73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2428	b2e.exe
4984	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4984	cpuminer-sse2.exe
4984	cpuminer-sse2.exe
4984	cpuminer-sse2.exe
4984	cpuminer-sse2.exe
4984	cpuminer-sse2.exe
4984	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4664-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2428	4664	batexe.exe	86
PID 4664 wrote to memory of 2428	4664	batexe.exe	86
PID 4664 wrote to memory of 2428	4664	batexe.exe	86
PID 2428 wrote to memory of 3312	2428	b2e.exe	87
PID 2428 wrote to memory of 3312	2428	b2e.exe	87
PID 2428 wrote to memory of 3312	2428	b2e.exe	87
PID 3312 wrote to memory of 4984	3312	cmd.exe	90
PID 3312 wrote to memory of 4984	3312	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\973F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\973F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\973F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A131.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\973F.tmp\b2e.exe

Filesize
5.5MB

MD5
4381e8a3bb172c1c8991d4dbe2aebd40

SHA1
f39d054110dd25c8caf8574446009032a5b270aa

SHA256
6fcd2ada90768aa45a4ca28ae074769a7249ae749afa906ce8be89c50e17cd2b

SHA512
08bccfab25097c8827190a251f70212e38b489d3541e271ffbccca39f79e5bbdca8bfc0b62ef1207498df55b0a38c537b5f35d89d5fb7ea611729b221ad0818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\973F.tmp\b2e.exe

Filesize
4.3MB

MD5
f3fb33a634cdc1e5e9a8f0faacbc6406

SHA1
00cb2eec882af4f70568e3c9ea4f0fc5d3955bac

SHA256
1926a88c48c773776f0af1f3d42aea357e9505381211266194369520836a38e9

SHA512
c4e8e55db5142777f0ede75faa757fdb61a20305a114bd7d7f781d7e0dc0f5b4a38856254e0e79e10313cd8b37ef3d07b62d166f200091b1dded01edc17b9f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\973F.tmp\b2e.exe

Filesize
4.1MB

MD5
54f6e5d8cd638f57519e3a6f3efae466

SHA1
a97f55f82c110ddc06012d05cd86b5ab41889788

SHA256
15f4f5c74297647d76accd8010b50f4c02b5c17c364d5be0a1e0857b721de075

SHA512
6cc2164bd9f7dcf77d856e7c3f79ce55b08f71c8879774943d602b2d8b8a19081f548caab5ea6c417213bf19cc8cef1a2c7635710fc98c784c74e3aa9806c9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\A131.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
719e4f6265ecfb2c85e413c5885c8426

SHA1
599632082b68920cf29d841689cd27c766ee256a

SHA256
d4b877e84085bb2c288052bb0fb2abcf07104620f058107ce908e47877a75ca6

SHA512
e9ba89434bb0dc16ccc1e7f6079b37a86b6da6691250eb92f7e90df497e86b8c9cc9308b12d4ca1ddc185d9b7617a7611f74f13ea67ac1ca7a9bb60c18bdb687

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
77aba1f424f3faa878eea25186e8afdd

SHA1
3e6947d7de0b5e0fadf7fa104d18eddb98f90b7d

SHA256
a613bacad7d5c366542ce8b4722d5db7abb4b0c9156b8a99bd756790907a0970

SHA512
8bb82115caa9796a4dda28bea575f002ab67fe77451d2b55d583f212851a35be7e289f7d2607e5dca3a7e89fedfe1eade293f6819cbaca948e730e280485a0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
819KB

MD5
7f0dd649678eecdb0c42600cd2e45cb1

SHA1
3185243fbf0b1db24ae412e84c50fda85a599844

SHA256
ea2454172856af3d6d33d895144e618918093cd128aac9327676c5458410ccab

SHA512
f08ea3c37321233fd0fe44d8a123fec31fde44ce7d52d776dc94ca42de29769649c5fa4326933cf5be5c1afb8943a5af09b2edf493a0519a9132ca33fed5d9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
423KB

MD5
acd2a590e7a8f3203d06ccb52f27031f

SHA1
66377d052ce20b3068eb93d1201f1df9e4d1894a

SHA256
0ee1fd294da1d63d609209827d13a917a116d8f303a49c58a6fe724b1336393f

SHA512
58910cb689af62de536b217481823146ffdac2cd222091f773bb3fa64f787619c16f9c2a301f93672f3e0c72f71d3b16e37c15a1292875b63d349b4cbac754a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
796KB

MD5
3a568f0fa815ffbd5306f18571af8d97

SHA1
11743b572cab43c70c3b1b1d8e933a00cf277dee

SHA256
6482d484b7d76d2c850f1aa1e98fe1bb8cf0849e35c5da50f313e0dd559448ec

SHA512
080bad39c3bcc4cdf24b7a77962614e8a199d5e56b55dff58d47afbc8a007431a89e1596e1178e17dc99c878a4f4f492bd7c54f127786c255c9c8c0102f3e1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
480KB

MD5
fcbd5f54dd91b259a80d0b5fdd45a1cd

SHA1
fc4eb873caabd1549bec1a306825ef28d1aa300a

SHA256
cc34d515dc1457a2422f78ad45dd9caa552500eb5085aab4f3b8f8a3bf6c3fa0

SHA512
94e99c7274b7b609f90edc162fe95538ac22cc65c784daf69624cbc9b1791fe2a5e6e4c64047874ec88247cfe8914193e7c67d27915d60b1f2916e6254274eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
422KB

MD5
3b8eb9bedff8067dea4085ba34d2c2db

SHA1
07c7a8bd4a1dc72804a48a740e2a4b7027ce87ba

SHA256
14269a7fff9028fc93990d4f3d59764597994c9f521617a89aca588ca573a168

SHA512
92fe1d1123590c07c6a7a63b246669accea798234cf18f6f5d7a573d86faebadf8e33072e752f019d6fe83e5ca008498db16ebc4c61bd779bc3dd7861d580c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
8d1aa679b73a839c1a982a87ac58de73

SHA1
7f2001b7896ef03e55066f54df7a5661756b3142

SHA256
873d2e3fc1c25083ad1b12feabeddebb632eab821535918f95b606bb5772561f

SHA512
03a27fb41661c25deef3e442f61baf7bd9075be4f73a6aa9932863abc16d0f736faaad945f73a65fe607702e157b7edbea81120f83cace512b033d53d29857d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
700KB

MD5
c7630cad54decae7653e15b5891e4c97

SHA1
5d9ab2b22cd2922638a0f2fb95c3f2486e0793c5

SHA256
e0a52ea3fd436ada8cd02ee25328eec82ae0b9c2f9b96aa5811e15ab1729a1c8

SHA512
53f0485d71dd505f8e01da46552616a2ed9726340b8afa42fa5c484d4dac9df4c210a03520cddcf3c85e9953fa5107ad432e648f7915ca76389ed21477b4216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
497KB

MD5
f5df24389ac08bb420f121ac00b92c4e

SHA1
e8ca332bf4187e4833830bc00d5fe8a145cfa3ae

SHA256
b72d1a718948fb7565322dc63968194ee5a5d8cb2eedc6b19442d4147440f40c

SHA512
d5dbc3d7a494d68672a825f2df7ca6f96f9b67cf5cd8262d545b9488b42cb6d9ca5cfcff973fa9c1e86f25b72702328f305ddcc7e1fe3f6f3bea69450e3fb5fe

Download Submit
memory/2428-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2428-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4664-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4984-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4984-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4984-49-0x0000000073670000-0x0000000073708000-memory.dmp

Filesize
608KB

Download
memory/4984-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/4984-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4984-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4984-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download