73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4212	b2e.exe
2120	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2120	cpuminer-sse2.exe
2120	cpuminer-sse2.exe
2120	cpuminer-sse2.exe
2120	cpuminer-sse2.exe
2120	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1920-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4212	1920	batexe.exe	85
PID 1920 wrote to memory of 4212	1920	batexe.exe	85
PID 1920 wrote to memory of 4212	1920	batexe.exe	85
PID 4212 wrote to memory of 1536	4212	b2e.exe	86
PID 4212 wrote to memory of 1536	4212	b2e.exe	86
PID 4212 wrote to memory of 1536	4212	b2e.exe	86
PID 1536 wrote to memory of 2120	1536	cmd.exe	89
PID 1536 wrote to memory of 2120	1536	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7196.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\b2e.exe

Filesize
2.8MB

MD5
71a12ed1c8ce17543eeac9d9fd6b81d0

SHA1
8809e2ade32cdb703c21a8fcfce55982a63f86a6

SHA256
d0725ccbb4ed2a047c403d28f1b653391530fdc1d7f465bd9049903b3838bb28

SHA512
4dbc26fe9c782acd498c309ba0df31440165c3f43bac69fe5bdccc7c435d4024eaef10afa8d212c8ec2e2f2100962910fab100afec9ad71fd473179cc6d60b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\b2e.exe

Filesize
1.1MB

MD5
ba03f15142caada0d933975163fc4320

SHA1
34c3c3621d1a6cd6d58fa320fc12c9143cc6d875

SHA256
65e59015d727b91a40499cfa241b7f1540c5ec834c9d0b905f0b52ae28002269

SHA512
ca3a6f87073c7dc5214b1ab4621daa7cc3b779560565f873a593337517dcb55488a6e646577dad3bba2f7c3ac0c7612416890fd2d9a97ba427acdb8a2e073368

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\b2e.exe

Filesize
847KB

MD5
f4033d1e66a6ecb25f5b590a648915d1

SHA1
fd0484e63750d9d516530fbb7c8f1fb01623826a

SHA256
63673d5c4ba111607e06e56b317cf964e5ed227087e35b9d7d2e585e8b786cc0

SHA512
fc665779d49aac29457eaf8799121bfb711763510fea539b35488560c437d920205eb04522910dcbae82ef387ac663ad676613df4897e602f153001b86120a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7196.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
244KB

MD5
34997a37e436d75601f2f76da925df3b

SHA1
abee9b4f4e8aef864c7e858cf9334226f6e531f1

SHA256
f80d716b54da4ebdae2f159b004c3d666ff5329c4c2c325fb3130b6b4bf5505b

SHA512
b342e4612b455f0d864bcfc8b61102156a30e2e5a21db429829a9af948a342a88a32d6ae4781b29042284f89442b048ca0e2de8523cfe235b46fa557c554b940

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
330KB

MD5
7941f0f7862abd8d6b36514275c8bc2e

SHA1
ebc89640d30f9bf23749c819843d6121c98965cf

SHA256
9b986ff1bfc508a01a60854a99fb2b6de12dcefc1eceb95657e6b29125ae1bae

SHA512
fa41cc438002fd065847617e02cf29f34cdcf0b22bea2843ee5b5726f60f5e291d45a428910b202b177263e72fb025050211d246d731098a955d1a1c778e9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
194KB

MD5
226358475269f60483a7f65fd4dc2fcd

SHA1
b4463ee5f27c6287073ad8a03ac3474c79039ace

SHA256
dc307830cd9dd12423f2133205eff9c89f8a5d495a3cdb14063ac7bdd008ecbe

SHA512
00954ba3742ea3b95a6b37466a7b22313de324748cde32ca2cc76049ab97e43ab427f24ab6176f92edf822bbe64e308d53ab2a3d94f1e87da0fd45875645823b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
182KB

MD5
f64f6231f5d21bc5c43a63f97e74773c

SHA1
bf6b592285f22938d53e6c84ad8e555287235a27

SHA256
441499a1406aaf32ca72fb657550f52bc9b9400efc13e6ada37d4c84e8c89e9a

SHA512
88abb6b95295d691084f456c938517794f72f72af3812c431bab7f69766bf030f6a2b734a29ce051253124fb8fa0fa9a89c89d71e721ee5eb408a117b20885ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
237KB

MD5
069b8399a466d2c202013121d52a2756

SHA1
93ba19d4967c94978fd806e1d2f94217fb4718bd

SHA256
c09600951087d6ac0f9b9abeadc2ecc486e8b70daa21a61b4957c6ee88321e85

SHA512
c41ef3c216a9c51db50a71527fa1d027020cafbe2a8906ca8a98f9268ab9b5d3e64d5cd3af649b5e8e815c8a18d3ea1071981e08a614dbfb158e1fe60389a5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
131KB

MD5
bcf65588ff6fdaa3bc14b81c99417235

SHA1
37d1120775ef234b4efa23dd31fe712e90f01965

SHA256
20828b488930222fd008b2180774479f7b26ba6ff15dcce7e7026bfe95c9a012

SHA512
1fa21852172beb13bacceaae6e4164fe73bd30e9c6110db23ce169c918060ba579a2169754608f0ed103b68f4cecc86fc52be53634d3bc45ddebef7109b25744

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
267KB

MD5
bee0a15c1663d2de22347d7a86b38642

SHA1
0ab5265fb403d7a4d5da09e8b0af36df02ffe9c3

SHA256
073ef6284e1a028e4a42d1d1a00e56ad0318daf6ee327252d643ac8c863cfa87

SHA512
ce789eb3a2f31530cffe44e1680becd3f4a7ccb350a97bec8ba1855196a333deffa4ba7f6f575e2d94e6a3d6445a3d67c932bb8b0838012476fc6077d2e3adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
126KB

MD5
ec3e4ba348ee8aa433ddf9b22a17ca97

SHA1
d96979cf5654e8c56290d2c7e6c82ff64eccebb2

SHA256
c3baf11a0897ea717133fd15ac30b306a5836b8826741bdf407db0aa424d4707

SHA512
b4cd57d343b67597b97204b439ea7ec51fea20fdec7f56df435550db4a63963fc1e9672ce52ebb0dc64a4dd35d98f5d547c9eeb41028c436b748292f3d9790a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
312KB

MD5
d33374603bb30e4b16fcf181080578d6

SHA1
84e8b09ed4bdadf5a92d9e92b300ff56391d7ee3

SHA256
67d8b7e1f3ea3d738eda6d8c24ab5279a5cbe7668cf1d0f9f61e90c1167478a9

SHA512
6afb0e28665586c95331fefe6a53e081455e3295bed9f72c16a5ce6b1e9d94a30636a42cddfc0d9697cb6777189faca3f7e4262c1b415adcd598761f0acec0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
243KB

MD5
44458865539d1242a611373e005ccf9e

SHA1
b51b5e5e4c1975aa4a63ce5f8694ca63738778f7

SHA256
ddd967250d0fbee7116001adfb90c5995e356cd6e914ae7ab2e69e76e6df3aac

SHA512
9fa388985fc522d5c9b4d890a8ef3c606eee3eaa32ef10ed448345714bb9000723f580af01678f463b49ffc3733b9866332c6f5401d5fd828e25f67299d1ba25

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
213KB

MD5
df0f1dc012b49a6d0366432be871dba4

SHA1
12dbc399f4302d3f4d41489abfcf69ea3c8acd9f

SHA256
cdcd2ccb4feb2eb37a87a21cbab94913e99447a6fe56d0e9a9c2aa596abe1aaf

SHA512
71feb2d88492dee57e8c5542fb016df1d00ced8c033f9b9da471f317ddf0b053c045d125f6df6268e49670fba40388bce94276274bd7fa602831e2fca605fbba

Download Submit
memory/1920-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2120-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-46-0x0000000065110000-0x00000000651A8000-memory.dmp

Filesize
608KB

Download
memory/2120-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2120-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2120-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2120-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2120-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4212-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4212-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download