73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	b2e.exe
3760	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2256	4916	batexe.exe	85
PID 4916 wrote to memory of 2256	4916	batexe.exe	85
PID 4916 wrote to memory of 2256	4916	batexe.exe	85
PID 2256 wrote to memory of 4280	2256	b2e.exe	86
PID 2256 wrote to memory of 4280	2256	b2e.exe	86
PID 2256 wrote to memory of 4280	2256	b2e.exe	86
PID 4280 wrote to memory of 3760	4280	cmd.exe	89
PID 4280 wrote to memory of 3760	4280	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F35.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe

Filesize
1.5MB

MD5
e13d53382cb6861c99ed129db856a203

SHA1
b07284c7c54e0088441be02600c738f68ae064de

SHA256
1337fb7f19933f32739abae169d31a45f1f581d381779cd4af2ee17628fe67f5

SHA512
4a9c0da23a85a4220d0d99cc50c725cf83e4268b6f694b37df1562d982c004d849403326f1cd3d9430331d0e23fcfc1297b914b95acb6ddfe19a926eece7f207

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe

Filesize
2.9MB

MD5
ac7022c4d89ab62ea78ba72150f81911

SHA1
4bb88f0660af6671ca648a0a25812099e255394b

SHA256
457166d54bd661d4eabc7571193825b2af1d4e43e8c4a2cb5456967cb6aad25e

SHA512
03f72e6c9db0c0bb7eb0d274daac8906a7b62fa88ffbf80c8241d4bc997af585319cb2ef725e193772c6fb9690f318c17c49a49a26d476cbf18d815a36f56be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B0E.tmp\b2e.exe

Filesize
3.1MB

MD5
fed9133b08230659c3070e84537a3312

SHA1
99e81c297c1159861230e00d27f26df44c23d729

SHA256
ba727620f51f1393fcef99ff3c2801504eff6a3b7c4abf392b036d50a9452372

SHA512
9f0814c5c5849c0189c3bc511dd52c5ef81a1277030741f002d895e8d871271878f63ccb19c376f37d18f38829353e05f331ab362738e2b4f37ee9459df09081

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F35.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
441KB

MD5
522c4e41902ef3a0ad2172fa6d2a193b

SHA1
6e08a9ee080d9e2638fd009440f2c6a376960258

SHA256
3eeeaccb31af63dff43dd0926f4a7b0706484823b46f8ceaf3ca7fb1785e4a8d

SHA512
d6750f882cf13c9c8507b86e81bba5f8cda3c27c97e7e6d3c85485d9e5f3f5952c321d1bc1b51ef85febbfe4b31263b5fdf5e47517b027d566db245282ae89d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
451KB

MD5
f4eaad17749b4522d360ad62c6a7a463

SHA1
c959c44eb9cf463af38433acac0d9f63434345b1

SHA256
fef3d35d71ced76685bcfe4f8f4fc09f0a9b5af5520947d550bbdb2a15c284fb

SHA512
ce774086314ad9a4fdd5c706097e557800b845581e807ac52de388457630a9e19d1cdcdb24912f97528335172badd5bd3946cf582119a8f0c862a28068481da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
213KB

MD5
eab02fcaf248fa1c8c362365c84110c2

SHA1
364dce398eb44e8f20778ebcefa47fdf7f3f0f68

SHA256
56c514ceb6ce6b6c8d943d06055069989fd0cac7056694b9d1fd369da78c1ba6

SHA512
1da26f3f278e1a1ad7a5505d58c4e98f33c314052e2e803a152f6ccaf83402c25e7f3beb7fd6ecbc4e4ccd75c9fd607de84ad447898fd979f8562aecb990f9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
342KB

MD5
824cbbeb9aa3f8bba221b4dd8d274fde

SHA1
b4b2810129073da278dbd9300e208eea8dc3115c

SHA256
b40a81e7e1c3e106040920fa9d13c50fd336c33ca90dd066c3ab1dc17c13edea

SHA512
108a04b01e22699e09500d4f074733fecbb545aaa6d65cf427bc252f2e82e3852fbd4ac5789cbc65c125c36fa4a96572ee9a3133105e5782c9bb2074ec2ca96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
421KB

MD5
4ee6387493365c44747b919d4148e89c

SHA1
784569169ed252abb506cdac798390e60b300645

SHA256
88d3cacc637590f956169c0fb59434ed22d0be51d7e5e046469b69ed8c9d7b55

SHA512
2942c1afdad8b16bacea8b04e44ec195fd02a4b4448c599f414ef367b758799836fdb3805a272b98c70ddacd8ac187af7462df7e605b3f76c1a18240b2e546db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
229KB

MD5
ac9fe102a8ad8af2f078616f206998bf

SHA1
f1dda11825e491929aa8b5275c4be828b73ce9ca

SHA256
0d27d91dd1d2b71a0d7281d178204b1348b2058c3c12700842aff34f6600475e

SHA512
ef276599bba949a9830d8cbd305dd0d87c05c8ac6c37592b672f8069088db03926bba99d469c80ad34c3aba01506999d5a95f33ede000e44c560e96ca57a731d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
589KB

MD5
d38dec2aac1b9a7dd2ae8cb4a7a482c7

SHA1
9a632dd3f64c527336482fc5cfe55318230516ce

SHA256
e0b6713c1048c112a24f433605902fdb602131675009be9913abad680dc23d63

SHA512
2f79a00f2dc8fa5a7ff63b3cdb5dd4b628a30ee02ad9a7b30825c12c9164795e9bf49973a0f00b8317679b26f4529ef1de172124f0e2340ce260b8c47dc9888f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
231KB

MD5
308f010e9fa1240693a8dd7c4c6d2e4b

SHA1
0c3061f5318a583798cf899241b177040bfd7ca7

SHA256
44cf8255dd6965d64d638e70e55499ec922e80e6fba94c2685cc9025bde09a23

SHA512
04204532f70ee051e53439252c2c8cdb5d06d8accdd64a7b8d56e2253d477d89933fbad60b1d3ac09fa919c8d660f9092c7db13a575960bcda1c9fc48da03c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
357KB

MD5
fb7b3dd0cf18862ca71d30242665bfc3

SHA1
6ce118d24b0111fe481155aadbb6b03bfcf99fce

SHA256
b1cebd648bcf4c5c61da939ea4eea0065bc07ccb3620b0cc255ae794b65dc9b5

SHA512
1991ba1faef8100891816266fdb4ea785b4b9d0d40fca9a3f5b6bd2cc2eda4e4023376a2a77e5851da26967d3fd3fe17957b6d33c2cf8b50c7a51cff26850e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
281KB

MD5
293b3aa78f2227bc28b700dbb56c00f9

SHA1
aea27c4402043dfe2a8322d52cb48c6dfe4a06fc

SHA256
1480fcb74cc90f4b057085dfd826811206f2386ea4ce8153402e10291a35b44e

SHA512
1552c1682c9cb3561fcc2edb1ddd52259fb111365a8a77579bac32e4ed6bad998615aba3deb0184e4177f6aed9b3f9343e798dbcc68a8a513da0a102cb76a6ae

Download Submit
memory/2256-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2256-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3760-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3760-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-47-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3760-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3760-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-49-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3760-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-46-0x0000000070B30000-0x0000000070BC8000-memory.dmp

Filesize
608KB

Download
memory/3760-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download