73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 02:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3188	b2e.exe
4204	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe
4204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3188	1168	batexe.exe	85
PID 1168 wrote to memory of 3188	1168	batexe.exe	85
PID 1168 wrote to memory of 3188	1168	batexe.exe	85
PID 3188 wrote to memory of 1484	3188	b2e.exe	86
PID 3188 wrote to memory of 1484	3188	b2e.exe	86
PID 3188 wrote to memory of 1484	3188	b2e.exe	86
PID 1484 wrote to memory of 4204	1484	cmd.exe	89
PID 1484 wrote to memory of 4204	1484	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\6CDE.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6CDE.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6CDE.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\79FD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6CDE.tmp\b2e.exe

Filesize
12.4MB

MD5
3c6edc5ac42c9c216c04ab81084ca5a3

SHA1
f721ab4f0680bf4bb133b8d7bf054e5c9587cac8

SHA256
4d66120a98986bf2c7da4b37f7d4060d79e85a18da535b24a83fb7017708a4cc

SHA512
d691b0f7c42be3f5bc27128545ccf6838bf7adf14ca273adc6c557b3ddc4972b847e45ae460ab44e8108211e61d9ef8caf96064893fb74f195bda574d9af14a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CDE.tmp\b2e.exe

Filesize
2.4MB

MD5
000f75482a8f3c361e1ef9b58a16ee5f

SHA1
4e67fd460b9fa59dc5c1147833ad2f40f94d0279

SHA256
5143fc3449d84ea5cf510321dc92e2e28e68385863a6b07da646a406b53a875e

SHA512
fe72c633e123cea33c480746a4534fe6228f2c1f6184edbc75c144a201fb556ba0d68415c2abaa9c844a39bb900300f24476e38a4e13825829da54d629eaf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CDE.tmp\b2e.exe

Filesize
3.2MB

MD5
35d614acc52ac1f063676559357ef3a0

SHA1
38bb0f406b81b4c032d7958594010287638ecd96

SHA256
397dbf36993a3df62c00ff4c243d4fa121db1cedc849f2463fde7f4b6b8005d0

SHA512
0c20d72bef049a19448ff7864f4f57a113dcbaff81dad6c45b4073cddfb9e719f5053242d98d312263a7bec791a002f26c62a24b83fc755a5ee1f47a7f8427fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\79FD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
114KB

MD5
a940afbad760b7ac3f356b1c1110e204

SHA1
51809afa594cd64429fecfad287838e67346528b

SHA256
e31890e89bcd81705712fe2760f6f2cec1425e0710c834b2cbdff92aaa25e810

SHA512
ff5fe234181c9aa380d77836f9fa09ec23703a82b3163fb3ff4719decdcff9507b97be3081c676c8bcc2bed4475cdab364a5f019cc86aa69d7d4312c45bf4af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
233KB

MD5
e56face066777175104ed781a1f07f82

SHA1
1439e022dee1ce3b621059af7c6eadff62a48ee2

SHA256
c6b4cbcefb1a2d778693e25ad2f626e8ca2ab27cfc5f252cfdbecd6b44209e96

SHA512
1e0ae3918bbbd06e87316d3c8f8b9c627bad5af6866cfc5c5a0c563320967b6551eb5e902cf77dd064c6c77582f87ef4093e2f5b1950d4af4cb842e44e80d346

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
158KB

MD5
8d046f12b9a4b96cf69f20817c8d5fb1

SHA1
1ea2cc0f5f0b4b4bf12b6acdbca39cdcb3d205f6

SHA256
60e691ef4e57aef47911681f6efd39f9f80751fdfb1a416de54a256656c8dc62

SHA512
0137f94331d540e16bf8283e59df1c0186112d23c4d1b463c3253ef06905c056f68c3e05a85a90c78ed6f594b13b487bf080589a7b015e32f0793cdd10d5c4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
206KB

MD5
27aacf0e25256429aff35a0f22d844eb

SHA1
e4ca37d37aafef73f521a669ae51c75b0eb04fe1

SHA256
4782e2b3252f16c6c36c6123f4f96df32b5f66a701e81f7fcc34e0f1b12576c8

SHA512
34a9edc940bdeda2445ae5739925cfb78537949907f0e2f3fbcd740da66e1182fab1fc44d9e606fcbf69656cf10ca30c3738b0b5222120e27cc3c425084d4653

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
209KB

MD5
ed72b709f70a44dce398b31d3051b177

SHA1
110054d6ff25668cc24da8383f69880eb41d95b0

SHA256
9868d8b11d98947e7545e48a948d9b361028d51aad1c8c8dbf3dc40b8f0ae9e1

SHA512
d7594d7462013c2b3e8c1270db92554ad1c2341455e643d7f6eb0fcc6d0eb1bb86b2ca10a68750cb3339a87623c3e561948b0eb455484ba300c814e0103deb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
134KB

MD5
bc827eb2cd58bb2bc171a1247a3edf93

SHA1
b9b3b6afa9a4d5abf28aabe09eadc6af2c778f37

SHA256
30c6dbd27eac8c1735dab32146fe6424f67b1a9545c71d5bad15a4dd351e232f

SHA512
81fce551fa19845e0b8d1e3f3ea767a8dbff198196bfbeaf5ca0361bc2cd6e1435fc47b361839fcfab3bd325223cd43b600395c013c5df7d00daa424dd409bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
166KB

MD5
01747c7d649d5dd5531b4b37ea25663f

SHA1
3266d73a7a1bc0ef6f5ddc7a6d19158428550303

SHA256
3286a10ee1000232b15ee01f53923e20424141925ce75e1ce73289aae05f921e

SHA512
86152e101f44abfdb31f626e36ccc269b25043dcfa48f2626d90e525c32fa9bd8c27ae12f5020705cfc86a0b87e9ddcf72408e2437e6e0a861c72d49775f7c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
671KB

MD5
d8a649cdf3aebed7abf366aa6d514719

SHA1
33a78ad58cad51dd785bab7f9d89988de31fb47f

SHA256
c17b7feef493689b77a6038259a64ac24cd7cd5fa1970f114ceca4b9287f4d50

SHA512
542172aeffc2290e82985e067252e522f4de816ed2bfd00297a23601be7197365fe0d8c27946dcb651f4f0ee7b5cdb0f2dcf32157f2eb5dabca386258317aa8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
889KB

MD5
161d079cedef30cb730b8d172c6ffcf4

SHA1
bb5132d648150d42897e2baf1ba672e0c14af5cf

SHA256
31fca8b75dc2c2ddf8c467b64a0f3d146f4ba6405a90ac664c8d38460669af37

SHA512
6116044d807d93e83954c239039c15aa25377ea85b63bb4299a906297a6f5645d4f438389129cdfb8fec5b3f42f11035651d05550c1202f25c30d712cf2e6724

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
127KB

MD5
f65ce86ca454d8bbca74c7aa7c9c932d

SHA1
6104334351edc66b0d19b44bb9b7c9ecbd1fcc61

SHA256
d82f91792cc2ce73cac3fe4e38f62cd0431df48eb740e232264e65645a332071

SHA512
66199385ebe88452d6c59c789e9d23dea0e0d6387049de9ba0d237b35ab79032eb996772bd00b0bb276e01c56c95942c5a4731b7693822d1d58d59570768b94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
197KB

MD5
2ebec7e21db06f2cd179de1d54f15e97

SHA1
8d2033840a02f1974f1c2e95f34913f43ac79ab9

SHA256
95d47eaa24360eda01e02a87ca9ab0720fb6045ad104b88a0e8b30c5e50f54e4

SHA512
1798dfa1882bb0a6da4c9a7d21ca4b79c048387b2caaa244ea9980dfbfa4bf26fa3bbf26d5b13223fdb454549371d0c77e8c59abb0a4aabcaa506924088fb17c

Download Submit
memory/1168-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3188-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3188-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4204-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4204-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4204-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/4204-45-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/4204-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4204-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download