73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4832	b2e.exe
1644	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1644	cpuminer-sse2.exe
1644	cpuminer-sse2.exe
1644	cpuminer-sse2.exe
1644	cpuminer-sse2.exe
1644	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5548-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5548 wrote to memory of 4832	5548	batexe.exe	84
PID 5548 wrote to memory of 4832	5548	batexe.exe	84
PID 5548 wrote to memory of 4832	5548	batexe.exe	84
PID 4832 wrote to memory of 1208	4832	b2e.exe	85
PID 4832 wrote to memory of 1208	4832	b2e.exe	85
PID 4832 wrote to memory of 1208	4832	b2e.exe	85
PID 1208 wrote to memory of 1644	1208	cmd.exe	88
PID 1208 wrote to memory of 1644	1208	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5548
- C:\Users\Admin\AppData\Local\Temp\5AE1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5AE1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5AE1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5AE1.tmp\b2e.exe

Filesize
32.9MB

MD5
ecfe2f0ec44d09bc9da5e75fbcbedbe5

SHA1
5f36c60cdb40c698cf7761764db6e30c2d2c15be

SHA256
48f56775d057b1d5b11d3c9d28c9dd776b3cb19f3fea79f4f858ec5129995575

SHA512
aa89ca23ed0e3b51d8b8418474dd9af5cb46b862586b654082c0013565e2a02a4ea9e658596a36ba443a21ae47afa928f5cf2271006ff444e333792db356606c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AE1.tmp\b2e.exe

Filesize
12.7MB

MD5
9b9f582d50b55bfe99f9e47cc712cfff

SHA1
65ae5afc6f875c854c21a9a531f46b28c6ab4555

SHA256
2bdf69a46da83947ec182681c954a5201ecec4ff06371ba93d1ab616329ce0e4

SHA512
c56144bdf9f45a78f773e844e8415e2424f899e10516f9edb65b4eaf9c2e4bad24b66082c5d519442fb388fb6dd9da1ff08bf25e958367735c2529bf4ecb428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AE1.tmp\b2e.exe

Filesize
12.2MB

MD5
279b7a8422da571481fe522c5af327ef

SHA1
bf285b9e4d2ac5fcc1289c11397e90e04d7b7aa7

SHA256
4078b4647158a788fa26bc35bb411ec84a087c1649ef475368a82e29efa0d6ac

SHA512
0c45af14d45633582326e7f0f274eb1a6d8923b716faf9422fc764f4369e1261171ae069884c6736c89ca73d25aeac1d50a758d139dc3d2cfd3f9b68cc2e49f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
4ff74831f154773ce0f6437abfd0ba4f

SHA1
b9ac1e63975ff7494e0f0ffb5146be8ed86d6e2c

SHA256
df9b335bb9a475519b633674179aa216bf844b371df7b3c5823bae50d892e7ec

SHA512
b972dda46990ebe84c68988a927ce74d57c0d75ba297d5ef1f938cd10eb8135a74e0dd5f97e0eea7a8301e6376ca90cab6782a8c8f3c7ef4abfef1eb3a08a524

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
704KB

MD5
903e2cfee96d720dd5200a922b637d07

SHA1
f6d639d7b6bb586abcb5f97b1b212252ed6c85b2

SHA256
443ef0fe0e5e9cff04e267b1bbbbc98b547e5bd38a853eb79d06a43a8e7d17f2

SHA512
c9c357be28d1d97bd5255d88bc64255f452867407c3aa4c99b286913286780da1204691a0344514f070b8bad391980a88b165eb1e8e9ee97f77ef02eb85071c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
704KB

MD5
538d0a2af59454daf4418e27268ec013

SHA1
dd5e047f232d3827ba6f9c1da4f17928557dd6e6

SHA256
ef618dca52a4f65f6fd72fd721744185c44cfeff6ff90928f56481969eab4126

SHA512
1c958d315013726aa6ebc24552fb4d712a30ad6e5621db0f9037924ccb8cdf45063a01ed6da3aa50485ad084248a9c67c3513aabecf9d324eacaaa2b75f0a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
576KB

MD5
46e1c7531774dee6a7125727095ea354

SHA1
2248bc2bd821aded068d2e5e55f5e7271b50ab91

SHA256
cecc229ea9e416207638b67d03bc6846fa188a14fe1c9e75028afb48ff4e2081

SHA512
fa9dc86df3e0a8f7b2579785c03717a43eec14beab8ca3176f73d4ecb0716d047241ab30cd53518e7acd645e9f8282a20552a6fa33824c34afc5c5210cc69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
1b7339cbcb5b756c15c05fe0cc6443f3

SHA1
abdba01c4526a9bbbb7fd3853e09bce3cbb5287d

SHA256
5fcf0fb116f77206758e3a669ec4fa52648fae431a5c2aa2d7ee69944142e019

SHA512
7661b5e8413e74432a00089b1556b2f49e268b6b5c8cefd839cbe19074bffd138c18e8078627420f4082f579a9e3f8d02b199507ae36380b5375162a4d4ba439

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
512KB

MD5
a3dea3777f14f1235327b648410a9406

SHA1
9ab139a0c947962b3c471c36e8b9cca4d750c889

SHA256
ff432926dd375c44e9a86cc2520c46e66be2d212e35fb73f16ebc4b48b98b6d1

SHA512
b6cacf9e5d8adebdb3c4ae9b6eaddda6a90d9eae32bdc4cf6eb36ad7cf14d02486ac0c32942e3bc504e943a544fa71a6c9e2fec8fb07c456290646107b4edea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
449KB

MD5
4da1db1ec61d396ab3815722e87fbf50

SHA1
cbc54cfd01213b9753f76f0e7c592417e0c42c04

SHA256
f3fa3e1eaaf3b1efc5ebdaf08a54d6ed1144249c7674c60b8122abc153396346

SHA512
36c550b77bc003e552d7715e6d026e2856304029421efedc0195f04d3721e30bebec0edb00f926099e9e1680ab9aa323a1b6e4f9bfe0e374d482a5efbb97805a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
memory/1644-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1644-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1644-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1644-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1644-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1644-46-0x0000000064990000-0x0000000064A28000-memory.dmp

Filesize
608KB

Download
memory/1644-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1644-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1644-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1644-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1644-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4832-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4832-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5548-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download