73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	b2e.exe
2332	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2332	cpuminer-sse2.exe
2332	cpuminer-sse2.exe
2332	cpuminer-sse2.exe
2332	cpuminer-sse2.exe
2332	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4704-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 3052	4704	batexe.exe	85
PID 4704 wrote to memory of 3052	4704	batexe.exe	85
PID 4704 wrote to memory of 3052	4704	batexe.exe	85
PID 3052 wrote to memory of 3208	3052	b2e.exe	86
PID 3052 wrote to memory of 3208	3052	b2e.exe	86
PID 3052 wrote to memory of 3208	3052	b2e.exe	86
PID 3208 wrote to memory of 2332	3208	cmd.exe	89
PID 3208 wrote to memory of 2332	3208	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\6E69.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6E69.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6E69.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7196.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6E69.tmp\b2e.exe

Filesize
1.3MB

MD5
5227643497d86d28d0a790044afb4fc6

SHA1
fe8bd62a9450c7f2fb1cb8bd1e28ade1756b5981

SHA256
6e60b324f4a3f067e46d9f0237239a7d3300b2d564b8701d56a8a404b41effb8

SHA512
0f7b545b22c30b94744cbd63f809dafd283ded5c7fe373d0b15edfa7bd03a5e0e219aa193e7acb16ea1d1fd807a627b52f7c4453bd42426ad53c135eb07f1200

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E69.tmp\b2e.exe

Filesize
2.1MB

MD5
f04d49049a5eb4c0537429883e9a2fa8

SHA1
b9c3c6986f88a71e88be3e34312047af0cce16be

SHA256
55d804dbe7ce75a516cca4a6f2c9df7b93d34d40763b4ddbb3af18b107eda29b

SHA512
adfff42265b95052cb8e5c439546217b8bc96548c4a6dd332d657e83ac84e53a13dd27109c38a5a47679f5ce24edbdef41932ac59b6ec2cc8bfc14276e747dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E69.tmp\b2e.exe

Filesize
1.6MB

MD5
7488a1ed6157d1a75d053dccb0506abd

SHA1
3af861d337b9ddbaac27ace4f75fd0e4a48109a3

SHA256
56c7338478f7ffb6cc1ad4d447b6c676fe8c9719549f3b02556d339134d1efb9

SHA512
77cb7546df5dd5b34119e64c4e31a45ef54b2c2ccaea1fced132296a9bda2e1dcecda5650c18c049d77232fffcf910e31f4e0f883eacf9a35389f7ba0d6b79af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7196.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
496KB

MD5
f5130f3b57c188737e5b8909c418c7d5

SHA1
31fb00b15b84c038b283935242d2629be9825b14

SHA256
98696bb0eaf1af8ae2e3995bb69b0d274f09b6de78db4f520e06887384b8af30

SHA512
1b55f91bfe3b610c6bdb55c71dc697343b537ded3cf10ffeb470b04ceaa8fa80a9f457f7f0c5c9c5efd748331251b57c7cb86dd0dda1fcaa1a534c0b20c06a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
543KB

MD5
fbb9726b33131e8e90ec403d4130e1a9

SHA1
29954f0f418b26640484e078fb7e11f5f0b3f375

SHA256
662cac272837db9abdf71ed5aaeba83d940c869f18c069d677aa44de3bca18af

SHA512
529d26b2fe24d4d66e6150eda02a96b4133f0b4816f8d0acc14c452b8ea77cc83f7079e160837a7fe3df46459dfb202ca75c189edc04b9d1b23ba6ae90696d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
452KB

MD5
acdc855737ccc82cf7bd7f0a9d30c7de

SHA1
718858b397f8d74b6cc2d58ab08af4069c5df469

SHA256
cdde99801d798f78342fd63c52fa64cdbbfecce0b830f22ddae98ba00ef1a339

SHA512
e46349b2a0e5877b354ba8ab80bed30359e5ff41fba93c40edb6b6ccfe31bc59f806f646e8e1f06774fca1a9823d0d2ce9b22f30eeafceab50c48a6fe21126ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
502KB

MD5
24bbdba3f9e4aa51c872113c850109fe

SHA1
c1b86383d1105622afd32d13768b97176dfcdeac

SHA256
fa826594e9a487c0290fca3a115bddea7fbe2ae133ccd5c1bf29ae53196584f0

SHA512
cb175e98416b02448b8bf660777549d92d83504b446f268439913bcc3673d5acc10344e597345553e8bfab2f83807bb6eab833d8dc7422aa62e17ee284412024

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
821KB

MD5
a3be8699b6fc1f19523467bd78375a8a

SHA1
36617ce748f8423072da42cf58aeff8f71f9a63d

SHA256
5129f77a6a285abf0d1bd2268346a0936de444ac549e429eb13175bf02dea56d

SHA512
ed7beab49cbbcab184dcd52c8f8557119557f2f2b7259e0f8af2739bc0e3f9976aa961f77e2e7c9f5c647690039d5eb8cf91490f111f0398cf9d7eacd95a64f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
343KB

MD5
d9addc32adcb5f8847d714f91ca44f62

SHA1
aea11dfa1145bfee1c11ea0639321d5a6c535617

SHA256
61993b376936c8fb4e146136df696bc64ac1972f45916d956285d9abb23c7fb8

SHA512
814dd015773bebaea5a6332a062c2cf9e83bc519e7350357663f62bd59a1ba01e69e72d90aabaf00a5f13a3847fd1f4ea0b6486ca41cd4b4bc27ab8f18684fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
520KB

MD5
ff13f5cfaa4b3fa74f8fc5ba23f54f69

SHA1
a3af656a338c14b597eee45bee78d2393cd68948

SHA256
2c0c8f80a6acbf778fd08cd0403e66242d4412e316712ce75a16eaeb11a365f8

SHA512
329507e968d99ab3edf166f82fec48fbb866bb2942e69cbce8deb0619e920401ab588b25c9060245a9eb6c81bcb16042bb1b8c20b9de0bba77986f86b3932046

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
247KB

MD5
70bb543eb774f31a9d1660353faeac4f

SHA1
6731d5ab77e3780ce0840da0f5cdc2c77e890116

SHA256
9ac54a25a0eac46c04c5ac11ca5b8a93d653f49b605fc69da20006c57b286089

SHA512
ba3adea5cccbfa6b4e84ac6c98347ecf13a268530ded8d0b9510737d1943526169a7077a02e914daac2a78690b4a8186eebbe63829702d66f2c27c8f3e2a1488

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
552KB

MD5
35d7a90b9e76ee172509b5e8ed500615

SHA1
613de23ccb4e07f5257c114ef98633bb435f82a7

SHA256
289d86a513defd8521bdc1271da1a15fe60646926f6412871476080601d39c7e

SHA512
df5963172f885ae642525392bb0bd05caebccfc435d9e6e04dd2c56403d14c5162404ab79f9541eedf4057268c1630070fd9fcb650898e51cbc4cff90cfad4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
515KB

MD5
ce9227a61d62f9da84498351655cc866

SHA1
1b6726dd70e392e5bbcf130c20eed3f0b343dd0c

SHA256
1679a5963c73eaed2f30cfa1139e74c60cfbcdeae86ffdf4a6321d50043ad012

SHA512
076d412d6c8e4e91a59d96a162bdae0cc3e61c940f6defc781b05cbcfe683b48e3915195e8a7b9b6ae1842cd9404a88bb03ff579e5c1605ad22a4ec1f705c30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
407KB

MD5
f685c33898d6b25f13fcde18645ecd87

SHA1
7a86a60e9fbaee908af6def4f4eacf7aef72cdc4

SHA256
69c08ffa5d8adb43a79cd1dddbda8d619928b6e76f929414b8d4f0150ffcaeca

SHA512
5bb55c38b370072ffa85dc36895692d2a28fa1511c95f108a749da3f9b19786a4c1c8f0007064b38ba64553d5fed93bec70db752f56116769e4eb35074bcdf24

Download Submit
memory/2332-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-46-0x0000000067D60000-0x0000000067DF8000-memory.dmp

Filesize
608KB

Download
memory/2332-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2332-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2332-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-47-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/2332-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2332-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3052-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3052-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4704-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download