73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4692	b2e.exe
3188	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3188	cpuminer-sse2.exe
3188	cpuminer-sse2.exe
3188	cpuminer-sse2.exe
3188	cpuminer-sse2.exe
3188	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4664-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4692	4664	batexe.exe	86
PID 4664 wrote to memory of 4692	4664	batexe.exe	86
PID 4664 wrote to memory of 4692	4664	batexe.exe	86
PID 4692 wrote to memory of 2424	4692	b2e.exe	87
PID 4692 wrote to memory of 2424	4692	b2e.exe	87
PID 4692 wrote to memory of 2424	4692	b2e.exe	87
PID 2424 wrote to memory of 3188	2424	cmd.exe	90
PID 2424 wrote to memory of 3188	2424	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E24.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe

Filesize
180KB

MD5
abff3d3dc367728e1ec57fe40178c6cd

SHA1
62ea45fca3645bf0adb69b4e118b24516a8e3ec8

SHA256
59c08ad4d67fd8bb9c76cbf66105c0adad65c42085df303a6441ed13f5952113

SHA512
85433cfcbabae4e9b82987fa07eceba8d622d1a3db22f0c687fe14e9ea7277d79cf089214d390c102bef71c84473c9c1e458ed8a0e64f863ad09526b4c6a4044

Download Submit
C:\Users\Admin\AppData\Local\Temp\9819.tmp\b2e.exe

Filesize
3.6MB

MD5
dc38ae04f4500a107c2193a063b43194

SHA1
de8bbddfb906b5b964b95aeddb05b309324c0aae

SHA256
fc0ace44adf508be58d4737b0caa96e544767c55ca02e3602dfb625e95b40276

SHA512
b66dba0e17aeae848d424463c33b900cef8eddb058a94f2f261fa7ca8a5cabd740deeebf060b24e2534eff282be040d556441fdbcc19ace5236d208f02f5acaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E24.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
928KB

MD5
0dfe45c928dea4dde121a7f6047d2e65

SHA1
1397c1b752006020274cd8c7ece5ac37f4e00ba3

SHA256
29bdcc6a1429f5ed001f21297ea001d6b52a27dfa7fa46699b636d1568f8f5d9

SHA512
cbee498d1980600c4eeabb32079a5c9cec07184c1d650ab2910341f5e681b9710a47a78d5c92f828914c67ccf4ba989077b0b789056cd9d81f9190fd2c97de58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
aedcc789789b7420c5c7e20199471a9c

SHA1
9660ad320c3756186365809db090d8f23c06633e

SHA256
374e693ada7e3ea6224f37fe4bbd35273c34d509f913b33352f8b98a13f4868d

SHA512
97d16a39ab4c331c6e3fb0bd3f398580ac67a7bde2076741e4c7d39561412effadcf632758a56e14db60023bd5567ee0c4e57a50de5ddea112781e2c079d0efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
245KB

MD5
280a8ac2c5453c5d1cab208c9cb678ed

SHA1
cdc1148d43abd8302151e01a624d2e8a342a7b1a

SHA256
2fe465baffc8202f804b38cded89a7dec37020c5a0462eb0633dee8a4f35c144

SHA512
280ee68a382f88340cad7b0b62fd1ac45d73e23c067615a6205b9c9d2bdb6602ed0e35ff097215434b55eae9a06c9176efe077dcee927f368029496995169a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
718KB

MD5
64b8e22bb00b59a96698e9e7fdf784b8

SHA1
3deaab118b5eb0d06f0e191fc0291612b0d5b3b4

SHA256
ec68552652d4e69de0d1c4e4c567346b70df5e4dcdf68a085002f6de826bc1c8

SHA512
a86453f0d3fea2ac96aceafb2e9da93e11cd752ef1a9fa7486652d2fcd206b05fa2f6aa5ded154258ca144780db3bb150ca9730aa0c6360f560c7e4423101e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
871KB

MD5
36325d3b19bc46db6002d3c968a37a41

SHA1
42a5f41d7b92df8cc62378a42bc0d22c6f4e9d1b

SHA256
5fbab7dca394fe1b05e6ab0cf53a414101175baecaf9533a73f9ec09f4b293a9

SHA512
cf0348d111fcf06e1718e8aab95a88153633c00735b428ccf2a2038b8ad0985718ac4ef50ffdf63c4bec0a9a4324be5479cdd725c3b2210c88f969e38745540a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
832KB

MD5
d33f0e6bb5e8d2b9e111a90544790dc8

SHA1
df4e81d22638d511e761744e886c33bc12096c48

SHA256
40729edf62213c039a1818c9adb9478aa0284bb26dd071bd1ac4de1da2470048

SHA512
ce4ebeae054117d4de8b3fe2403d95a6d819483269f851618958e864887e9b2f42fc9c893e1aa207dfa2d94900c8f4214a67796ddeb2a80ce655d69ec290d629

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
486KB

MD5
c41aa7b7932997f054ef3774bdb1b390

SHA1
57263a35f122d8b2f9c8f8152c00559d1b16da7a

SHA256
b5acae262b7dabaca6dd036a7a9d772d244b241b6d02a929fe73690c14905cd4

SHA512
4671c8f06c2690372cac57fb736db8100b4aaf142a815f6a6f56201e54d9afd0c405b0820d6fe4b01d8966fd6aea81d8efd71ed55756059ab2d1ab517cb480aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
586KB

MD5
13399a8ff86c1d5905f64c02d080211f

SHA1
1cfe67abaa3ae0683116dfe84c36929576207e34

SHA256
4900a2613458e87a3fb376390fad555e6630ed450c86d8436f5f21214d9ca4ef

SHA512
ef8b604726caf0b3fc95628b9221fb11adb7108cc776b770812caf89da2a8c03fbf0e21c3248828c0636fe64a0684888a7535d897d700c2cce2cd624471f1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
647KB

MD5
c716fcb31789ac62975bcaf7a37bb3ca

SHA1
d567eb8ac439f058559af3666b63647ec4a90e10

SHA256
7ff8c2aabd0d0b62bc765b541903b06da8fc8d5b8b963fd8dde336a83b716f51

SHA512
bb3f47d03181622b8e4672dc09c077e9b4181cd67d78833a22b93ff80fc8df011ac2cc07e53a4307bbba727c808afdd62fabf5044afda897d2169e54de21ebb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
504KB

MD5
de385aba9417716d7e4f54fbc412c08c

SHA1
ad610a0c98435c160d98638c6e4a2e8543cd5f7c

SHA256
01717dfd79031c633aa6b09846064de2dcb75ae245a471f98825020f0a8535e9

SHA512
e58f51760df5a4185a0ca5a258b704533cbaee37aa65112260f9c1b8bb16ee5a32ec6a872c458f0807fb379de25a8cac1ff39e189e802651b400d9f5bd36f80a

Download Submit
memory/3188-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3188-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3188-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-46-0x0000000073670000-0x0000000073708000-memory.dmp

Filesize
608KB

Download
memory/3188-47-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/3188-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3188-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4664-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4692-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4692-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download