73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1124	b2e.exe
3468	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3468	cpuminer-sse2.exe
3468	cpuminer-sse2.exe
3468	cpuminer-sse2.exe
3468	cpuminer-sse2.exe
3468	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4336-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1124	4336	batexe.exe	85
PID 4336 wrote to memory of 1124	4336	batexe.exe	85
PID 4336 wrote to memory of 1124	4336	batexe.exe	85
PID 1124 wrote to memory of 2316	1124	b2e.exe	86
PID 1124 wrote to memory of 2316	1124	b2e.exe	86
PID 1124 wrote to memory of 2316	1124	b2e.exe	86
PID 2316 wrote to memory of 3468	2316	cmd.exe	89
PID 2316 wrote to memory of 3468	2316	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76D6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
4.5MB

MD5
f2b37c86de565a2ea08c4fc7e420ea02

SHA1
c087101e438c7996a2d6dbd6d2f2e5a5968e15af

SHA256
de99bd8c4ccb021445545bee55b940e8472b30473c393aba5964eeab153f5982

SHA512
4cbe9d092190849eeef01f1674f263282a992a53b7e6d6473e1c0ebb12f8d6fa125a999549714a8d8d0fb3866f883a00f8750c91eb414b6deabfac87e826fddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
1.8MB

MD5
f1582f867a687d129b30781fec16ac05

SHA1
b4cfd5c7d47d0df74c6d43022e43fd9a93358ed2

SHA256
c5e063140eddcb55ac1a618ea8f983b62a95bb05cf2f245689a5f530297d02be

SHA512
5beb200ff5d2b42d9e4483cb30f27537794a89defab3cc04fad9f7cf63167594a0a029526d57dfb5e1023a482cdbf2be6c9a20bd8c43de9ad302f9ed57a8fac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
2.0MB

MD5
0728dc4dbce9bc8e129e761066b3f9bb

SHA1
be8597f7e6beb3ee6a02f6b68fd2cd1b02ca2862

SHA256
9adfe308d5db201046bcd069c936cc5db178bb58f86e680dd32dd8f1bb52207e

SHA512
9a0c65ae467c55a3c11edbf31a68004e5cf5b850479a169236c88d108e0148b8c21a8edb143e8b40e9505e2cddce2b7efd2e632678a7fc8e030738c25df192e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\76D6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
378KB

MD5
17cee8edcba5e1aab188467832b2a335

SHA1
fac7a52272e2a7c4d69e668aac3d26400154a95c

SHA256
4f3959af8bc28fffddf4c0ae333d2f4e61af92d0dce9f43a185ce730011ec128

SHA512
8adea6f3dc3b89c40546066bef8585436f1ca798a8ad78b2da274bd850c96071a1b9b1f9cc7eab8dcc7f88db52b0119a929af8bc2a3374bdd59a852e55e7dd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
76KB

MD5
97ea55b7ce7c5196924ebe76746380c8

SHA1
18a16882a8d2f294f77ab111c2f6804a355336bd

SHA256
8521afa5f16c3925519a9559c77e3baa70aaf71b1cc87c00e03792363ce76982

SHA512
611d5a6a73fd0c8ed6a846f94de258059d1ed1b351573397dc45fad8a5c6bf2f425e5fcbec6ea69c19b9d9a8bb057e0d44cbe2dbb0f5542eb9690199ff9dc014

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
71KB

MD5
d7854e98f1834b6f09b6888835f06a13

SHA1
c3094fe540fcdfee442ce9888bf9f034be7764bd

SHA256
aec1cd988fc39c8255a12b97eb07bc2ee7740daef0a0b89d910085c010ee37bf

SHA512
c7cff0c0469298f3da937ae7ad4176cd3ac7f215c75e0f2c6e1615dd744374e75c1c7e553ed3f275facf3c7a4e36b69a6b1453d1c7fac37fca47feacfe5633cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
226KB

MD5
db441292da32de1bcf8750479bd7d3e2

SHA1
f6179220b871c532212407131e147afc4190fa46

SHA256
04eb26621e3a53a0e8448713e5c5799c15633f87009ef574f0442cf5a5962780

SHA512
105270ff3c7b6795eec4d6f64e9c5a4920e71e1430ea76c9102b986915cad628b0d31894cb9250bd180d8ba0a86259d68a6c024ce1aafa30d1cb7301394ac51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
139KB

MD5
92721a31fffcf8b005116a439803a45d

SHA1
ea581493f31096eb5a149a2bd6ec3392a6514d94

SHA256
5bf29d59ed4d305c324a0c43b7f109f3c525f9fb1e74bf8ee76dfe731fba1f6d

SHA512
9e1e5be5f6bc94255500766535233ce8b1428cae8294ab4a048189d88df44e3d7352ab029e6c1ad4103716bce9eb2e97877867fb8b88d563d7621b0106c2eafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
166KB

MD5
e7bc41e4900ba02e11f31b3581a94aa0

SHA1
ddb3e64c41f75affad04911c0471329205fcc979

SHA256
72dacf2b1f4b74cffaf5f3433b61e17d18a6066d272e5c01e83b03ea716a4cdd

SHA512
e4c4a4cdcce020ddc25b5ed249c10cf1a1e82f4e38a03182e922dae3e931ac55a31894642ecb300911ca9335c64588c1e9f0175fba769efc61cbfa48b2075bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
265KB

MD5
14979ef090f13c14f48066d925d81770

SHA1
cc450c98de145cca16ca1df76d3c03742d20ee81

SHA256
ada4f0b4e1fe176b4476cc31ddf250357cfe6caaaa6c24d2d7f418cd1f1bacb5

SHA512
03c68310f91c5a270f639a0a0bae6e0641c658dd7ba1c41df4bd5cdbadb2041ff67ad8b3631d3aede4b5b65abc8e3a185916906ec1ebc88c2db7ddb5d5ff08b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
117KB

MD5
4c06a79ed2a75086c868d2629e2c5c31

SHA1
d71455256bbed921d3c4c2b1fcf278c02b30269f

SHA256
727728f2844485f25a5a6a1526083d0ae3211571964ee2318e1747fc9d140ef7

SHA512
a7061afa000454b1f85a9c57709d054084221ba0befdc4364c62dc0495a27fbcd13d210b71a4a5cebaecaef8dec02d6a54c963552d23167f0a0678eda4721dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
171KB

MD5
dfccc1cefa240905899e47a1c186f678

SHA1
bf752465b2891e43c1688bc3d151b9079fd2ce52

SHA256
4dad987d38ad4083d6968e717528120557d2553391903ca15a661f4349417289

SHA512
bc801bba1a399beacffdd4c4ef4204fbfa526900ef220d79dca49a0a076ccbe3984905f2b5f1b81a409638c42d6e17c218e43af6208cd641eb06da7bf90b7404

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
178KB

MD5
d9cd56e31465559e9cb20e339dc7570e

SHA1
54663e075dc332540750f58cd5c29b1eac8d30b5

SHA256
bff3078388fe35bf709bb94b3def0e3316047263a19697d7cd71d817f242b091

SHA512
48476a8f7d7e1f8c7fbcbd0c67519f8262b9c30aa74c33078e80234a7efd6cd08fa536f49e8ecb6d82a66f610173619401daac0bfc299833df299d21cfe7acf0

Download Submit
memory/1124-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1124-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3468-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-46-0x000000005BE40000-0x000000005BED8000-memory.dmp

Filesize
608KB

Download
memory/3468-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3468-47-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/3468-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3468-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3468-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4336-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download