73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
468	b2e.exe
3864	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe
3864	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/752-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 468	752	batexe.exe	84
PID 752 wrote to memory of 468	752	batexe.exe	84
PID 752 wrote to memory of 468	752	batexe.exe	84
PID 468 wrote to memory of 1140	468	b2e.exe	85
PID 468 wrote to memory of 1140	468	b2e.exe	85
PID 468 wrote to memory of 1140	468	b2e.exe	85
PID 1140 wrote to memory of 3864	1140	cmd.exe	88
PID 1140 wrote to memory of 3864	1140	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\6906.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6906.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6906.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7683.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6906.tmp\b2e.exe

Filesize
5.3MB

MD5
ec1e5effef3d506bee2fe55d2c304bf3

SHA1
5c441f756f2b61b9bf94f4dc198e6ac7add4fc3e

SHA256
fb57a1870eb6044bcbb6fdb4e0c37d322a5c8f7f2260ac3951eaf9095793dabd

SHA512
53aecb8f81c07961a1be42cb393f615fd883472b99fc50361943cf67c09af38abab50d0235b9731d971ff8250e56ae57d952b36cbcdd46960b70beefbd104b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\6906.tmp\b2e.exe

Filesize
3.1MB

MD5
bca8c467df66fcb86bc5fd5254816917

SHA1
7e630f497e0f72ed5a6812698ff171ca638f174c

SHA256
cb6746e6dfe3139ec13e762f76e663fa06192d24b0054a384248566d2804c3ab

SHA512
ed1a714e39f36e26eb6b7ff92beb51b5cd6a0440f8ecaf19edc6960b9f015496924080513c4c123adccc075b9c5fa223f5cf2b365a17b8048ed3c50474a99eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6906.tmp\b2e.exe

Filesize
2.4MB

MD5
8433add10c7869f23769e6354f77a923

SHA1
07cd983f8385f62d62582014c3d9b177b9dbed0b

SHA256
24072543a6e91632327ed40ba50656d38980fd72c63b4d234b38e4ed4fb5436e

SHA512
ea54d34de50559099030ca6f9add61af2bbf7c3b61d933f7e0b165540706f5fe9cdf705a98e56b8ca11c76915f0f3421b24ae9b0317948ad80f68879a1e7657b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7683.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
882KB

MD5
27018f943b9c3aaad13d969b95098d91

SHA1
ad7a2c211af1d48d2d1811f96f5b0249bd54a49a

SHA256
5a21f2828cb8a84ea41fdf5319a9a358cc6a1c78433b86e7ae842ce3eabcf5f8

SHA512
f5a59eae048101a56b4d25aabd4c1bbc22c914feeba26c9ee4a9fcd1080b281402db187a0a03f8fb508599996e63d82e127ee0668358c4a6e41fb875ca3df91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
692KB

MD5
b50f56dca7f82275fec4bc9f70c43a6f

SHA1
1d59cd6a4c7af308a8df36dd9005e90ffe12ebe0

SHA256
51d503c46c4d09982f6409d3e7de6f534410f5f099c6033d2b494b56e29a0466

SHA512
a4a5a247bbaa7e9a42cfcdd0036c31742aa568ea27d06820e8de477fbc17f5da3304d865b5d0c2688d322fb786333b85497b68e1bd0ba7165b58b36c16330893

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
832KB

MD5
9b527cc7775e3fefc75ebd6cf497b81b

SHA1
7405b4528854589bc404f55c0e591d2e534d8d63

SHA256
eb4270d5203fe07ee63a7161093d69577ada5ad4ca659a6181d63953a69bca72

SHA512
6471f61ebc78e6ab30cce7cb444c582a8a24cbcbff1a8cc3d22d20d299d53c6377127e76bcc2a1e2c9108cd65d6fb89d42ddf89b04140c8e225f5115984a4b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
938KB

MD5
d5c607e25d31415ef2177febd094895d

SHA1
4f7abe1785f8357c02019da340b03b71ff2cf8e1

SHA256
fa15d6b13b9441e20097321f7dd02b225aa10b4383bcf5f0acea37835e4f7d55

SHA512
1c7ceda271719661a60cb84b5b07f8cf026cd93f50761896da7338db748081f74f52b6f366da4e8b0365252cf7949acd8ad98575bae9e0c2e8b73c344933c0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
676KB

MD5
0330ef469aa757e6559d742518f5295c

SHA1
250e8ef8fb2e4d3b30b9812b6c6e26b39d34a12d

SHA256
ca47fb731e1cb9f24c4490584530375b348516faa6b9685002a1400e1e39b33b

SHA512
776f8b053a6234980f38382d5058650da48706b86b667b3587ddaf94b19d221a07fae69100cd160f24ad2761c4ed51d027e4834f9d1b1640b3ffac14a7e95c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
691KB

MD5
f33bd1098cc4bc7a00fb08db8fb3824e

SHA1
732010f087dd1534418d0c7159fb2070cb9948d1

SHA256
d977afe1410b833a6f7ff6e8141f37a0563ab8dc8c2cdd79750335b23b3fb97b

SHA512
a6c357741e05ce8f4a7382fe60774744b0c90932b019126116ce44ece8e0a189a6755f398922eff4034b4f20d9d0a1c40d91e1ef2e1a4ab0d5cee0cfd45254c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
884KB

MD5
fe219afc31895a5c3a5a1821d2aadd81

SHA1
613ef4119dfef2f270940a36bc54c06a742a590d

SHA256
fb5f9bcabd3aa4e0c32a43bf2b06051fc817913d10090c600e262d53196e1598

SHA512
400684de4824595e28b10869ab14d7028714fbe97c4d76b46d0feac7270b1919459d9e687803ea9d9239f3ce937e27f5dfcefe0237145efc583bb06071593782

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
604KB

MD5
bae989193269893462bb99de9593443f

SHA1
c262dba1b9ef3f31e5e978bebe54098f51b712ba

SHA256
6feebf24930a9c5ef9ce9c9e3b078c3a6680c2912e90f368ab34fac330132b32

SHA512
4c450bcc562669118fb9afd197978d7807d032d8594966951cfd41ae1652759e98fbcd33ef6be8b9665d17c15e951788e4c24781f66982991b69ee7fdc78e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
460KB

MD5
4754aab39cb4e017404a45494b4547a9

SHA1
bcfa6028d04ec0e04b5a0926b90a05a278309d9a

SHA256
bc172ad35959ced0a461499bfcd1975d0126e72f6c85d9695e24866ac0f9e095

SHA512
3d615958727a2264f852ced09c12877c8655f906ba1122e20fc01fd57a1cbeafec0bc3b21f3ca57e1fa9ba1937757595675b64fb1a3709dde304845d2735c572

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
584KB

MD5
325ff5f1c850c97eee261104aa532f28

SHA1
65efaeb8607b154ff72aaf7cd1d3ae212d32df3f

SHA256
aca671adf76c23fbaa1973137eb557c2a05aeb3e648ca083670ff8bd4dfa8b6b

SHA512
426163b0ef162f10a2f564260c902260de808d109f9c3aa04134803db15ad36a280d31abefaaf295935bbddaa883497f2788746e7a1952975622ab0ca555c390

Download Submit
memory/468-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/468-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/752-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3864-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3864-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3864-45-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/3864-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-51-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3864-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3864-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3864-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download