73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3180	b2e.exe
1696	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1696	cpuminer-sse2.exe
1696	cpuminer-sse2.exe
1696	cpuminer-sse2.exe
1696	cpuminer-sse2.exe
1696	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2128-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3180	2128	batexe.exe	85
PID 2128 wrote to memory of 3180	2128	batexe.exe	85
PID 2128 wrote to memory of 3180	2128	batexe.exe	85
PID 3180 wrote to memory of 3988	3180	b2e.exe	86
PID 3180 wrote to memory of 3988	3180	b2e.exe	86
PID 3180 wrote to memory of 3988	3180	b2e.exe	86
PID 3988 wrote to memory of 1696	3988	cmd.exe	89
PID 3988 wrote to memory of 1696	3988	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\7819.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7819.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7819.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\850A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7819.tmp\b2e.exe

Filesize
6.2MB

MD5
d5fb5c4dca0c6da46b51ed4d419d6595

SHA1
8823915375e4279a74349b16fd7381eb4d30f6fc

SHA256
399d4c42f594627d893c82af357a4b2ef7a125236fbab80c5f77783317cbc129

SHA512
8edac651c64ff7111129b1f646938268025b25bb78d9599d4de4693a33a7aaf23d845152c7e27971dd7846841e5b691fa82b74ae3a5e817c2c2238ba36d1de42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7819.tmp\b2e.exe

Filesize
574KB

MD5
2fbd5df2248d291b0034e24aaad9c352

SHA1
d23e20ae10a8decde7d40d5cf9bcd6e533b22282

SHA256
69109747e5fc62b1d6f402143a10ff5c4aa09285926cef686d22a2f42aa82ecf

SHA512
57f6bb2ac47727d0d1bc0968c09197b2d3964471d5c7a841d36dea81ea351c9f2fb423b06ad42c581972ed2032ee5404559868a1fedc964ee3e75b8cd39d585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7819.tmp\b2e.exe

Filesize
192KB

MD5
6ac4b534a8945150025756c2f85dd2d4

SHA1
4f8633cd78b9248d5885e75ff1b26ef27a196ad1

SHA256
2e07e008a86c33e31905b1f49b18245261ad08ed3463c6750d63502e1e20e43d

SHA512
303f0cd104441235da58583af1597994df43d0a2d55d6245e89fc7d8f2509915525925277636214722e922f2939c93ba95627d54a18105d6cfa8e606b2f3c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\850A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
237KB

MD5
9fe6233718bb7dd114e5c85fe7f8cb75

SHA1
ed22d2fa851fe3466c80f24ff184343ef72e943f

SHA256
e04e3faaf4233698909029cfc846ccafc20aa96a41f9a9ba02a068f67faf331d

SHA512
e5a072cffed86553d242ab7bab617637132e91b72e5cfd44fce7b050fac132455924aaf3bc06464e21638d39ae53de85304c826b1378b725203deeffa130f746

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
143KB

MD5
adac56aa75bb3865e993af1c957f7f1b

SHA1
9ef65be98abe25097cbe2ee13315456c16c87f56

SHA256
f4203631ef867992935ce2ef206a913e46fc1af6de770b53f8eb49b358298c27

SHA512
91560057f622909549211923fa8be10032ed9b5152a4d827db619bd9012384ed9a1b223abadcbca6e4db8ccaa72a87e975f55d7ade451047df97648f17f6d1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
57KB

MD5
e1decfb90b3eaca98b405d96c3f20dca

SHA1
b64766693a58cde8a9a2e6abc6f826de9ed4f904

SHA256
bbf5f3ce3eb31dab5f108303948c582911dec01f5dee104c29b7039698bdfd1e

SHA512
07c049a8469bf3e0302c9d8dd79f9ecd2cab235f3c9ec2263429aa6e71d6ed280cf1063e726bb8b841750a87536cdf2b193c9651dd1bb2a98f76c7cce67f3607

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
112KB

MD5
672bac8bdb23ac4f728234b23127f6f4

SHA1
e22a965918b7eb2570256170a7a92a259790d8b8

SHA256
a041fb529467ad5205ff08bc7e6afdd62f48d1f3cdad3c2cd67465197fe7d00c

SHA512
8724dff128989ea0791338adb3c5852f32ca2aa8f10ec642994a06df67146894b858681ada1c5448cb116c33a29c6e8f4e9020f0efbcaca5a65e380bc02bcba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
38KB

MD5
869513116f2dbf00e71d9d0140823f93

SHA1
8f4fddc7dae034be4b271e69866bf00fb4cbb225

SHA256
4c7efb80a81ed1eb8e8f8fe84823b644600346b068e2e8c18394709501d8186c

SHA512
8036ccd1e6f9fc9a4058614d57538c7def221872d4b4177d9fcde71aa55b5ab0b3d6c6ef28703a28af43b0268ea1c6af247d19dd61718eb6540799f830de1de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
56a6a792ccc77da605a9488fa0f4e31b

SHA1
f00653135d93219022c0b1ea8b30e4b1030ed2a9

SHA256
f5ce9d3e79710e56d8d73e70480f8f1fc47583160700d19d0d410cd40b5c80c3

SHA512
c67f42a5b1cda15f6c87fd9b1257ba3bf098e69ad0ba41bd5d08ecc40e093960d1a4aaf2bd0a33f5561de18090ab250f4c79532fd495c57db1e8107f29a68597

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
29KB

MD5
8295b217623a35555da0cd3a095fea42

SHA1
4f0eb335ac5d1f652164fc12c2c2c5ac16ee7a22

SHA256
ee55036a01c2b206e0ccb5abb9e966dc6d7070ee3657c19b28ed71c430ca78a2

SHA512
91926f87a1037110aa9ddf8ab0f7d9d25728b214c21cf5c3d72c64653281edc4ee15ec1b46b63e4851206dee5b0cc55a2af83a6b367753b7fd7f211cb38829ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
54KB

MD5
268b3429702142d0c1e8ca8f6c9b7d37

SHA1
6addf181bee54e584273a099b102c2d676596dc0

SHA256
06b3ae69c19cfef672ef94272cc73f70d215c73cedb00c45ab9dad8ff4cff13b

SHA512
2ccb4d0555537d14ca946580d6ad3cb2d1e68cf3fa6d1c91e81fcde34a982888ff7ae41cc014f39f64c3d9a6fe2abff9ee8f1a4e28043897478ef416f33ba9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
87KB

MD5
9660cd6ed4ccdc3a8c78009bc3087ec2

SHA1
7550fabb790c8aedf1c36461ef305983c93817fb

SHA256
dffd2e46e6b9c638820b9eb02f2c5ee94a03ca71c12d4701fbd97bd53c89d511

SHA512
9c33b63f499ed49fd1dad0ff04f5dc2076b48e1e10451b3f835ef0ae094eb13204c401dbb3ea6d2f49a6f28989061b7040ccd01da736492d8e5be7d73997373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
24KB

MD5
1d97a6c7e75c1dfcf0b21ab7f469804f

SHA1
f0a0475d0fc9bcc62a7382691f2d77e377fc7b54

SHA256
c3ce4b1177126da53ac2a40b8b84618ab0b7bb6dbd78926e309c8bd8d37a6b03

SHA512
ec8ef4a0680c99a1b78110eb1c66f6e44f015c642d4916610b5306c28bf1c6d69c903dcfcb51988ebbe608b5e37933e41580f2c47ef6bfcf27e0e4b725f6a6bb

Download Submit
memory/1696-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1696-45-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/1696-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1696-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1696-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1696-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2128-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3180-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3180-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download