73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	b2e.exe
2916	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2916	cpuminer-sse2.exe
2916	cpuminer-sse2.exe
2916	cpuminer-sse2.exe
2916	cpuminer-sse2.exe
2916	cpuminer-sse2.exe
2916	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1988-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3060	1988	batexe.exe	84
PID 1988 wrote to memory of 3060	1988	batexe.exe	84
PID 1988 wrote to memory of 3060	1988	batexe.exe	84
PID 3060 wrote to memory of 2904	3060	b2e.exe	85
PID 3060 wrote to memory of 2904	3060	b2e.exe	85
PID 3060 wrote to memory of 2904	3060	b2e.exe	85
PID 2904 wrote to memory of 2916	2904	cmd.exe	88
PID 2904 wrote to memory of 2916	2904	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F6A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe

Filesize
6.9MB

MD5
af408b23fb68a72b39c093c225604cd9

SHA1
6fbd39519b45820c829144703f724698d3bc14e3

SHA256
bea5cc0179a71e71b0ae296d28d8fcaf0ffcc2147cc1e5851b160745af5cb8ec

SHA512
26d74bfcc22041a312d81e65f55b9fe2d51475a4b052f4211362d38894bb625918453118cbb75618e5593b104daf7b05fe8cc8144e5da3028c6523371ca5b472

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe

Filesize
64KB

MD5
3e63d8d147aec3c4d5e3e08d79395350

SHA1
633cc399218c2915b895a83bda89bce9f37e39dc

SHA256
39cc053a2dc8074a4530b02f00bd8bb723e52196224d978d9aad3b0f75740320

SHA512
545308057e5ea490e55f5bdd7fbec20fd954f847cae6f60460a4b135bf76c4c8502d922768d8e3a96d29d4c3a513b91ebc40bcaf5395de2c50d4368fd46fc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.tmp\b2e.exe

Filesize
4.6MB

MD5
15fe147adb4bb214ec76192f47d38674

SHA1
e4b565b43f51f9866e12ebc3fea50dcfe79f1ad2

SHA256
f93a82d13e4ed6cc0f0faeb62e02ff51e9e04bf26c4318618831d44fc6f6acff

SHA512
d7ec84bef8a06ddef92fda14f26fb7e2c327cdc289d8328d4106b8a12847038dbd053369aab780862bd9f86c1988a0508804033ca11dae1f297d75d8d838ffb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F6A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
106KB

MD5
a09ea16ceeaac16c5ea74c61f5c6aa05

SHA1
2bc5980b6ef49875c2f1267c2765974d905c6584

SHA256
da9ee92322ff1e4382e755139192f564bcf4b06f1a5f3008079797acc817df88

SHA512
9b67525121f9c53f7f5239f4bfe7e2543077b008e8beff3e8c4199fa3b1ad19de92c752f6021c4e9f2b0d806932aea15554bc0577f8da40864fb70338b8ddc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
131KB

MD5
802beaa4f93c6d33f2093d32f5f6b813

SHA1
2c406d4527b89b008c2c15ea91a7bf4fde2ab982

SHA256
96ed59bd2f3003b7ffad82ebeab33869e2e148f956b2cee7b3b63fc02c5535c4

SHA512
24f19f0c7bfa1d9275e150e0dfbf8f6f64fd0d17c26a842590f0939c24d8be33847c350b2d3d9611c667e3b3a8a40b526a26508770dc0007c0be609f111469ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
57KB

MD5
e1decfb90b3eaca98b405d96c3f20dca

SHA1
b64766693a58cde8a9a2e6abc6f826de9ed4f904

SHA256
bbf5f3ce3eb31dab5f108303948c582911dec01f5dee104c29b7039698bdfd1e

SHA512
07c049a8469bf3e0302c9d8dd79f9ecd2cab235f3c9ec2263429aa6e71d6ed280cf1063e726bb8b841750a87536cdf2b193c9651dd1bb2a98f76c7cce67f3607

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
25KB

MD5
263aed9740d582f5266428ec44350289

SHA1
1baf657934ccf46a074c49be929fa57f7f8ae3c4

SHA256
363071e78dde5fe43a4e7959670e5f187a6e41dede28ae55096f1ce9cfb641c4

SHA512
6e8c9e00693df2ee77cb58caa00d6136c9dd63a6a6c9ffe78a591e79195c11aa799837c8bb3891410cf5c2ad328f045e59ca37cd2ecf9380a49d860d0b1c1c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
673KB

MD5
57d07f6f04edd4f7047f073f951f593a

SHA1
bb7b04e3b98a8d5103866bf8e3f65534f75b28a1

SHA256
40915040cc09257f2950aae2c6106b3dbb1fb1534055f70f44ec46a4bd9f693e

SHA512
5ea79e398bbbf49895f523a9ff5a5c87874a6b69e5085708ce179b21d4b160470ced21ad65cb04bb0d4050333d0213248aaf80c4f3cb5a251818ddadf6de7ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
42KB

MD5
1a2de40dd53d27cd668a69f2006410e8

SHA1
195e3692d8cb252a9b926c9235d0494630767502

SHA256
4eddf1079a34292e9ed8e4e674e390c0ef8b0ef2365e963237040b396182cf71

SHA512
353b6f0a7dbf7ed1bb565c1377c00b8ee59b7fcac9e32da1b657f05d90ce3fa8d285a42ff8bcee22e6c030f69d0a11f56ecc336811c494cdafe3d00b56ea1dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
746KB

MD5
9140664f4bc828eb61429ffb3f42866d

SHA1
3d058887545ddfc1e16699b64514095b937125f2

SHA256
e5059fb8f87d8114f1979756fa9e0d29d5d91233bab453736fe9c665972030a7

SHA512
a0f2dddb4da1e341492ccdd7358046422f761fd280cacad857fc739d76e144b8ffc19b9784cc7cfdc330f71bea1e33d5350d9993e95f5f04078869e0579c787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
910KB

MD5
7c693bc3ec123b58984ffe5e242eb7f0

SHA1
df11d8e869435a1dc448a6eb6825351d10fa590c

SHA256
df140c1b3a04df983fed84a52c84f644180a7b0781daf196c1dea23c7d9b559a

SHA512
118067cb26e2414809c7ffa3a86a92010ef4c1aa6317eb444e339ed35a1b272be6f9a2bd243e55a3873b84252f88d0cc340c87e5c656cb7f5d92b9be6d9ca2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
89KB

MD5
3bc0850f9f22e8b815523d2236effbf1

SHA1
e29030ddce585f19ee414c472d5d971513f44967

SHA256
c4c1632530726b70b0471297306f5ea1a80063e46807c39d56c5551278167558

SHA512
e68770cf680d419f03d7857bd1c4b7994f2542c650ce1a594ac227122f2f7329ec0f0b0009338bbb7fbd003a6ddce8b2b602beb3a82dec6839a4119f355f4176

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
73KB

MD5
dc2fc2dfaab3226bffdfa2e2624a12f9

SHA1
8ee4094ff772032bfa11f8dffc800624d8feedf8

SHA256
e1d8270184d6f95176a2afff1b680249ce6cf84ae4f72ec422345916b231a7a7

SHA512
699703761855a52f736f4152297e2bdf6f43a144f86ed8918fbc7e06e0ed2c9ffd126866293b5498b10c740bb2e545e78fa450c36d20fcd9d16776947528c406

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1988-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2916-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2916-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2916-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2916-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2916-49-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/2916-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3060-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3060-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download