73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
6092	b2e.exe
5392	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
5392	cpuminer-sse2.exe
5392	cpuminer-sse2.exe
5392	cpuminer-sse2.exe
5392	cpuminer-sse2.exe
5392	cpuminer-sse2.exe
5392	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 6092	4912	batexe.exe	85
PID 4912 wrote to memory of 6092	4912	batexe.exe	85
PID 4912 wrote to memory of 6092	4912	batexe.exe	85
PID 6092 wrote to memory of 456	6092	b2e.exe	86
PID 6092 wrote to memory of 456	6092	b2e.exe	86
PID 6092 wrote to memory of 456	6092	b2e.exe	86
PID 456 wrote to memory of 5392	456	cmd.exe	89
PID 456 wrote to memory of 5392	456	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4CE3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\b2e.exe

Filesize
9.6MB

MD5
b040b616665ab19474313141578c5dbb

SHA1
c6a236d60457f620abccc75af2ea06e6ae0afffa

SHA256
859691b8507279e5caa04a02257391e49511fac78eeaff4cc4d110d66df2cc6e

SHA512
44e68b9c9d791ac70140ccf09718a372a25f5d0b973673defab1d9eb6cc83dde46f68f6653eeb5343e73484e6d042c3e56dab14ed000d321da289236cb3f8f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3F.tmp\b2e.exe

Filesize
4.5MB

MD5
8e95ed607a08f26d1bd801129562391b

SHA1
2921ff44b40afbe759b73f49f274b411115f5b81

SHA256
fce3099285470fa553df7be90adaf3aa7e3f6c8bd7a2da9c5f52d687452ee4ae

SHA512
8007a99e86d4d605a9f952ed890e0c4f1175298d34d1397515045ef532ada11da906659013631b1225cc2d40406e5c2c0199075f97d84a09cd94ccad10d747fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CE3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
642KB

MD5
40d99474f05443055dda55c8d497c3a3

SHA1
99323136ad7f260c81e35a9e3b66308353f88c2d

SHA256
2f02424f17a43de5cfe91733f8e5a85013b9ae77338c6d0f7bd8a50f408f12d0

SHA512
603b529b9a465ee30d6b7441653f02065953a894d9faa53a35db02f162ceaa8ad6192d70c92a8abde0ccda7edfe8dcc82d35a40755fab63e3644d417c642a39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
703KB

MD5
dfc73136f83569539091b68cc85a2507

SHA1
bccd20c2fd37f1a899af595570926dd4d1eb0be1

SHA256
a05740de8669a9d10efe348aeaf7f639ce7138f26f6e9002d2289f28213e889b

SHA512
d6a1d95785e70373ce94b5a34476dea43f8fd4a2ab108ae377bb47074f181300cd30d6dfb8e373c30f34d228b894c0a8cf7d8e1b919a499d2c04c684a25c3c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
611KB

MD5
8f11e07ecb024ddd1e1431a324af3a9a

SHA1
debb8c9365d9e419bccff23df7c53e0439434be0

SHA256
d362e180ba28606347fb8094a7a84dde62ca5a2a09b07f8788a0d809e79bc81d

SHA512
0fa807fbd9513c5dc3a9a49ed26a57dbf6c4f1b52a612b613cbca04000eee7b716d5cd6d19c6cc3e8a1ae5dbd8d8d055c2c25f6c1c7a802ebe170cf8c7c5b9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
316KB

MD5
e12b9d0f69fe989ca96e6308baefd63e

SHA1
c0209dc57968f488549ff524bc119e845c0c6d71

SHA256
20071115f3be863b707c64d9423277b0c6c30b3e342f3b6d5bc2548bfe8bdcf7

SHA512
bb7da50f1d8df049933a17cc74409130be4430f84dfbc869d509d7f411cafbbf0fea0cf3fab7bf60c6f669816a4ed60af933fc2ae73426e4b3ba8c414b0bdb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
305KB

MD5
1eec0b222de53557f5746bd322040885

SHA1
63f99a44bf6265029d3fa68dd0888a66f8e8c2de

SHA256
82d49fc1f03a7caca388923fd93e67c4e01d6bf2a73b6567d7dbedc44b0d68c7

SHA512
4a8b9a3143a3142b6437d14dad2bbec9b90ba4de05d9b565478d66b457704362c05a60a212840c150e4e678f75972f3d079d333e5aa68fe3be6f50a898af57c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
520KB

MD5
205fd59db3d43f9baf7fc7d02f4cb796

SHA1
3d6d33e1ab3dd959a48bc60604f33fdc70de89f4

SHA256
5a39dba0159215b809b1d2399256d5c26ae8f635fb0ed41ac4e2d4a31bed3789

SHA512
a4da61728c7bc4c5d06ac7254e0a8a02973e4129f46b5ce3c97f68147b2c9014c91d04191699478efbf43f91317f35bf03f8b7677b99fb608b18a7833b661e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
220KB

MD5
9eda00eae5c0d4825512a918425ec028

SHA1
fc1dcbe9049be5f184fafdd37988d15539c98b03

SHA256
9217f3b48c6012350df03a6fd65ca73e425fc39a15327b847881873886b5293e

SHA512
f5447866bfe9eddff84c7c63062aea98b24b92ccb96733558d4bf583ce9933b31f3ba51e17fe7d2d2f976c7bf17f4fbf7248b26c530cb43bab5714b984a8ad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
192KB

MD5
76847159c9ebd1f17d9a642b1ea37c7b

SHA1
b0ac2efb18c7c8dea59f142d9603cd79c2be4762

SHA256
ac3fd5c90f89f7131723a34c294189932d1c1d2fd9b5e366f323486d9d4c9801

SHA512
91c217f0b31a11712f617e1e09bebf760fcc30704d311e2676b7f0f25207c22ca8c140aeeaead42ccb56c162e7aa5db51433dd2d55ae72c7f420e765d109c2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
519KB

MD5
a3d5dc06b21f627ce73d39ee4725ba6b

SHA1
a0583591c3ac3cf4dbc75138e3687316383bf40d

SHA256
f4c02ecc44d89cb565e350c39f79441b5dcd2815e5ca0fa4f7da8ac06f43c525

SHA512
016b18c7401f566ccb666e790ea3bca4eb374fa606c9819af4ddc059d6c7da55252706cc49c94373305a5a3672a0aa4a1060d1db4abb793823b6c4be174b0ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
476KB

MD5
42ac07db2a4580d3c64ae9644952a241

SHA1
17ce08a695efebbe8bbac79ba7801ee9e41fb244

SHA256
ee2d0083a0011f2c931a3a40435723be53c2dbc8754ea77f04bdf42dcabf7991

SHA512
18409da1aff71972727efdc21b6596c1ec1ab53aa096b128f1cb512c3eb00f429f7e3713c993717764fb64a896e706df824cb3788c62fc034614c91b66334100

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
143KB

MD5
ef368255d0014366b5e1c4ede7b73aa5

SHA1
0432c95715ceb305033d3cb3cc6ef39948ecb8c9

SHA256
279c29c98cb72111e96e7537f61ce3f851b78b7740b9cadee037b3c25f2a48ff

SHA512
c1f5cdd6025339fbc79ddda2e9d2e9595d647af8cb9101a13782da5e42dc3341b16014e8e2352c3adb4d67b6e5c526cbfeaaa7898253255578642376c0178e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
376KB

MD5
c4251048504fba596e13241c790171c8

SHA1
37d821b6aff11cf213482aacd374f30280ebf8fb

SHA256
9dd7ecb7ef1a75442079caadab2e48400d88ad459b062da17a1b19dca6b4e7cc

SHA512
07178b4b2b1305cf20a229b4a2c119a9f84ba39d6e1e23ec09f8ac590b9affcfab96bc2e822aa1ca5e6f38b3506c93bd9895ccf54eb84e27f414dbb61bf4d081

Download Submit
memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5392-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5392-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5392-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5392-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5392-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/5392-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5392-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/6092-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/6092-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download