4e5782469bea962562e

SHA256
15ec39a68a4f6a8f4fce168fde7972fd814b4b8c68130def25b0aac7ffb9d2bd

SHA512
9a35dea0481893ca383303627b9e11746c7076c71b2780bb032a786bec5ffd300b2566a8fce3e23be6013dec0305a7c9b33f044f16bb0f7344b04871e609c69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
300KB

MD5
a773db62ee14db6b54ef673311862834

SHA1
d500bdb3207fc34ba24fd611504e5fcbb50dfbcd

SHA256
0258a0b958f6c861906a7c88b01a498834d24b887a7939c4f8fa5b9f7fa57103

SHA512
b4a14525091396ec842bf4b51bef51d7b17d1972f3b8c03e77e3c550953790973c23b4a105b4f31426d94a8ff8823c62a4d20763d8ed0cbed655a9991608d939

Download Submit
memory/1704-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1704-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1704-46-0x0000000070B30000-0x0000000070BC8000-memory.dmp

Filesize
608KB

Download
memory/1704-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/1704-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3804-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4740-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4740-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download