73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
302s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20/02/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	b2e.exe
5036	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5036	cpuminer-sse2.exe
5036	cpuminer-sse2.exe
5036	cpuminer-sse2.exe
5036	cpuminer-sse2.exe
5036	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5444-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5444 wrote to memory of 1184	5444	batexe.exe	81
PID 5444 wrote to memory of 1184	5444	batexe.exe	81
PID 5444 wrote to memory of 1184	5444	batexe.exe	81
PID 1184 wrote to memory of 4752	1184	b2e.exe	82
PID 1184 wrote to memory of 4752	1184	b2e.exe	82
PID 1184 wrote to memory of 4752	1184	b2e.exe	82
PID 4752 wrote to memory of 5036	4752	cmd.exe	85
PID 4752 wrote to memory of 5036	4752	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5444
- C:\Users\Admin\AppData\Local\Temp\2A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\2A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C6F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2A.tmp\b2e.exe

Filesize
11.4MB

MD5
12b8ac5b325fe919f52cf1d4eb6e83ef

SHA1
0525c796d0c52633b865915b5b6b04f899a7443a

SHA256
55d6ac5c6767005b979562663283acf4d6bf87e34c7d767dd2ff059cda24a26c

SHA512
8dbe48c15cf43f5dc37974f9e9256c66a49cbe4b1047faaaa8402e64fab5c6a6101aa3e0c821509c458338a96e2f8b40eec811e01ff68677a8a6b4e78e25a5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A.tmp\b2e.exe

Filesize
2.1MB

MD5
6a1d94904bcd2e065fc86cbd149c43c3

SHA1
81e5dcab1d5dee4a4fdfb406749fce6cb2a23fef

SHA256
ed3e83776e1ac8c00e073fcc704abc597e49f65165ec5b7ac4669f3bb133d0ea

SHA512
669d35cdec78c2c307a93debfef8966840b48793413d646abe235378acf6dd23689b415a0216c88820daa27859949deff2dffa30205f62837188b923c1b41233

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A.tmp\b2e.exe

Filesize
904KB

MD5
07353ff766478c1c3805d43d5c1a67db

SHA1
441afc4329ed5a19f728c277944b261745876c7d

SHA256
031a2e1515c869e8c4aaa86a1d3537b00fc69aaf1763b92517f56e470efb1cba

SHA512
eae57ae4e72ba3ab2414e86ea6d8cf758d68ef39a08081cc58b49af2eee737c3ef81c4c0c04d960b68980cfd8d94daf5a6cabb028c73c19a8a41e95f9b23a6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
111KB

MD5
aeba24fa63208048a89e5fcc3b5fc25c

SHA1
169a18ea55ff131e9eef8f12a21bd49f88bbcbc7

SHA256
a1e5e7a9a76042a20bc65574b376ce2da6c725aa66451cbc3347a6a32fa21e7a

SHA512
8fcd5a9a20a8384a3e85aa9a46d97ec3a3f98a9ca67189d29948f5706c15a0169c7306824d0e03bca388a133ef97869046d1aa0740119beea38091bf050fe2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
151KB

MD5
ae3e6c21b9ee8c0b427f401aa93cb952

SHA1
de7a89d8ff2ab74471a2fe09d2fb28159169e18e

SHA256
3fdb637a4e3373f3cc0ae55079b47e7fa297b6ce638145939b87433d46dec939

SHA512
6fd76af9985e9d050921c2ade1e3ec0513b64f29bc3ae70b92b498b558a363dca39728e00fc258ea65ef87faf720e3b15d8f9a2866a443ef7616c6ea90a09690

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
69KB

MD5
fc6f55ab1c98e4d7b6e6b699867e2777

SHA1
4163036b2aac4eb4356b6e938a7252017550857a

SHA256
36d740d815f9528d4ca2ed4cc4ad50a96f722eba3fbc214dd3dd6b60595cc38d

SHA512
b1076c30aed208f82e8f5c5ab2e30f8d0105e6cbb5124831725c53bdd8c0ad65903ae66e20da3eae47ad889317f210871946532fb0ccc8a2cb71de69699f2bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
229KB

MD5
c907c87e8e46f96de0ae1f9baded4a39

SHA1
fa97de93bc30fe2a4de92111a45c3668eb8cb80b

SHA256
5fe174e125af3e55f5f22f4ea7ca90da2d35d8b8b966dbf26ec470d1bad5828d

SHA512
e2f9ad0715911a9e6ed6c35dfc58888916eb2f13e6b4e19d282c240444c172e9f047747bbbae25a73e8f28e82a208e3404281a63457f5e5fa13b37445f5bf719

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
92KB

MD5
5cb5e3ce27f1a3dfcfea02a589363c31

SHA1
b5772cd23a4a0b0f12a6118482ddb8a162635066

SHA256
f1e65a645719fb470b1846b41a6f42d9d5643edc11a019602c2634d59dfc1c05

SHA512
0bd26ddff06bb04df3fce35f2b33e597fa45feca0b697ab83ac48929da116f09c155e2e367882bfa94fb5d53577498a2f7408e00aea0de02429bb005392fa1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
96KB

MD5
f5ed624af182ceee41d97bad09fdfc25

SHA1
7b80bc02fd615c8e928e02416ab61200918835c0

SHA256
3dbd94bcd4e732ab14872e5e431d0b10f2d61b2077701001b332bd8577fae587

SHA512
216439009067ca1c69d398b23cfa49ffb4956079f9859b1dac78c40708d967ddf136165b21dbac9c8d5ed2577f392c28964fcb55fb986eb5c19b52bcc8044bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
71KB

MD5
f198ed1039326e6272c38253fb95e88b

SHA1
a3d3e0ac01b320672c88ebbfe55ca49dc5baf445

SHA256
5a216ec9aa35ec4ef6b3a0f631f0aa81eff061badf2dfba24c3401703fe4077a

SHA512
538b4884a6293be0e6e715d7822d7aa03ffec9b5ac8be904fdb6dbea3ece2c533a84d6b7bd706c48241be696c15a97b7ef00c1b93b58e733718ca89a05f4445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
83KB

MD5
f41c4106356010781d6629227deb1504

SHA1
0be03816462469b1124d1dc9032d056bc2adc7c7

SHA256
ccbab16145f24f0c024e4a76cc1d31d9faf7684f910ae6e84662190970c39c36

SHA512
27aa222deeb436b434583f2a0fbf036d499205ed8af39b948070a590fe8a4126e1adc52d367b2188699e38b68e993c1ffaa052b7150903e47bea9b4165980808

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
96KB

MD5
959c04c1c59b2777723c407a683b35e8

SHA1
6e4381a7bd5085ecd3df2c9728b2f9e7bbc57fa9

SHA256
b34689231e5a14d743a4d506b4e9a242d0b3923474a2bfcce9d07b274ed9ad39

SHA512
5e3fd202cabf7628a1fcaf39155d403167f2200c162d8d512d65035fa7567b71aff35e1750a8c16ecc9bb3c4adb50729006bbeaf3038a5deb8b3047085d1b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
57KB

MD5
07b59122b40ce7a866b54f68cf5b7ceb

SHA1
f95371c9234b6145bbc6ef086213c86dade22921

SHA256
c97fcebe672fa8f7703e7b627d248b9b87a51d8ffeb6ac1dab72cec31106ca7d

SHA512
9796f33345c001a51b49fce5319c0a0bfb144b37f26ba7d9c1e26a619c9e151667e2d67171be1afcdaf56b05d537a4999315d523fc98739c7f4766fb90acb0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
198KB

MD5
8b3365853474d5feacb591705e363b55

SHA1
1e51d9eb840479ef61f27aea58c213f3f9634200

SHA256
5d9f7c173527a6706f6ae9bde5a0dfd0b7623e2e1f6db8fd54d78bcfb124e3a6

SHA512
0d165a1bac245d9a82b70d822169c636afde3dd5b03d27c0d7beb1469e7f22d673b147437e68cad2d3e613d6f94cc89b30f048695948ee9c12e0b34cadbf086c

Download Submit
memory/1184-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1184-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5036-47-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/5036-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5036-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5036-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/5036-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5036-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5444-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download