73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	b2e.exe
2524	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe
2524	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1184	2916	batexe.exe	81
PID 2916 wrote to memory of 1184	2916	batexe.exe	81
PID 2916 wrote to memory of 1184	2916	batexe.exe	81
PID 1184 wrote to memory of 4492	1184	b2e.exe	82
PID 1184 wrote to memory of 4492	1184	b2e.exe	82
PID 1184 wrote to memory of 4492	1184	b2e.exe	82
PID 4492 wrote to memory of 2524	4492	cmd.exe	85
PID 4492 wrote to memory of 2524	4492	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\5E7.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E7.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E7.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\179A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\179A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E7.tmp\b2e.exe

Filesize
919KB

MD5
3681609a330b36d851c1a47d91d5dc8b

SHA1
fd167bbd5c6a63e8acd4ab08def1f67cb5f15ada

SHA256
bb5830ed15c167e68a4fec99dfdfaec52312a48917a91ea0f59c307a7c3a5c5a

SHA512
449a046f93adc8aaa6b7c79331631f7cb8fbd140393fd5b5ff3c9535cc43b2660640f66a73ce40ff16c3e869010a265fb6764e2459c43826c2b37485103872f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E7.tmp\b2e.exe

Filesize
1.9MB

MD5
aedf6fffbb76a56eb05825b41f0581db

SHA1
63a052233dafebe7e930b1d671b66ff30519aaa0

SHA256
d7ab0635210990f64523557c2454bdf32b7de29d76847b1133b9eeb1f324854c

SHA512
ec1cca81532762ff0cf62c09780a0461f37c1320d4a1b66f5213de3356d4404ae0ee12491c4a21615c2c96486b5145c64ee3ac470c82d5c0f4d305f2973fbeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E7.tmp\b2e.exe

Filesize
1.4MB

MD5
e46b9d164d26f83a0a3aa0ffc173e335

SHA1
66d6dc1ba2279c44c21c387644aa467a5d23468a

SHA256
e6a18887c2765b998b9206b8078ab0b378ad08c07d4e8bb39f7294a8f7da7aa9

SHA512
b3aa7c97359f054532e0176068d29efdb30773bc4767c48c63316ef01adff035ae5702d57beeb6967a212c9714f94893bf0d23dfdf5473ce5202e2b451234e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
808KB

MD5
1955fd54b0fbc7db4afd9150a0ec32ee

SHA1
a0961d78eb5294b588b6746bef661a69c41a2c3d

SHA256
2d435ac745a2bbdfe475f57c2847e43b8d52ccfa6780441ff1b7f0015dd8818f

SHA512
93cd171849632586e9605a4e9a41ad0aa3e47b2b0288950d80dd7e4c6992e82572ebe7926d672ecd108d777352f8a63ea9325dd623506a6a6de89f51b6dc6652

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
310KB

MD5
0ece00bdebaef7e6d6c718286e21aba7

SHA1
61abfe80fd404ff15c4c34de04a9741d36549d67

SHA256
5a4e8b87e1dbf949306d6d4ad2ca70881aa703f8b8c9dd339240b933594be118

SHA512
71f48f8b350cd9897342120a60b829a540e47ac9dbd628d1c698c5b172e6e0386f6d291301a7a084a2c8a36fa56ab296e46de018fa4e6df4b29dc86dff33ed24

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
579KB

MD5
01d3d0f7af174336e95aa8d333d5db81

SHA1
385138ed5febcd9beb3aaf9cbe6e17a14b9f470a

SHA256
75b654e85a05d690727794b206a6ad412f7edad57f0b292e8b64925381c1cdd9

SHA512
7ec920b3ef00977aa55861b211c7df0cce6877030da7eb8d09ea0cbdae7b5b85fa595481cdfe2fe7abadb7a6a6127ff1798301116a7512909d89d05c4b1ef111

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
467KB

MD5
de39be938c75f84f656a5c0c9e38297e

SHA1
153090f1578f7e47e793e4d476c6a496f0f9b23b

SHA256
9932e63b63e64f82c51548b7f32a267807c12e1d61d40393555346c5179120aa

SHA512
ac8d577afd74686eb2b4e43789077b71602d5c0b093996bfe112559680318b9c93739a3790e96db33545c51978e482ef1ef6c795740f32d9ee4d8694a8d76a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
369KB

MD5
83bb1f50c511cac8e99ede9c8d74d5ca

SHA1
eec9dddd41778a9ea6e7a826205a9e72f6420769

SHA256
0e0ae26fcb74f3e9e3f377ab86311a742dec2684fd50041b94656c4ee70384b8

SHA512
3b6032806d4db37081a8c71fb36779b1a809fd31dc5f5d689e77ca357bb38c8682d89468a970b44608569a2e9711fe9e1942633f4edee1f614cdc412388f074b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
595KB

MD5
5fa36e74b26fbd1e40da1e0e9d22345d

SHA1
c3b3d6c64153fe1b876710bbf10815ea20c6eb7e

SHA256
433917499a11f4bc1fa71998a3aa27af2914ef338b93b052efe9a5a20617993c

SHA512
4ccf6f823b7c039cb4a7dda636a9b52e7e38e34a96d6fabaa88aad240f1dd26d291c69636935161a0e7f2b84831165402018799955aee9759bdcaa6f9ff840f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
397KB

MD5
1d753d364f958656ee5acdd508724b25

SHA1
8b72f2841c39a31a8826d3e34ab3bb5e5ab8fd55

SHA256
36bf1678eb343731a6fd837c7ff7bc0c25deec693d4d6c7ef3f6fbb89aac50ba

SHA512
4c996c3545079c342ea1303270db74c7ade18c6648f4326a5b20975abdc53d038b2c5b5f38725931e88d8d4fef0cb661922208896769010417b768b6a4e56922

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
530KB

MD5
77de914d74557c09062bdc751ee8361a

SHA1
23ccf3569e08422b6fa19722d26533fe4dc9d52b

SHA256
55fa7071938bac4a2703e7d6f1cc9ae88bcaa4d1f849739aa7a9642475d5019c

SHA512
dee5af81d3a9ca1e68f1e66f8de5652a7cc8b89b44c6c311a0ea4ec7fe65e028cad60675dd300d8dd408bf5cf3b99af1584ae480f6b40d7248a040600743bdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
597KB

MD5
48fbf1c266cbefca30f3387ded4a9013

SHA1
ba165d870c3ce00fec709c79aacafdb98755fdce

SHA256
f2ab67d420fa3dc6f4222a4af681d246e5eef0ebba79876ca699162445eef39b

SHA512
00761555786eade2c34560f4f468b7f5ed7b3903350f77e595fc257bbb73313798641d5dd40bc2cd54743c4f8d07bfb01ad9313aa9108d933064ba8df4986050

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
354KB

MD5
ff94814423223dd19eae87cb1497aa2c

SHA1
da79a2086b883fce94db2f22947cab16ddbd6f7f

SHA256
28033fa74a778509548d658830cfc600a963e76b158a7c40da953c1ab08fcb7c

SHA512
1ad31fff1e6c01a71bbecd8f91003092ff1001edcb92b64baca8055e05fb9a5a6f7c5addaaa2b760fb3214d7b6191510b9cc1b2b39f221ef30a2fae5ac202457

Download Submit
memory/1184-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1184-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2524-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2524-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2524-47-0x0000000001090000-0x0000000002945000-memory.dmp

Filesize
24.7MB

Download
memory/2524-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/2524-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2524-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2916-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download