73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5212	b2e.exe
5388	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5388	cpuminer-sse2.exe
5388	cpuminer-sse2.exe
5388	cpuminer-sse2.exe
5388	cpuminer-sse2.exe
5388	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4216-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 5212	4216	batexe.exe	83
PID 4216 wrote to memory of 5212	4216	batexe.exe	83
PID 4216 wrote to memory of 5212	4216	batexe.exe	83
PID 5212 wrote to memory of 3436	5212	b2e.exe	84
PID 5212 wrote to memory of 3436	5212	b2e.exe	84
PID 5212 wrote to memory of 3436	5212	b2e.exe	84
PID 3436 wrote to memory of 5388	3436	cmd.exe	87
PID 3436 wrote to memory of 5388	3436	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6263.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe

Filesize
5.4MB

MD5
a23e10c70bf0b3d346632bcbd2970fe2

SHA1
833bd8af7fa0c3931fb20470561fdbf44bc82025

SHA256
487911a759d7b722c0ceaeb2a29bcd328d9692e27a34dec0fbfc2d229baad4b4

SHA512
5a36d8acdf9b62652cfc535798da3569605d73059a69bc8746792d9608bebcdc25f5c7505564754affb42a5dad93582bc02365b1760fbafab875591b4f67def3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe

Filesize
1005KB

MD5
a062cdee4e1c2c26e375178579c1556c

SHA1
5919af6ad0bf5884176c7caf8b5b13780e0260be

SHA256
e53e52ee76a3f4610e2f650d3f611e6c2c993afdea22d679d549957d250188ea

SHA512
0832fb41a40e5fb9e212a69cab939c1e1ada4e4c3144bddd4fc0393298e02c1f5f4e1df9a03f649b58943b5424b49d6ce04c2505303dbbe99d99f16963582ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe

Filesize
1.0MB

MD5
4c0c6c4080db5ba9133a3dc1b973f7ca

SHA1
c7aa8db89bcd12d031c242d5ca18f7f4ce89b2e4

SHA256
fd62b571e3958b92c7db02a4b702376f8bd99051ab22e49742a68dfa5fbbe0f2

SHA512
89f4b719792a0856e6e8cf4f796a87c57622fdd32e5e1e5240381e5f06e296267a599442cbd3f027ba19d44bbc3572b8577000ce342d89fba0e10d3933973874

Download Submit
C:\Users\Admin\AppData\Local\Temp\6263.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
357KB

MD5
7d5ee52d3c818c5e6adaa233990131e3

SHA1
c1b95cf954246fb77a2adb4e9334d60966aade21

SHA256
c7fcae156cb8dfb4159aad40386dfe4dbdc2a3ff785f80c1d85ee46e77fbd7c6

SHA512
723d69130ad43c92104ee1c845cfdf548ec8c33d395c86cb777ec181c37ca16e05a02abb27bb11e5ab2954da61aac5b151d6de64900b24a717099f4530659d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
266KB

MD5
539d5e51f7f6b2a9b3cd8594ddc91f72

SHA1
dc5311aa0d811f029a97fda520d0ca7210e47b17

SHA256
1eaca2d4648feef6733e94b8eaa6baa8758b6fe53530cde32481bbaa3bf7f46d

SHA512
6f9a968f674542f428dc248aff4c87e2c6f0fd2394d7db69c80846f510d16f198f8bd69fa16a89da4c7fff119f93b5f29bdceec266731c20dc19ac267174a730

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
183KB

MD5
7dfa9a4e5b2afcb94a3046046b9abbd5

SHA1
9f0d85607277797623d7c7e8552cf50d8a3f55f5

SHA256
0c7cd19e77d65b4c3eeb0b832284650f9400fc00812218834081619d92aaafb5

SHA512
21cb0fe8b836589cf719b1d4c5b283c53ea2af462ba528b75bd460e0d10c3dfbbfbf57d1a88d1671e9e8db97dd7db1bf96395b65719f4d379edf59b366299573

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
90KB

MD5
59681887750e40e618cb2fa4f4cf8a1f

SHA1
8fcfe07704ecac4bc7179bc446c75d2dd9c406f2

SHA256
89561ed02444df9bfec1aeeea7bf384dacce6ba8aa3eb77853e17bb2839c5509

SHA512
a80992fc6b0fd72f6101a643376db5dbaf16c240ccc9116c4a87356fc1ff68474c278b8b138890a0aae5df1f8897b0ead5712c44b0a2e3160dfd32e67914c2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
230KB

MD5
3a5d4645ad7ba063fd105a3e74b37afe

SHA1
4814100111a5ed43a5a0e5e069bb89021a6194e4

SHA256
e93f639ed2f513649a4da640b2cf0a5143d0841194c5faa67fb3f46bc91ea4f1

SHA512
7e48ee67a54429f1a147215d0fa8143eaed0b87c3128d5246feb804f33c48e04374704a5dc3d98a806749e75334b12711aa03d8c2ad9842ad06a2168fb37e234

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
164KB

MD5
71d33f259ba0d8618ba3b3af7c94d59b

SHA1
31f270361afde2dc180d63dbb05e47503f0c3e2c

SHA256
241afdc2750b5c47f88c5d8ad98fbf6f52067632ffd5a8337856b8ab0f4e11ee

SHA512
185896442b73709311a2a0acc9fec1978a330e0b102d068f2deafdcacea203aab2cce7f8f8d097819b3d1fc36120618a076de8d28af2bbeb06c12dec4aac17e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
ee5a1514f864b071df3b7581913b4a32

SHA1
56acea611b6d272bfd48b29a2a664b453d20c5e5

SHA256
cff6606c98115c485232e3c41bac137befb62a2b4bc41a6b6d899cff045150b4

SHA512
fe415f2bb8ce78f00a370cc15f6ae7a179d830836db8e37b748a2a8972a3f9dd8e03ac04e9937b8371cb35e9e19d0b97a09c2dda440e52702332b0cc4e854a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
267KB

MD5
912f042a35ce411c862e9f6c3fcd4799

SHA1
dbed1c022eb79271120254213cc70e0a8a716db5

SHA256
3e653362d0c495a0c099d6c09c1d9e48cc4594154a3ecb7a388d92cbe82ed325

SHA512
1a9f9403434212120c16cf78d7aa384892060e1122fa01d6942a2e00ac8e1fb2bc31bfe63a75b0f17a570f0ec547816b0c9a97786cdc6049ee3af9092a9d53b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
316KB

MD5
42e4c91253eddd335aa0f487707cfa16

SHA1
4da1991e7cd0b102930644af9ba7f91d4a827f49

SHA256
c9fcdb34f8d088cbba58c1f24cb4ca23dba52ed2b748f0c987aa8238c700688b

SHA512
b1f3403d6fb10b9fe468f3c87ba45fa363d7db0cb3b2d255f21ca972ba75d127c142b2f2b955318d797d3a74eb3bd8c06a747e5e2cb36d8d3030898b247c7182

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
227KB

MD5
3a488694085ab4b2d10363914381e27f

SHA1
eae4197c794f9dbc286b3429795e338c58d6c1d1

SHA256
b79e149ee76f69007b1934985dda43f095c7942434912d1685fee6689aa570aa

SHA512
0e8679785b4e14ccf03f872f4a32f69c9feac46e602e4beb3876c6f915aec6f5cf5e78c26f9bf3684bff1cd47e0320be686228cf7a1b261d2a08cc1350ff28a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
153KB

MD5
9a9e9c9ee14ecffec04bc2d8d85458be

SHA1
2d8116ee257c1b823296a8b60be7b6304b0393fc

SHA256
2c18f5f575a939852aea63655a102c81f5f840e1d3e7eb9dd7bf83def9c6b17f

SHA512
838bdb75dbb63c191c618d96231c11bbf748b350332298baa0fe064be2823a4e336e15ef295c4abde4ef294f5c61f9c6e9780a99a8a351f430d05e4a4cf0a884

Download Submit
memory/4216-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5212-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5212-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5388-47-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/5388-45-0x000000006EB00000-0x000000006EB98000-memory.dmp

Filesize
608KB

Download
memory/5388-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5388-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5388-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5388-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download