73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	b2e.exe
2528	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	cpuminer-sse2.exe
2528	cpuminer-sse2.exe
2528	cpuminer-sse2.exe
2528	cpuminer-sse2.exe
2528	cpuminer-sse2.exe
2528	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/752-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2176	752	batexe.exe	84
PID 752 wrote to memory of 2176	752	batexe.exe	84
PID 752 wrote to memory of 2176	752	batexe.exe	84
PID 2176 wrote to memory of 3688	2176	b2e.exe	85
PID 2176 wrote to memory of 3688	2176	b2e.exe	85
PID 2176 wrote to memory of 3688	2176	b2e.exe	85
PID 3688 wrote to memory of 2528	3688	cmd.exe	88
PID 3688 wrote to memory of 2528	3688	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\6A5D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6A5D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6A5D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74FC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A5D.tmp\b2e.exe

Filesize
4.1MB

MD5
a0601d2ba900b5f8684ced419af24bd1

SHA1
91ad7ef3283fa64ff57c34095b9c35f470d63b6b

SHA256
e9f6b462bb0041edf88c916b3b3d453c5784377a89eb40380e75915c9d6b0fe4

SHA512
6cc6b840d2bffaac11b2ae744a7e3e7ff720d09805199593b7d86a6f9c8aec3288ae63f67ccb8e491836220067b08712d9ce9f80a7537dbd2e894d01ae49a424

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A5D.tmp\b2e.exe

Filesize
5.0MB

MD5
cb0b0c052e1dc33e65d6181636aaba74

SHA1
2281fac7ab98c9ab66d0629a7994fbeb295a3bea

SHA256
38484c644c358c0cd697fa7cbc1dabad85a5efe5fbc22d258031cf985276acd7

SHA512
e2632dd9f9046c08000ba60645ea6378fe4bfdba29e287922d012f23ee72392ba446a89c2705ba94df79b65dcea4b00a215f03610198ec3606a44d345b8d2008

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A5D.tmp\b2e.exe

Filesize
4.7MB

MD5
1d6c96590fec9e4d752d34441c14e1de

SHA1
af054f3b150a472fbfd2d7f8181e35758bc4985d

SHA256
fc3d2aeb4c2288088d5c999d0fd8a1c91a2bdc912a9fe0f55fc387d002fdbf76

SHA512
a595bdd9f3d8d0dc4b7f0ddf59384d66d1555ed953ae283cf4ffeb4cdc6b1cb4ae4f99dade07a0134ae5b4bbaf1a851a0c43ae65f87aca1172b9b690e95b0172

Download Submit
C:\Users\Admin\AppData\Local\Temp\74FC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
913KB

MD5
650417545f0ef2201cc935c12faa0603

SHA1
f09d7f5c1bc3d59c793ef0201ea80abcb4b4287a

SHA256
ede0692ad820299b354c71e88c0ec6650b4568acb390fa1dd42097d0b62fb34c

SHA512
faa7df34a25cb4e6b15cfc14ab0ff65608e6d0f412369114d98165c14c9f3366d1ff9466542ff14182bf01e734a0eba8bf36709d15ca935caef2d0973c7702d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
03abb6477e96fee16429e9a81932bd20

SHA1
713c659f714c539effa6357cb3fe541ff70652bd

SHA256
d74d29096bab57a68a03b85d9442d9839671584923ddf2b828c4d3d5d530464a

SHA512
e9f6640655211d0ca9fd200b7e3ef7d0f9fa2b56d6e5db37ad316823d2d7971e038a51a7aac000c4317d45ac4d0547663bd4368a1e0d42eacd9995fe8429743b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
778KB

MD5
525b55548ad64f9ba7b696dc5f31e5bc

SHA1
a694ed7ebd379852eb119857916b274c89d735dd

SHA256
e58d69995e3a66fbefe7e8bf39d7344d07c5b0e97f971e148defed15a17f3791

SHA512
cedc6a7eeb4f057676dbbbdc426138cc6ba7e40601d0523af9eef2f0e5b1217221b2e13460df9784edcd1f6cc78821d22241a802fb7d2eacbf2cc08e5409c362

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
757KB

MD5
a839f3bbfc2c6447820ec1659abb60bc

SHA1
9e4b9b6ebc111b9ee300235356b0fc5e3bcc5a39

SHA256
fb8e3cccac13b0d00cc3bda0b056f2e04849c9b3b7ada4159dd4351ef425c169

SHA512
6820529d7bad5ca10cd070b998d06fcf06496392ad92d43db99a22cbecaaab9f51f33587751cd6ec6c96e774ea46cd9866c90c82bce6defaaa16bfb3be26cce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1013KB

MD5
e823809c7c985af9466553fa61baa1fd

SHA1
c5eb57b9c9cccaa1bd8d9d5ab8f0f3731dae4b1a

SHA256
87c5e683a7ec8ff1fd64a756e6cf978534591a87edb6d5c7d26be80e245567f4

SHA512
97c770ee521a3e2e40d7e44be493339f1fb39db7d86dc52dea7e33a2bea21f77ab250d9caa7318c1f613b71aa9a00a2260a86228f83e6c120c10dd1e24f9994a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
900KB

MD5
e41e2aac44042cfdbfd49d6def19f22e

SHA1
77a57189b64785a18d69d4b28a5121a654b49d8f

SHA256
c18296287ceaad16ff61d85f2cf0509defb610d95992838df108bc36f208ed19

SHA512
3b1eb432b0c5854f43a91bd332ad183af11c2b90b087b21f51acdd468963c6d81fa8bcdcf07d36a422be76e02c8be64dc15754339e7ae527e97e399134466d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
937KB

MD5
97892601e047a6065e38ba68eb04ec10

SHA1
42656495ec9ef6052de0632a98460ef821002990

SHA256
0fee56ef95427cd8dd6e2b04ab53ca894e4505ef77c9e8f07418855d3428d6d7

SHA512
8c65a985fe195552e21405cef399463482cf52de81abb1e0c82a2ed7f754ac1f39645b53e03cb249f13722e84fcf51c940102a0bafea0ebb13e2dd7283089a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
843KB

MD5
b7798d3fd5ce98977b327ce701271b7c

SHA1
e1d5eee5444349e0d7b3a45714aa3f1aa2d638b9

SHA256
b813c1e59c23ebdeeb245dbac9fc69ffe271d03858da7906191e34ff6ea73bf7

SHA512
9ea952fc9b68b4039f37831e733a3ffa07c863fd61f3318d538922b8ee18cb60951a0f4706a391296841b4e5e6c44f29b8c00da73d08e73975431361c4506dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
7bb70773abe6685dd979ad42140880ce

SHA1
03f9ea940cc6a0df85513611f58b8d726e147485

SHA256
3d8b5b71cce85563562ac11b5aba2bc71f8ee2da8234551608cb92db3f1db6e0

SHA512
c95ff372f3348dee22913a483ae93e5a3a1c92bfa961b4e31a5c2d354b6cb2100b6ce9c330c9ee74baef39640d1d4e1c9e7529bc3838e8aa6bd8c602968f42e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
557KB

MD5
a2e9faac5486557e6fc8ebc6818bbb16

SHA1
b03164ab0b6b7570140a44621540a43de6b64def

SHA256
1c5726c4f05972fe729f2f7431c833cdb154368a33de751e610f40a3142e8d14

SHA512
e3e2b6e16d84cafaa66660ba49f4ad141ea92027f5772e5889b1aadd649ac90114b39dab19abf8134fb8476258676de7b47214f228edfc93dd90b674b6214af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
482KB

MD5
53f38933acecdf597fffcc571ed30779

SHA1
e283d50c62aaaca331562c3fba469e36701d051f

SHA256
8633e3d4cd15a19f16f56b2537cddd6de3c44a2b3dc77fc53dc1e9d0557e7605

SHA512
c9d75e2eba0c3ab996a98e61ff9856a92aa41878b352286caa3b9e971c7ae4c7940b3884c203b16fbf976c34463a5598349601a8203646e5f695fdaec20a515c

Download Submit
memory/752-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2176-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2176-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2528-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2528-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2528-49-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/2528-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2528-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2528-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2528-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download