73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
228	b2e.exe
4084	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe
4084	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 228	4128	batexe.exe	85
PID 4128 wrote to memory of 228	4128	batexe.exe	85
PID 4128 wrote to memory of 228	4128	batexe.exe	85
PID 228 wrote to memory of 3488	228	b2e.exe	86
PID 228 wrote to memory of 3488	228	b2e.exe	86
PID 228 wrote to memory of 3488	228	b2e.exe	86
PID 3488 wrote to memory of 4084	3488	cmd.exe	89
PID 3488 wrote to memory of 4084	3488	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\6F73.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6F73.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6F73.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7196.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F73.tmp\b2e.exe

Filesize
2.6MB

MD5
93e2797930b93e1fec2d1dc5c864e60b

SHA1
ccf6994930a2956390cfd445169d1becd6b97eb1

SHA256
b155e4748670d1012d71b2f918011e8aff5c33510aa34d856a7dca04048f32ea

SHA512
a6a356dfc495bd582619ae8dd94d4dccaf3d05b72b38d061be98db85a45bd492c90b1f01a1efe0a5c10bc394633b38384dd81d30e361f8c2fcbd247b50d50c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F73.tmp\b2e.exe

Filesize
2.0MB

MD5
01d95068304607d267a6cecefce6db64

SHA1
b2639d6926737b2f5c0887495e45910e0e331f8e

SHA256
c7ec9e55688d2451223aba6a6f0024d800b6f094b949af245d32d282cc1f815f

SHA512
426e0256c6faa1663e45b903f84c61fface4cf0e0666d46faabe49a20fa7c88cf4b4138a0c9355a13ecbe8248497bcb38b59ea7983d134032aeaaa42335a28f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F73.tmp\b2e.exe

Filesize
1.6MB

MD5
bf60cf0462c481512a28ed5444b6eaf9

SHA1
8cb257b0972634524ab759fc9100c237e9676c41

SHA256
f63662d551730652ce069ea1365c63241b7fb1271b63000761f7ae72e855d127

SHA512
47cb7623a1ab79f7e020f83d4f7d4f2ac289d9711781422858b7a9c6eeb3b7c9ead7cc2414bdacf176e35caef0ec6dfd8a59c44f45a28f72f2cec359f09824e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7196.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
556KB

MD5
aadf3202f875b30d5be13219206ea3fa

SHA1
1c28b1f0c4355f6b95c45b78cb62755d9f841140

SHA256
696238979a4b8bde16b20ed53979e85174a69cd8dc8affc87f3233063ff613e8

SHA512
706a09168c550a73c7adc381dd18030e25fc3afff74a686835ba359b777b494fab79f4ad7136489b9803b10b1e965a9513e68f2878777a290772657b087241a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
270KB

MD5
168ba090134363fee61ed592e9f8d807

SHA1
5ab216632313b06db0af2f8083a308fc82904e0c

SHA256
5841bfdb649b599b41f7c22d5c1b5fa74840a3f20d79a2b960bd387b4a31889d

SHA512
6d01d6bc9025c56122fc9a9f0725373d6f0650ebd6030cf3a764d2ec0da1e215dc67e86d5dbbdff5256f510cc787f0c2deb215c46595ae45845f403033265341

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
405KB

MD5
c79f8eb46ce578a2d084a8aafd04dcb6

SHA1
78ba7d1f2d6d00337618a9eae6f82464101dc873

SHA256
f19dfc893ed743e674ce2b691591b793a29c38eb02422e0f7e2eac043f4a7e70

SHA512
44c193549a97d53684a6a7695eff0d6cace05627bc9dfb9a3291153438e89f000b6c30a5be19614efab53fe369f09e1953326e7f8a27fdbc67551e40566868cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
638KB

MD5
2ddf8464d7a1f991605109501a869ad4

SHA1
10237f91f4f0567bd4f48524586ca74ad6783851

SHA256
3e2adc990e16400cf8973a2b7c8d81f2d430c7ff06d23d8911aa4c5df2c6ce9f

SHA512
66c445082b9a79fd44564f9f9590f90f086c23dff90d6355cdb4fa8281122db8764a259727e9e9f680f78118d0699a72b1cf89b69f57657a090143dd0476297f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
363KB

MD5
e41eed304127751bfad0b9bf33b5cfb6

SHA1
51dbe6dd9f5eef75f8143ca11ac96b8d1fccd4e2

SHA256
44d093a4c268fbe7ba035ac70b4b0bfcf4e79c5d58d0537402bf058b32c15aef

SHA512
23de4f9cdf2cefd27369973fed42bb2a4f98aac5f9d805ec67a6dd11e84242fa8cd8546abe6a3c343da0a9fac9b4e78db35203ff07700e9cacdf4b7d1b8cc24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
380KB

MD5
3f817516d151759659d2236e6bd02dae

SHA1
92c1cb5d3aab594c3178d7804205710c0090dc21

SHA256
7d25269fcfe27e1121d07360d13ff9357f79f9ffc92096988e5ddcc93e3f6f43

SHA512
003e6ccaaaf433fc7e59d96a2680459d5d805372a0a58f1debf0dd3c00a989b065eaeffd269936d598b6c7d634b9dfcc8ac1fd6bc72fe99c4af20e7ae7e867f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
527KB

MD5
f2815015118d1c152606ffdbdc506cb7

SHA1
be7219dfe8d299afa9c9476797f928c8fb62d540

SHA256
a34cfe81b3c8a58c4ebc89cc15c6ad2e5ce29fba0c475ad70732de199dcbd9ac

SHA512
88982be27f50fab50602bfc3458c43fb0889ff80ed3249e2d917ac9bd58b4e6dfe0658a3ca7727950f40a4d685c3eb360ded242e2387a208a362fffd957b21f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
414KB

MD5
a0e479f9b463492c1835535c26195abf

SHA1
2593cd7ee9f6bbb62c1588f6fa02160d21393bbb

SHA256
3624fc45a02f3b55ce3567c93e02573800a342de5da95ed7610229ef5a709d60

SHA512
00557b57cf8a361c5381b56c4bb2dcf23726ca10aad54c7c7d56b36e68f12501912f556a7e9c16c6161ccab02f4cf930d9ccb6fd14fb3188b06283915f6ec222

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
170KB

MD5
905aba271068e1b18a99f8c9df54b178

SHA1
b0a2c90af3df10b5811211c6ad1e991d75f859a4

SHA256
1477f328493640d7d35cfbc493c878976cd83b5f89ddebff7a1b3e2d3bc399eb

SHA512
66b663ac8bdb7e5e8682baefa048a9e499044df5229aba63063441722b087e65a821942afe4038a0ee638330e0f1a5c24db9e75d507c67c51c0ab5b71b9554ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
525KB

MD5
e715b65854538780f1a0c6a16b7781a5

SHA1
ffd3acbf6cac8012cd6d4bf9c0f1c1be362ffd05

SHA256
515f86aceac50359f6af11986ffb6f50f011933a25fa4020b695bb4c874d6ba7

SHA512
b6b761ab0fb2f95b465879e3ecfb35d4da3b40728e37b1c77abf1c0a6fe5167cb732fbd855632ecffd32c7cddfbfa6941b2299afdbe2e5923562898ebe01a31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
329KB

MD5
0f2635b0958c36483f7e9141e5c24059

SHA1
eccddbce081f920eac29a6747c823963bd3e0d08

SHA256
529dbd69493ea73945181dfa4b4becf0f70390524451d577d47a4f5ecd42c6da

SHA512
b32e319dd8a45798309314a9d50d0bb77fe79551f193145666f3d195116c0aac28ed3f3ac959272dee3078aa29e3453fe23dd3f7e2275eb9f514edfec654aa39

Download Submit
memory/228-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/228-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4084-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4084-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4084-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4084-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-45-0x00000000747F0000-0x0000000074888000-memory.dmp

Filesize
608KB

Download
memory/4084-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4084-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4128-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download