73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
318s
max time network
331s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5836	b2e.exe
4912	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4912	cpuminer-sse2.exe
4912	cpuminer-sse2.exe
4912	cpuminer-sse2.exe
4912	cpuminer-sse2.exe
4912	cpuminer-sse2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4024-0-0x0000000000400000-0x000000000393A000-memory.dmp	upx
behavioral2/memory/4024-1-0x0000000000400000-0x000000000393A000-memory.dmp	upx
behavioral2/memory/4024-3-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 5836	4024	batexe.exe	84
PID 4024 wrote to memory of 5836	4024	batexe.exe	84
PID 4024 wrote to memory of 5836	4024	batexe.exe	84
PID 5836 wrote to memory of 3132	5836	b2e.exe	85
PID 5836 wrote to memory of 3132	5836	b2e.exe	85
PID 5836 wrote to memory of 3132	5836	b2e.exe	85
PID 3132 wrote to memory of 4912	3132	cmd.exe	91
PID 3132 wrote to memory of 4912	3132	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\DDC8.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\DDC8.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\DDC8.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9DDC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9DDC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDC8.tmp\b2e.exe

Filesize
5.2MB

MD5
9276a92773b476a057c4ddbae2c38708

SHA1
e86dbed9d1b8ac5bf4451342542242f39185cb9b

SHA256
c0b343e5d470bc1d74dfeae44f946aa9d5d362120c970cfa7fb96836458ffbb6

SHA512
5e62ea09f6274ca264d596e6d392016ba0b321570af04e216b8c5aa8a3e9e4676a758a5ac8ab39037faaa5621ec096fba3846bc59dc4565cb4980cc3011262af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDC8.tmp\b2e.exe

Filesize
3.4MB

MD5
36dc6cb2bbf93510077384ace933193d

SHA1
a5ba99ff31f5112c879443ff9bc27272f9897aa1

SHA256
ddb00b7b456fc169b8076ca62acb778681c84998a284deb829c72c9d2253636b

SHA512
99c5a6eed68009e58436eee05249ccfe2b722abf96e7491b5591d01243093d87a3eed62892c8b51a6162b83c6754769b1e21dbc4358c0a601a991749ff0d31f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDC8.tmp\b2e.exe

Filesize
2.8MB

MD5
e8fa343080efd54d9b55fb15adf0e0bd

SHA1
0a9d6fd18dcf59fe7112ae526028b52cfcc93e50

SHA256
0d954b1815c6d3aee1ba5938857d62c54988c1afe7f4a13b58408a0c0482c6e1

SHA512
bd2dd38b482bff9f8167761ddf0fc502d513e4f5d092e95e3ff2c4fdbc0a7c565fb51e086280fa6c44a2ee1debe85d6b3e4f1225eee7a67a65223b739b4ffdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
990KB

MD5
39fda02b04383ad87c429afdb0dda36c

SHA1
7109dce68c1a0711fa0ad82ebd977de9e7aea380

SHA256
001b69d3895a655eb46172b3933024ff64b1bcf9413f7216048554b0d7ab44e8

SHA512
85f22d8ca91d886d3c5555b8a15ef90107d2b2640d6e064d63bbd885b362213878558772e7ddb89798bf1ff7c69c95e7d9f53f0be9a06c8a9d907a7815202c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
663KB

MD5
e9d6c80b47ff023456e99d1fe63be752

SHA1
62e81469dbfa0ed40861d0c37e8ea5b94156a793

SHA256
0a53debf19f61ea84397da12c0d6fc7f754ee1f587441ea12e471a9c6ea56378

SHA512
b27d60e1701ce22d889546603ba4c3addaaa2a59e4212ab021d8cbd0365961169a21c16f6e123aa93e14842b93c35ddefa846f12c1ad5406e6b39ab3f098569e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
821KB

MD5
c58332b70a96a5562609ad2589e46a24

SHA1
b893db8e45e53a0ad9b2f5324dc06e593180629c

SHA256
b9fe0d656ffc2677b016d7fd9e620d6cd01a79053f3fa109796e56fe8f5ec3d1

SHA512
a02fe131100840634a1d248f1f7814e99e3a99b5fa9ccc1a1be22625dbe0baf866a462eb8f7e87838463a72335c48e6617755f72f53daeaea1630173c0377157

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
563KB

MD5
af65b38bbbe6bfff3f401606841d29aa

SHA1
707804ce557c072a57fe8670715e1749ed0b3d7c

SHA256
e00386cc33a78ac434aaf7e67d98d7cbe95aec0f9f056a00b2d173e736ed1d83

SHA512
96067331b01b72e6b7b4e4724278fbae411fdede41a26c6d8b81f81c67b4d4038939050f18d78d9f91bce2abd9209beb3a4778c03e7ac1041ce846752f7040a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
658KB

MD5
e9f63d7e4d237c0663c4429443f4d85e

SHA1
d6eb4ec1c3f5252a3b49160f59e66eba4056380b

SHA256
bc5fffd017236b73f4f64cbe7ce935ae62caa7d282afb5583b01d3199188cc73

SHA512
60a24e7060dace0f0ca23937fa4b94f09ecf7d8fea4d046b158334086cd60c3f2298a7f8d6d9244e2ccefed5ed9afe1ed8375242c70017f23de1ac4052790e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
634KB

MD5
ee81218cd63c72b796d43523bdfed742

SHA1
ad5230ab0e4ec348b55a349c92357c59bfaf5077

SHA256
23dbde54482a4223f97701f44f31395e12a8eb2b770bcbc98b05c52e46625370

SHA512
83eaae18009414745b46d4b0ff491e9c39fbed8225b43d7350d3b17a92017fa52b44010030b54158ff16528af89aad90ba06871935b25194462c07b077844664

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
601KB

MD5
d89e842e7b082d195d57b4b8ef84b247

SHA1
2ecca1715ec185653625559c2c1b339abd8df8aa

SHA256
47634c5b8da011c7c568387c6188a917dc002116b4aace8cbf9e3657a78d5734

SHA512
2dd1072305a047adf6773ef927eba20fc0a80b495f1b0e7e838a31a002cf6cd71d49b05a4280f346dc33ec15cb4f0607d7351f09b2b4cbb9cd2bfc565b7cb926

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
173KB

MD5
d4c88513089c02dd5f62139b4f44eb6a

SHA1
9df4765c0d16b20872fc7aa789810c90d5b361d2

SHA256
d67241ce837878a67499098c48ca9c51da5f035745503e3349e63d27e2601e9c

SHA512
355729f634cbdd187169392d5433999a535fbf5a400f2970afbcb2e5ca24e9af36330ff14873bead4bfb9afadac4fab24bb60a41b865374e532930cc0bc181d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
186KB

MD5
8acbc56307368b84622dacabe75fcaea

SHA1
95d7fe0c7db7850315a0afe4d963b73651417c82

SHA256
8dc119f14a4bb506db33a9431a8aa50f0d3eec2072afa6f70e0098b9811d2868

SHA512
a77225022c3a3dbba9a109d4378cde7e3245f172e99a109b786004447f79a4e8680b92374413d4939cad500a59643452b613fa35e18f2a28adfc91cbadd7e2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
205KB

MD5
49250bb5b5006f6819abca8faaf16041

SHA1
eec9fa0fd789cb344513fa9f835c9807b166c3b9

SHA256
2b8b4294f54bdc608ed6ff27f1a4f2bf44f094dcbbbdeca3adedfebbf6da9b86

SHA512
dd38cc54c4290df00453468aad9fab26ff00c82e2121476139de10b864068ab20a5706fa3f32d62d9f09ed9e0618ea9887f703a13c1043181f84e2b78b258811

Download Submit
memory/4024-1-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4024-0-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4024-3-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4912-54-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4912-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-51-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4912-52-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4912-53-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/4912-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5836-33-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download