73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
3416	b2e.exe
2420	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2420	cpuminer-sse2.exe
2420	cpuminer-sse2.exe
2420	cpuminer-sse2.exe
2420	cpuminer-sse2.exe
2420	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/920-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 3416	920	batexe.exe	85
PID 920 wrote to memory of 3416	920	batexe.exe	85
PID 920 wrote to memory of 3416	920	batexe.exe	85
PID 3416 wrote to memory of 5764	3416	b2e.exe	86
PID 3416 wrote to memory of 5764	3416	b2e.exe	86
PID 3416 wrote to memory of 5764	3416	b2e.exe	86
PID 5764 wrote to memory of 2420	5764	cmd.exe	89
PID 5764 wrote to memory of 2420	5764	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DCD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe

Filesize
11.8MB

MD5
a132b15ca428dd9af883c530355ef778

SHA1
bfb8de637f523aa2c1aa2031f5446fae8040e857

SHA256
d26d6611457d0ee7bcf19cfb11161a1dc4513e7d54a058441e12068d454507df

SHA512
cb12dd3f84aa6947015b295abdf89b65124b9217fb466ecf6441dd139289408adbb78473a007f2b4d215b46aa19df4a1dc566b087acb4b9082e5391010e8f8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe

Filesize
2.3MB

MD5
e7bb6b9c2f6dce554f4f4b990c780fb8

SHA1
74dacf2c321d2a2b958fe524b2463e7f87c0c1ae

SHA256
9f53ccdc3c831c3e9cadf48c5326e2d57be70a9f02cf9908cd72b271c7e40bb3

SHA512
db39f8d1b1732e66e76d95824277134c551f1b55d4879d8885e18f46c25fc9578e538e86eb5e5804b7244174ea730aaa4515060067b3893e19a0af9249dd931f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\b2e.exe

Filesize
3.9MB

MD5
8f71f5b71ba49ec69ac37e8b164c4ffd

SHA1
2bebdd2aed448ae8bed3b4fa93a4ada51d5a4e3f

SHA256
090558da6b2f01b61b71f11ca8575dbe1930ea2588a450e66a75d815e82fcf36

SHA512
aab2ae07636e2681dd2179c74ff0d0f7e069ac8dd9d9f2d6b986e6f1351cdc50015253b7522db93ce41fcf3945530b9a1464246965b9c48b98ba2104dced11c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DCD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
225KB

MD5
c42ea7605f653c9bc5d730314d4c6cc9

SHA1
ccfb4b6875e734289c23b00db7e54afd927ddc8f

SHA256
4b270e77321c7547f91c97b82ad26e967fba20a6f590c540a26baaff53d4317c

SHA512
279c4680433f4202a95842a519e41760fbb4ac66f8d0fa5a10b9fa6afb93083c2b632a507d8e297755d980b9a98e01ebfae2b6cee5d2974a95266fde7604b34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
219KB

MD5
3f1adcd935ccfec3a864a8053b4fba2d

SHA1
7fcb9d08af1d93b5164488ef2e37a2305fe0109d

SHA256
c0211d93d1c8eed7b4c77b5abeb24e295047852928aced1bcf4ff556aab5d34a

SHA512
9b008a7b998d3895828678c728a880d5c780bc8f3c5b87fee4efb3e72fc1ab3d696336684022b29345a9bcec1086ac6cddfe79ff989dc75d5dab97d4936fa265

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
236KB

MD5
1b258e4a5b107392f34359dd492972f6

SHA1
c5a9c80364a0ee2582767e44a7f762f46c758073

SHA256
a21039d3779b129de241b7778ed7437a26a4a8842bcee0858421cf9623c0b34e

SHA512
cc581f9686c84a97fd08ef4f91be40f4bef652e26969b92f04d326770c369677caad78f8e6dfbc588c963093a59cd370bfadd860f238fb617680838c1191fdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
116KB

MD5
83b6821fa1c858f802fbf4114ffcf1da

SHA1
4ec3f7fb4be82c19c7943fa9dc0503f1f4f99e58

SHA256
bce651b25bd75edc7725f7c41cc57a0bed2d85d6d96862bba498cfa1f283a817

SHA512
9d9d0a1fb626ea5a86ced221d90c39323e78472c97b6e30ae4bbacae6c7b058949e7bd76e96bd67b43edb8b0e31292ef682e10aae0976ef74be0ecfd93552b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
113KB

MD5
542a08e014aeb411fa8718872cf6f9a7

SHA1
c9d7bd992d4f5b1fea535e65b5b08e973a426c38

SHA256
54ca9bca69e6bd9a9455ee73c9bf53336090c13cb9b196889d18355b6ffcaed6

SHA512
ff35c93bd65b24835575e4bf6d26eb010cc497e5d4bb979ae566dc91feef6e1f619e999bf687978503a8af8b4553899490566dbd2820d93e63396fa3f501dd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
195KB

MD5
adb4706647b5baf337eeb7fc2412c1f5

SHA1
3bd4dab7f88dc050529801ccade7f76a96e9998f

SHA256
03a728e162119b99775c2dbf103e55c06bb66938d62e1acfd7a1d702ac2c9269

SHA512
8c198cf190ab35374de23ffca2b4d7bffa3ac0a711cbf622aa051c2944b3408d205e5cb77f0fc821529aac13d16eff6503a12fecfe8d5e094a5fd27f59fe0cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
125KB

MD5
68f740c31f7baefa75663307b515d4d7

SHA1
a81289110345da118355c86e4221b0c6f29728bd

SHA256
88ce4d896f6fffb76e5c57e12e60a9711978ed25f8c31de429889d33aeabd3a4

SHA512
f0c05118daba73d1533fd080bca4041ba54a570695b38d067102380c903e72dc322ad5fb31ec5aebc1f74713037583c236c48b8cff9a66762858fd95736ebe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
115KB

MD5
429fc1254011166f53e11c09747f3fd2

SHA1
24886f2c4e707d285cee0ea51a8aecc3ed8468cf

SHA256
423e19721fa29d11d1903378ee1f0a51284a85bbd7a4cd14f9bbdc8e12126102

SHA512
ca62e373f171eea21f86736891f004f41464cd828f00b74bf78d27ecef04e01417c478667bfaab68d130d86f79b50ccb93db7045874e7b27bc2956909602f9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
125KB

MD5
cf3b78f9057d8b3e6e5ffb5158e5e3ef

SHA1
e78bb59fce9c265fe057fab6f31bd3519f0ef078

SHA256
a679d2a26283e7b2fec76d5e71b81f23d2a1a04d112f23bf79994292d2e571df

SHA512
f4ebaae7170da69f533c845d43314d79bf34d565f882569d48e88128ec83697815f927742d8f0574f7e1e77bac0fbf8a9c7e3f8bac3ca86babd50b6359c1027f

Download Submit
memory/920-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2420-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2420-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2420-47-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/2420-46-0x0000000074D80000-0x0000000074E18000-memory.dmp

Filesize
608KB

Download
memory/2420-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2420-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3416-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3416-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download