73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3572	b2e.exe
3424	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3424	cpuminer-sse2.exe
3424	cpuminer-sse2.exe
3424	cpuminer-sse2.exe
3424	cpuminer-sse2.exe
3424	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5424-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5424 wrote to memory of 3572	5424	batexe.exe	84
PID 5424 wrote to memory of 3572	5424	batexe.exe	84
PID 5424 wrote to memory of 3572	5424	batexe.exe	84
PID 3572 wrote to memory of 460	3572	b2e.exe	87
PID 3572 wrote to memory of 460	3572	b2e.exe	87
PID 3572 wrote to memory of 460	3572	b2e.exe	87
PID 460 wrote to memory of 3424	460	cmd.exe	88
PID 460 wrote to memory of 3424	460	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5424
- C:\Users\Admin\AppData\Local\Temp\5F75.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5F75.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5F75.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61B7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F75.tmp\b2e.exe

Filesize
443KB

MD5
5fdb6dd34a06b9503da2c198baa89e3d

SHA1
66bba02c96ad3a7898d1c29c1f8cfdad1c3be58c

SHA256
597c4907cc5999f57aac2893b6f6c2e17730f127e5823e41a7c711f5fb188c3d

SHA512
2ae14c6f7e38cbb1b8db3537c3f47762911e638ca98deb95a0228bf5657a5afe64dfa022e9a0d4e900d13e8fbdeaca6aa591f187891d3a4d5c6ecddaed3a7d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F75.tmp\b2e.exe

Filesize
515KB

MD5
923782f422012bd1687c026e0fdc541a

SHA1
41357f29087790e4fac077b81160942a1572f200

SHA256
12de45203b6c3bf5628b14715148fa40b6b65c2dc1a9a0a5c388dfdd8d7bedce

SHA512
13168abc5af2886ae224f6fca07ba199535f3faa9e38dc0ca49f991ca0bf53a501267d0d8cc0bdbf1beadbedb4583837d9f63d73bced7258b82b17b8e5014329

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F75.tmp\b2e.exe

Filesize
361KB

MD5
2ead02d74c3ecbf8e87f09d855521455

SHA1
59cceb0b427e1e53cf335908393e1cb8e3978150

SHA256
ef38595d166f04101fd130c3953e496177fb45f9987b85f1247325919bee735d

SHA512
71769222e115ff28dfd9ee16f51b1855aa88fef21006b9ad38e0bdf6a9cf324027e45d670e7bc521383ce2c493a0172acd462e969b7b0785b92b240683b99ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\61B7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
38KB

MD5
93b7ae51f2125e69a201d46784b2fa40

SHA1
646b0fc8ee5a940de5c133f04dfea980102a39fe

SHA256
9377ed70049aa19e55769562a8a1da91ac83868b3ff1b5960f407b35e2075eb1

SHA512
881e117fcc7b7c8f2e85d733fa38c18d37027eefbde9d1c18d2b8b3463a9da147673692fd60318d7add6cf9b8dd6e290e68118688633fd12d1a02a4da12e89a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
149KB

MD5
50f2dbeda6b31df6ba3a76b84b6e03e5

SHA1
0481a34b7674ab97eb1949bdbb5a93b2315b0a5d

SHA256
65c8c385fa9563b79fde3d46238f08f80e46920bb24936d6ab992fb89692c419

SHA512
04baf9ef021b243f240494c13ecca9d2bd63eee9a81b587a02624ac68cae6e7dad874d57a9718fc11b4abaa97deeba6da48bfdcf1b6d462dc58ab764580da032

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
46KB

MD5
103c2a9e1cebd988fb10d168922a53dd

SHA1
3a839718d62197f18d963725ece5558726dcfdfd

SHA256
a39e5b1f5af2bce0e0c6bb56958343a877e8491ef8c497e2ca25352ac85c1439

SHA512
841a06086b7e08afcdda8d833f5496e8d33f77f19d3b1e4545fed45ab6d98abed2b088a3b9c0a43faa79acfdf1a431b2363e88577bbae44976127df7c9673994

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
156KB

MD5
e3dbd98ce9b647dea14f8ff59cdba93a

SHA1
68ec2e13e2ecd0d532683cebe0a6e18b010abdf1

SHA256
eeee2e094e1da219d677b63293fa7b66879cbe24eac88e08c576466f23ba0099

SHA512
251d221bb20ce3ddbc17b5574cf664398d2ff528d4ba072547e7a4ae1f9804ab337e6ea9fb114f9acacab50d60c5863bb85a46def61eb9d3317c276efce2f713

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
187KB

MD5
cd6d2b80fec68e4d4c895e295b596c29

SHA1
c9c9a7ff48a6ce0d1cd81c1cab66a137f70de910

SHA256
a6a8d2b2f18c792e5888f6d8823b966a8c34df40b7d68825c5a5919ab2410dc7

SHA512
411d91206e040da2931c3fc447236e1a7683321d6edb30f22ecffdf3fccffa3670f9d6eda67e639f7bc6a8ebb24dcf7b4b5a4a4557b79c046d12b62c9876160f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
156KB

MD5
b3fde958a22bcc05b8e7422c0798358f

SHA1
c1248944f0c9f3985f59da5847cc7a0d5122bbc6

SHA256
9f08e5c21e6b1cd71c1d13e5352e728895139ff65e1283ffb74fa8de57ad22cd

SHA512
0b5e314eb772b4ac129926b03fde93231b905e9920b0ac2890db53461f6f51ab6f7279c2aee8ab78cf939620c91fb6cd707f4fb6a1a983ab7c65be3b3ce59c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
133KB

MD5
5fca34b4ad3491d99ca97fdb3b302f2e

SHA1
00edbf5a5e938dac65f849f7c0febe2603a59009

SHA256
e3ebc9910397c36cbeb0f86e60d186efd0a45802fbba6ae77ec65cb92dcbbddf

SHA512
df12d6ff8644e249a76a5d092c5618ecfe7f635e3831b08ce5e2e285d3b3f36fa151876ae9329513f4d6c8d0dc4367fded92289500961aa393fb054b1e7fdbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
229KB

MD5
c56e701e49d9f4dda0322aa75aaa36be

SHA1
72b145d158946c452b8b0b228cc11b6363e955c7

SHA256
0fb6a0e148746d6a40a9ec636eb558677c67a7d9b335c1da4aa7207719dfa9dd

SHA512
f713858feed3e65f977ddb6cbafa04b045324723e29017bb87050147d1af604624af6cfb07396076cbba9c614ad6da75f0e97f4b00b01001da20897964a89bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1KB

MD5
7afca165eb598c56e10ab965bb8846ac

SHA1
ec4f2164d7fd2e3a9ef14f6de528a322173a9453

SHA256
555ac9bea13abc8011c591542b66c78024aa8f18c80f5a0114d5200a8b17730f

SHA512
d747e3aae86c96e7821538575d6d5a810125f584f80d4404b3dae3aea0afae5ddfd3b353b6cc7cc4bf40e30c1c2b2f88eacce19cab10e142ff9998a910f179cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
116KB

MD5
678b30d409e6a9bf75c028192f5f6a2f

SHA1
9086cc36c1dcf606532cf57d06aba61b0fd13d18

SHA256
8a4d4e4ffc5156f7b936453c1bff90ee4a5926d7b570487add41c9e05bce359b

SHA512
db31f061a43d84ce25af28caa8d17395504cc84096b549ada2eeabfd97aef982da607a76fd5de616dfa7e1ceafd839d726df966d909f695845f5b9c5ce234fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
96KB

MD5
01ef2a6a3c947b7dc837d3dc7b96bd58

SHA1
4e00cbeb009ef6ad1052d8df14578e0ee6c9b713

SHA256
32d0c371483beadf4f58bd9da93384364539a41e8ea09010f68d756687bfc735

SHA512
8f3ea3860894dd711daf1cd46ccea2449c26b416345b883bdb22e2eb3d47af62333f9f3a1d66ba0292924b65612427f4e6ba0e4447aff75abd964d09916bb6e3

Download Submit
memory/3424-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3424-46-0x0000000054CD0000-0x0000000054D68000-memory.dmp

Filesize
608KB

Download
memory/3424-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3424-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/3424-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3424-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3572-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3572-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5424-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download