73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	b2e.exe
1700	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1700	cpuminer-sse2.exe
1700	cpuminer-sse2.exe
1700	cpuminer-sse2.exe
1700	cpuminer-sse2.exe
1700	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2956-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2844	2956	batexe.exe	85
PID 2956 wrote to memory of 2844	2956	batexe.exe	85
PID 2956 wrote to memory of 2844	2956	batexe.exe	85
PID 2844 wrote to memory of 1072	2844	b2e.exe	86
PID 2844 wrote to memory of 1072	2844	b2e.exe	86
PID 2844 wrote to memory of 1072	2844	b2e.exe	86
PID 1072 wrote to memory of 1700	1072	cmd.exe	89
PID 1072 wrote to memory of 1700	1072	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\7494.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7494.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7494.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77DF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7494.tmp\b2e.exe

Filesize
4.4MB

MD5
f92bbe384f164861de2a61d577390012

SHA1
f0b427743fafbae568037905d66e98e1fbccee6b

SHA256
bca776a46f9d9ba4475cef59ee588974f530a63df3cfddc57735706df8936179

SHA512
d23bd1f6791fb7c6c75fe0f4d250fa9fe475f531199834d436fa854729ea310fb569ab158726cc9182ec655c595bcdbadc19ea234de594dcf111a52fce8a9161

Download Submit
C:\Users\Admin\AppData\Local\Temp\7494.tmp\b2e.exe

Filesize
1.9MB

MD5
d5de5af0d8230dbd76bdfcb65052a18a

SHA1
64ecea8615b4585e571d863c811f2a1abd658a1d

SHA256
97c2b9f946e3c5c8bb74f3c20506c4d6ad9f0120dca2d1f7aa1762132abc23e8

SHA512
eee44aaacf76873a747ccccbf1bae21839b4cdeb92d92b7a1dc00dbc041e8fd3cd6e6458209f3679ddff5a8a36654e68ad0b6c7ee20d721e5f2fb2cdd2ca5c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7494.tmp\b2e.exe

Filesize
2.0MB

MD5
b83f087538eb0c564a63a90e0f8a353d

SHA1
e10a75f7a865baf9843e939122b860efdbc64c13

SHA256
c18c2133404b7ca3e792959f67d57b61f8648a004fae6045a5166f8a1122a233

SHA512
32045252f4f775fd7b4de7d95451b5f1613451caaca68ef80d767aef76ddfa6aae8ee7c36e6119c84600a764327f0409e8352307922ea5f7900241b6b551be49

Download Submit
C:\Users\Admin\AppData\Local\Temp\77DF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
267KB

MD5
22bec0e355011ba504a3a20fc6344edb

SHA1
b45831cc6f4b2eb3057287b00567833d07fb2bbb

SHA256
0d8b5b7204508ba1dae46ec54dda8733e2318d31b7a928df39710e536f7eaf26

SHA512
0a3db6ec294d0db68225c64597c5de2a5bcf9f1786392ba70f7a78d8997fb17fcc92e77c684548d52c333c0dd3dfa119e5811a39e39e68d0200397e36da3a507

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
408KB

MD5
e45f76a088943a6ad4b67a3757b35c4f

SHA1
ce080a67ea1aad38550818ff4776156f046f8d8b

SHA256
e8d0c731eafdc9a30177628c6097e8e270cbb8b4ea5ee83e21abd530ab900867

SHA512
dd1fca950f46644c8143da6ceca51f27758a5085aad74fc145371a5777d77c4fca37f0bdb66cc637c25990ad91e1fbf0848cb5b1f236a2da2c6827fd8dc6a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
223KB

MD5
f3fa494de5dd1937065b2bf8f5fda73d

SHA1
65b505923116a1051dfe48ffad3eb36ff3edcae7

SHA256
dac3ff6cc9736192ff3e74a77670888a0ea0a55bdb9c9fa5c9988963575f9e81

SHA512
5894c0196051ca2f6ecdd14f04a46f0a3efae6952cbea278128560f59305c711ff8463ce4ae3abd6714b79ba726ca203fdce452ceb9055cd4deba1a06e4cd4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
430KB

MD5
e19d53e4c7934e8b625e837fe4121c9a

SHA1
c6a8b0741cf48f2893fa7aefe207cfa5e388da98

SHA256
81686be36aa678ec9f95434034362b05539f64d1921d1dfc599f76b68edb5cc2

SHA512
44689b3f39b505765d6ab007669c618a3333a4826ecd910a17c1ad694bcb2b39c51907cd541fcede25ecbecb943336b5016ab63f8e03e12dd2c0f97c583211d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
403KB

MD5
b663fb21f426b4a0bd997894c6d8d4a9

SHA1
00c1a9c64a7f8220bbb11331b42653d5fb5f8283

SHA256
c6cc1d03c72f10d67b0ac576b685c12074acdb11312d4f990b892815758af61c

SHA512
00ef68d3aad0d25ded655d1b7a3695235149860353e8fe05cce9260653480798b9c2bfff4b1351f05e1c3f5c2a9d81624be5af7b121e1ecab3186964e7848763

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
424KB

MD5
23479fbe531820299f60cf6c92972c9e

SHA1
74fe5b6936ebdffc27a18f34f1be23bae6c3afde

SHA256
c11a412e4e08f6ce9791a914685bd8b090d6de49fddb3bf74cf68c464fab96bb

SHA512
3c62f912e2c0900243ed9477f92221551d10d689b2c973fbe9f16497fa39d5af65d54bb045f46707174f5618e8d305dd73cc243942fb7c49204a9c7e6ac34781

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
456KB

MD5
8392deddc52ddfe69eeaec64e982c71e

SHA1
01d9a902fd4fc395bd770639b3f58a0572480fb2

SHA256
9f6e036433c8f245f04b42ec33414b50364ec89522f783d74d4c6c126d1a7c7c

SHA512
a2636403e6c2dcebd61e11535ffaed9e0fdeca5d480e04ef891a966d14cd253c1f36acc356fee0c0265271f680f7baeff1df01745105f0c5ed77cc141a27cc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
289KB

MD5
6e6caf2eac9478ad6edf65d216d14ef5

SHA1
267c49d3fbfae38926ea1e1b7fcab0de3edd091e

SHA256
4342b6917c0c6e24e848df0af94bddb87b89c5da45f16019b49e94a2e12d534e

SHA512
d82f7873a7608aca2eca5ac818b633ffe517606c24d32434e3c4cb30b86a7f925b471e5f8caf162322f413042796a81b68ec125402f9edec6af3ef460fe1363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
388KB

MD5
740f3941737f7927055274f116d8c7b4

SHA1
8362a820e2ea337ab8601dca87b5e6f70d706736

SHA256
6fcada18c035ca73d81df0f5afc27a10d73f43677fec2a3386421de11368645c

SHA512
3541048e28dc2e5ab96d7bcd4056c1815e0bc95bc804987faaf12e877f4187659564cf12bf5c4d19d50954d7d1adc963b36c974236d6ea28896ea6c22a10f4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
298KB

MD5
8a6509b6a7782af4afd99e6f77b5e267

SHA1
6e50b986ca3e51090213d2d0f2af81477770c885

SHA256
b04de335e26af89fc545763f29179bc54d29a5df1e870004b793e162631997e7

SHA512
5fc30acee0a700ebb929a50c87ca020b2808068620ece7caadb83dc0ee191c29e840e6194bc257f5d2fcc6edaa78de27181ea0b46ba7601106f85e3179e24457

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
401KB

MD5
baac90e24fcdecc8b68fea2cc13c2d19

SHA1
8301a6a569b535510a7f130c006b2e3d9e7d82cd

SHA256
5039b78a94111af0fb441e24b1285591b56ae83dc2ffacd8319785b8391c2f2d

SHA512
3381c74b26a0414eeec46b1a850ac9d701cc912edb695e8d36ec59a7b64c02f6614c0d20414a9f899808a6094ec255ff1e6c6e178b65ab6c32003d1058cb9996

Download Submit
memory/1700-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-46-0x000000005BE40000-0x000000005BED8000-memory.dmp

Filesize
608KB

Download
memory/1700-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1700-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/1700-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1700-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1700-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2844-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2844-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2956-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download