73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	b2e.exe
3308	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3308	cpuminer-sse2.exe
3308	cpuminer-sse2.exe
3308	cpuminer-sse2.exe
3308	cpuminer-sse2.exe
3308	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3204-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2204	3204	batexe.exe	85
PID 3204 wrote to memory of 2204	3204	batexe.exe	85
PID 3204 wrote to memory of 2204	3204	batexe.exe	85
PID 2204 wrote to memory of 1540	2204	b2e.exe	86
PID 2204 wrote to memory of 1540	2204	b2e.exe	86
PID 2204 wrote to memory of 1540	2204	b2e.exe	86
PID 1540 wrote to memory of 3308	1540	cmd.exe	89
PID 1540 wrote to memory of 3308	1540	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\8E60.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8E60.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8E60.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A350.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E60.tmp\b2e.exe

Filesize
5.4MB

MD5
20849d500adf882d9a36df3ea9fc9f81

SHA1
eec879d9e0f3689133b0daf337f731aed78da9a6

SHA256
694d25cc4b227106f92ce13d2f713a087d7477676c0ccc88b7adf63bbef0e02b

SHA512
a5427289e40cbaa1cee14b1d1a6f3e00d7728d74bf082e25d9c72291576b6fba4b6a2dcaf7f3a1f84e2c68d7328cc985c853f602c7a75fd1bfb1f978af756296

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E60.tmp\b2e.exe

Filesize
1.3MB

MD5
65f8090843b1c25c1b76486fa1e9fa69

SHA1
03d3c1c9df35212859db7a197f5ccdb1fd8223c4

SHA256
e4461682ac2c1a054443e2eb1eecbed9b7b2480166b90f5987738ec9a338fb5a

SHA512
db3793c7ddaa7fde1b5e33e6764cb33cc29306ed0285f5cea20df4e5a06314cd76abb3b8ca546d75f80ac0623dba14ce0479116c480ec52d4e05c9664b54ac61

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E60.tmp\b2e.exe

Filesize
1.9MB

MD5
f8991772724dddf32027f153da8cf41b

SHA1
36d6bbed8ca03852d9e3559ee691f17e9e010447

SHA256
3dc9cc3e95c404cc1ab06950bfcac4c18f3e473e73c46c7cd4ce3981897e286a

SHA512
c7947a12a59bfe06fea8fc2cd5bfcf1d2c1ac05d1bf7b907862187d6f89c7d45e1a41d634ce35e4f8f3e71caf2b8cf15f27102dc76ee25f97a8fe969aa2d46a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A350.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
123KB

MD5
bc037afdb9eeecd0c47df24188684a5e

SHA1
3d13e70403b2dc0dc6cf19417b0dd75e419ad1bd

SHA256
9125044fc2177edf092bf781ad6f6364ee2d7ab046094c413238a4d6c27fc001

SHA512
946e54c06352dccb9d9438495310839dc13dbde85c34145bd435d209bc47719643d7caba82f272b02ac8a7cd482d3f81ea54e8403883dd0c6b07f51a2b0766ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
132KB

MD5
73865fe7c803cda7c3a36d6658044684

SHA1
6b0a38b8da56e25f9ad2c1bced9d0e4dbe46498d

SHA256
660cd01f7ea4c83ce687af318554ded715ee2089253bef3b0592c0797a76ddaa

SHA512
98fad62eda432889f31e837390a22727f31a76793f919b2d7c2e13b161fb1a4da1d377ab67c6e4c21ff322f6b74554eb53eb10c2c073f61eef303eb76c510e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
90KB

MD5
92a6712922507aa5eb967ffa48a84d3c

SHA1
cda3be000d6adc739fb9b099946c03970b636fbb

SHA256
98e624987e41dbdc074ce9897a66d99e8b0ba836a50b9676f11da1568a60ff10

SHA512
94e60cd870d4964c620334143c49d8abb0f41e2c6ca646da6d10e9ff23994806b70d7cce35311f78247f7a67f3eaea7386623272d09631907b8f36a7e1d63a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
172KB

MD5
dba03f2e9953a7053d982dfc5d9d07cc

SHA1
8b4b852e689562e3778727482419fdcdc53eebfc

SHA256
52ae935c8c0384198b1f0dcca585abcac29d1de6a6c23fa38faec8fcbe744dcf

SHA512
aea87e4fdb1eb898cfa50d849da08b70e21bd7e051998803f4fe9e444b1f79bf66669237d1851ec9931f15f7b25010bdb27d490c7d35fe514fe90e10dd3671ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
320KB

MD5
e63bf5df87e2ea807dc353cc5aa9aab1

SHA1
69fc94bbebe878711cb133c3a1affb80c0bdecff

SHA256
2c9d6315f90367b959d3c32badd99bbc03eb808e4a46db72ccf2e81788b41533

SHA512
70f2b2a8a4c8ab23d81266cd23b75c27ced29a1eab8c80d95c57b595b10254b7229cc03b637716edbfad2a83827f2c557847b98d1de80256beec05c9512ee4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
130KB

MD5
719424a37bbc0f664bc245ea7f598412

SHA1
e6fb16614fb8382dc7b07a164a5525fb2abaaae2

SHA256
5cec3a3abeebcd3b2285e2f2e9358bc83a8a41e2efff0724dabcb3259a14bcaa

SHA512
e91d0417906ac8157df854015354a492fc4208cc3b337944c986d27fb3c169aff57a797ba7b1f685cf6ba7e126489070e7cc127992921c9a738b6c8cef626085

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
324KB

MD5
ad59d861945160a909e2523f00ef7706

SHA1
953f68c463710c43e1ed5687df4852c5be7a377d

SHA256
c1f2566b3e88e5beca048893daabf8e3725c7aef0618c72157492044e614de56

SHA512
a8dfc87ce51cf154d58ff7b09e11af5c6ec5e3bde61f1ddf2ce44c20f692a2646fef5746a41c5c813e9d8a27873cfacfc1709ccea8221ce7a7c04e9970fe14d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
493KB

MD5
de0394c88e69bdf49760eab490595e86

SHA1
5470effcd92f425c3cc7f296cfdf4ae77149d89f

SHA256
dd349dd5b736d68ad80aae35113c2ba9a886dc683c78f980c1bd2dae0ae21d36

SHA512
fe3c1c59062415acb7f7b5396fb3d047e0abf0e9cdbc3388eaac0e96826155b79fb8091c0506009150b7b5a47466566592dab82b7b6aeee6db4af95fb9a9c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
949KB

MD5
cad2e31ebbcdc13438b95dfb54742a75

SHA1
fd8e31c5f71f3e9c2068a6e37ad3d608b8d1cfe2

SHA256
eeba2e63b807550a21a01454e1357a6002927e1fc8a3f5c6fc62b8ecc292ca56

SHA512
a10b0e36731a8a149154078474cb923fb7326efe21e85c8c5aacce932b436c8ea4c05da0d843ae1218489300ce6d0d368072b84e9a2c4a9fcbf07d466b17e78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
172KB

MD5
de7ddc3391926b98b9207232255d36bb

SHA1
4cdddecee102d715abc9182ec86322aa832c6a52

SHA256
6d763260274cd35833b557ecb75575361e32bf5694387bb7378054429f7a4b8c

SHA512
37cb3368dee74d2107a9c066beaf8f8b20a42bfc62d978a56154cd83fcfa7ec5cd982ff043e829400fb4bc5b728a867f65de467d644cda164bf05f930a34f53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
62KB

MD5
0c12d1215db45c5f8c80dd25a60d4568

SHA1
377ba22580618cc5745531fa28dcc65119e6489f

SHA256
19612620e261099e618ae7a25a576a230576c8c9908c363abde96bc70ba11fd4

SHA512
764fd72e2276e6c9245928da95b83a6d12eb95bbc0395ccf216bdaef2701482f03f6124bae792cfedeb97370fedfe85a7dee4ce4aa5a2b08bf2917f3afc3dc9d

Download Submit
memory/2204-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2204-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3204-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3308-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3308-45-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/3308-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3308-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3308-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3308-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download