73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 01:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3560	b2e.exe
2612	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2612	cpuminer-sse2.exe
2612	cpuminer-sse2.exe
2612	cpuminer-sse2.exe
2612	cpuminer-sse2.exe
2612	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2524-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3560	2524	batexe.exe	87
PID 2524 wrote to memory of 3560	2524	batexe.exe	87
PID 2524 wrote to memory of 3560	2524	batexe.exe	87
PID 3560 wrote to memory of 2672	3560	b2e.exe	88
PID 3560 wrote to memory of 2672	3560	b2e.exe	88
PID 3560 wrote to memory of 2672	3560	b2e.exe	88
PID 2672 wrote to memory of 2612	2672	cmd.exe	91
PID 2672 wrote to memory of 2612	2672	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5033.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\b2e.exe

Filesize
6.2MB

MD5
34333ba897bea70f2551d9a780ca9ccf

SHA1
03601a8efca7a31f91ad5c26f6f690738b0ccdaa

SHA256
5f5f97d29f72f14723126773da106f075a88117ea6e86edaa20f0f0c64f5821d

SHA512
8c00e5538941a01ad548813b1681bc0946dd1001e85050d5bb1d22951c97c5c4f232696ac6118a1a769333c9faef1665f74f60b47f4c6f454f4d53bfc4435d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\b2e.exe

Filesize
3.3MB

MD5
87fb35460d088f92df0066808f4fb211

SHA1
e1e29b9d5b044b5010bfba0e87d26190cf233e62

SHA256
9fdbf80dd168f2fcb58903be87ee8cb24ed5a3b093363bc9ab3dc9a02d680a84

SHA512
824ab2e50ffd5c051e5794ed77381da1861a78f0d8329cb5c2cf161965af174988b80764b4fe7fc4a3241ebe854cee3fee7d5d413b42bc42297a18b70cf44fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\b2e.exe

Filesize
2.2MB

MD5
b6a558633dc13e01c86f714214bdd894

SHA1
95921cb72467d2a69885d7987fa6990ed3756e81

SHA256
85cd30b679653b5cc0ca0c6cb9e56e841122391168a2237121da79b28b9fd507

SHA512
d55e570830a21e8ffe9d7a769576afce67fa05396d4450818bfa45132e1f10e5bf8f10026e9fa621f0451f8908d7c9bff9590f64a85d5048af173f5e529aa7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5033.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
272KB

MD5
cb6b1eba54ec93f88e91cbebd92de9dc

SHA1
c9daa24bd5441b661b2fa699b109de7b10fd364a

SHA256
dc22761fa2786d1a65f297aa1e4819c9325d0eebd53cb551e94600f9360b9ac6

SHA512
869050e972bb2f523cd3b2e207829796bcfdf2b0f2b6dc949e049507b2b7648eeca5bfbb5ea5229ef11bc074f429b324990d80a4cdbc4fd4d94ed096134ae484

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
145KB

MD5
e21dd12691662aeb1812cb4fa01188e6

SHA1
35ed2e287763dc7bb4f0b14e2f3a67798838662b

SHA256
9dc87e9565e5f3300c7639a67c47f5514419e03800c6a7ea498f55aad406a977

SHA512
b42880bcfe6992621bce247f20ac63ffbfd508d1cdb5ee7fb52d3034e62cdf672c95897984d8e5bc8df83acb79eabc3933a1134b9acab67d2acca015aecfb6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
9d7bffbb51b9f40136373a3c282af178

SHA1
5c87ca256ae52c1e6826099387f438fb16a441e0

SHA256
9ba3f677e8ed7063a697acc0586c7cb8de914d7aa585ca8ccd5d2d461bd2e67c

SHA512
12792431216c794d5be4474c90e734d00bff650902a92da4b2ea08057fb688e9e922dd92e904205bf881df39374cbfe54177f4fff30177093b5c8de49aba6323

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
234KB

MD5
ad291b1a305c8a1461cc66cdfc9bbbb1

SHA1
eb390ce0341d333fca2683c31a59d85a6cac82db

SHA256
1db9ee29eb3d19aa0802c3c6028d9be44b3aadc6c6cde338058037ec83441881

SHA512
9d20cc309b8ee95261e6afd9c1b8c8899df45fb06d17ef1a486848f18d22637368fdbee8f99efba9f5284a00c214bcf54b4602945601c98fe66b2253396b9a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
109KB

MD5
a48e5781e087b37f42a1d84dbc3a9c4d

SHA1
2efcd983be905a8dd69738d225de1e09286eeb6c

SHA256
39b88d953ceeb217abdd53c8ff5eec5af8fdff947ef53a971731123b45ea266a

SHA512
ea7492d28343acb23f6f6bc1366c81b093d75454d0a4927f772dc35cb35ab2bc7c9b0fc371e048219e9515443a5844725f9628cdbb7f75be01aec7d1679a88f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
192KB

MD5
d73b46cd072058efc54c4b3885f47e13

SHA1
84771c2c4f5736ac08497737cba2a8634d9e9178

SHA256
3f62bb203bdcca4e489401897e0558cf33ad6fe890a9987f90f5c3894b965b34

SHA512
519c91b5b5a82c5a755d7d4295c040cfb6b0f029eb088a6bfc428db11e30d7f954ea6fd6de9b083d1781e1142737ea39572866ab5f669848dff7ef0ce34c79c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
262KB

MD5
1895fc9faf9ade5e8ec52db033b98af9

SHA1
c16d7e4d92566a9a50009528a521cf59d24c6a07

SHA256
f1b0954b2f579130a43839dc712b93c9f1ff93354082b40114a80414ded00375

SHA512
ee88d0a67b0ddfac6e48cddae0565f9943fd6dda484e70f10baeef9f113497fd46cb7ad3522a0b0439a251d76d0438352f1ee82ef6563186927d8e28a6f6d4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
154KB

MD5
5b9b492bebadd378ed3642a877993f4b

SHA1
87dafe3e0269747ed471b2414e1fbcac0dbb82e8

SHA256
6fe76daa47533306e2ece6dc79ee26951584c29aa75830d895e77ec9be64b157

SHA512
074d7ad55844ba5c3a5215b9d086a9d7e990146c0e2a8152db92dbc8902324c3ba5a19c3cbe4d9b81dd957eb3e9951b52f5dcd1d862a92716784d0ddd8c3a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
112KB

MD5
059b0960ebcc7cf20ed3f31e4b7a4173

SHA1
5cc522e35a14b6cbd23500b0657ab0593339a6b8

SHA256
2c6878bc59f9ce1931d41e95e83735da5bdda317d462f66ce0678a9ab8fa9afd

SHA512
8309f1a0a0a1590600b4084562085f79543b927c6e03edd2a44c20ed32d5e9097a0a392254b2d3b987f2bf0f3fabedf9a35ba54aaddf23daeb6f3f77fd043f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
107KB

MD5
df4f66b2c2462754f677b8855d38be13

SHA1
eb5f410cd7c666bb3447b08c197c676cb4b90f11

SHA256
ef6f26d9d51e31c1401230187dcac89e4c600609a2d49cc2bf05c7977f4361d5

SHA512
684b19d8dc5644519d4af79d7009e94eb12ae61e1644d63a739551e99d796c7aac7b226f2c0830cd29a515423d0898de6f648596a94d7fb05e15bbf772f1d70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
141KB

MD5
461207bcbc12b2fcd333ceb22761bb92

SHA1
0a7c31f2cb33f9c4d887f3a678d23a254824ea02

SHA256
9d36b7a8d7a98735129856540fad6960f8ac31939bb2bf67bfb3ccbfe3a45e97

SHA512
57f183d07492470808f906c120069e50b15166f0a445785f2191383463e19a6931965695731dffad4069cb7aa5bfe5fb2f1833f46c2633f010022163567e2b9f

Download Submit
memory/2524-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2612-46-0x00000000609E0000-0x0000000060A78000-memory.dmp

Filesize
608KB

Download
memory/2612-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2612-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2612-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2612-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2612-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3560-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3560-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download