73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3656	b2e.exe
5396	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe
5396	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4612-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 3656	4612	batexe.exe	85
PID 4612 wrote to memory of 3656	4612	batexe.exe	85
PID 4612 wrote to memory of 3656	4612	batexe.exe	85
PID 3656 wrote to memory of 2604	3656	b2e.exe	86
PID 3656 wrote to memory of 2604	3656	b2e.exe	86
PID 3656 wrote to memory of 2604	3656	b2e.exe	86
PID 2604 wrote to memory of 5396	2604	cmd.exe	89
PID 2604 wrote to memory of 5396	2604	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\4205.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4205.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4205.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55CC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4205.tmp\b2e.exe

Filesize
65KB

MD5
06db4b899676debe5d0eb65c66b1ae0b

SHA1
5ccbdddb951f13ef03c47f6e3978d2d3f781da5c

SHA256
ed497e4169498fc971daba6848e556c5332935de7b99be98a4390c5b136ac0fe

SHA512
7a731f61ac5eb264d3ec2a650bad0c4034b34fc72e6cfe5584ed1ae2d228677c1846df67179f9a78bce5e5b34a5356ced315331c0258316f8215e45532381f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\4205.tmp\b2e.exe

Filesize
1.3MB

MD5
b0b149fd9ce3600e9d70c122cc8f226f

SHA1
cef6e1c7ef7b1ea3baa9ddf59208629fd9a06559

SHA256
9bb02f96fd5c7af1a3a4cf94ad4e7c5e232dafec2ee671c1fa1e2ce7c827c4ab

SHA512
da5d98f0186648fc58decc38fa0fd7d17c4fca101f45c234db7724c1a323c7894cbf2a19179fecf866d0e4af3202b8bb48fcef6e8f62576e446964e0c7db2cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4205.tmp\b2e.exe

Filesize
1.5MB

MD5
48ad55b9c4ca8bbe480283e84da1dbf1

SHA1
e4270399d6437cb58e791a2a4ed9eba7b02ade5c

SHA256
04fdbc629f4244b7d1a0492ac8e438f67a883952782384b00256cdc0e970c3bf

SHA512
6bac8f39324902ab9723332b3f260e4c1d5ed387fb1137549b981dd1a7d82ccb6f60da950096f0daa70efa661ce332c930d2f45cc3abdb70afeda35b2c25cbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\55CC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
301KB

MD5
4d2f97cea4dbd30a6b154c05f8329180

SHA1
05b2ca6635e14f8de6867f5bb24fc99458c33197

SHA256
173e77b97e2782a8d01794a8e3d579ec185813bb6104bb9a384401a6aad5a2b5

SHA512
b3ce75b74b7d04c22f4d40fd6abb74f7204866c7c9d464632871a1c1b1b4afc51e112d5222f15215fca557bbe5e5000a3ec90802c55198209e81b7894cba97b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
92KB

MD5
2208e21083a086a2713adcf7fc93dca1

SHA1
b2bdc35d1c35a51aeaa7c283907747c55176fefa

SHA256
bf0848324025b28d8126e68bc887b98f2bd5dbeb0757d9be1c1b0ecbe1dfd9a5

SHA512
6c3ba4bb86574f0424986fec5cf3b5ba17914906e490b4ab4ce183bac555c8b0fa4d77a46e8d9804cab2a6970b1f0fc7b98dbbcd0caa7d1d5f598f4133f82347

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
322KB

MD5
c93bbb7cadc82ff108d49c6832cf0c12

SHA1
ac23ebde0ef589f0f911937a38e11ad94507c8ae

SHA256
b0867ce1f6b92648395832a7c341179cef21708a25137166c681198c81559dc7

SHA512
1ffb557664012e67a548a7c602dfa0e3d6df8113db04645b91ba2a01d9063963305e7f219e9078d56e5af8030720ba624aae40343d77092eaf3804beb181a268

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
72KB

MD5
8456f9bee40235f2198bad2d3911cd20

SHA1
f95e96a5a9b3d202c2a3eb38eb977a796ef9eab6

SHA256
988d57671c0c14547f74af6e52d6be112a52af5c9e927e81f60d377f017c5ccc

SHA512
b831ffd16d83dc8e068a044684d1f29eb9bfbe4b9b0c5294ae392dc7cd7c71e87f7036a2367554ff5c3b00ac02619992306d2ea7685343dc4f5384d03cadd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
317KB

MD5
bd54b958ea407c1f83e69c95c662cdaf

SHA1
ee357d1582df1a8e5b1c8ee9f213d20e56e35cb0

SHA256
88d88528cac0c625de1bc480f7bfabea351a356954d63c9c89b0499148b99d57

SHA512
943020c7bd50bc930479b0266aeed3296f36c5f7188ca08e220e6ae7f42474a4747cfa5995075124ff2aff311b9dfe80b7a88db3f69681ec56bd8f7fb6020ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
489KB

MD5
dfda2760d83c82e0c1afa7f9716c28fd

SHA1
5fef73281356b129ab120a6d351622ae6c2060ed

SHA256
225b16a2b3393bc4d83c1a5085b7fc2760c5afd30277d9ba65950fda1e039ebd

SHA512
39be97e9cbdea412497e9bf3e9a01310ebfe7cf444999d655ed1b337f99998a97b511ca6e9c52261bb239fbf5b6c603bc9d6471e10d61848c8b718ccfb9a6e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
287KB

MD5
91e8162898f01b253565b0c7506722d2

SHA1
44fd0044d168cb6f768e90bc02de6a1e27595cc8

SHA256
39bea11a0b2950794dd788457839a6281f10d4632d4981ada19982f2ce46dc38

SHA512
3dcc7897da954c020ba1af4bdbe1a98fbbc793974b1d5a35512d43909b14ca58b6130a54723fc6371ec675defb45814937e327420d589f45e15383bebb504539

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
141KB

MD5
aa5e66ff71c63ba29e874f50f72f96d2

SHA1
62de67eac191a2c6e85ee9c8a9bdc748d0fa3d2d

SHA256
cf43920fdb007aadeef2bf1cd6502fadf4c8d3629025fa9eda1abd4e4b7f543e

SHA512
0fca5160dd0c7af3d7c31a91231fe55cf534c0eff325fe3c0e2021e69b881701f97644dcf0a7ffbb8075903ee7458cf0d1bd632c7f92a74e9359e920beac7996

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
422KB

MD5
e04c7e73f32eb92ef6c2a2fee5bbe228

SHA1
d7931b0b21e58db76b4dd6fd7541931fd3160b51

SHA256
42b9f246ec773489559eb2c672c145f20776e0168116d26320940343d76193cd

SHA512
0bea7820fa334270709734bced72b62d2432df088cce4139b6d2078f96c2924b034c73c98f163e74bdf8d6b602d502145d4aa5a4a69116e6b86135a05c5ee415

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
195KB

MD5
bc145e7e40d76dfcc3fb4f57f2174a8d

SHA1
850fddd47ac4badd294141721f1da00ed5fb275c

SHA256
333fe641d508bad6d82aed5e588ffcb142cc6b1af63f66bbe37751a45a76038e

SHA512
eacd9bcdb80029228844e36e103e8d8fe7a13a9c206c4f73c71d2d4a2ded473e9e57877390008c28ab88f79b0c94c2a28be616794ebfbf5e29a2e6398070554b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/3656-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3656-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4612-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5396-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5396-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5396-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5396-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5396-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5396-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5396-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download