73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	b2e.exe
2228	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe
2228	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2716	4192	batexe.exe	85
PID 4192 wrote to memory of 2716	4192	batexe.exe	85
PID 4192 wrote to memory of 2716	4192	batexe.exe	85
PID 2716 wrote to memory of 4816	2716	b2e.exe	86
PID 2716 wrote to memory of 4816	2716	b2e.exe	86
PID 2716 wrote to memory of 4816	2716	b2e.exe	86
PID 4816 wrote to memory of 2228	4816	cmd.exe	89
PID 4816 wrote to memory of 2228	4816	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\3236.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3236.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3236.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E7B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3236.tmp\b2e.exe

Filesize
4.2MB

MD5
540b62dad5461d59c508100a18588118

SHA1
ad1f6d89338ccbdcfc6998efee3e2aff52625366

SHA256
b0d5e4c4bcd44911b2393843c51ae606be468652300717902275bd5b975121e1

SHA512
1d7c988c6abe1ecdaf38f889fe82532510cd0b6ad4ddef0089522ddc37f56df647976d505a90b727554a6d3e1c87ae19d6f44d1152aeb36a096212281ecdc0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3236.tmp\b2e.exe

Filesize
320KB

MD5
88364d3a1722b83013616c5ae51fd6d7

SHA1
d6727613607431104a14f30001a7e1af8e2bf026

SHA256
70ea586c99e68feae0fd4579a9d93d4e0fd46b623f35b3cdbcf4fca2f6e3e6d4

SHA512
ba46a975471bad7f3aa1f333317fb152eab233934af7d648454cfbf2bd852d7745906fc407c5a4a6c60d78368486587f21aeaf9f12dbdf684de818c8e06a9e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3236.tmp\b2e.exe

Filesize
316KB

MD5
f759da2759bb28f3ab8f36b7894d6b37

SHA1
d4b1cb100977303b128a5e8dadcba4e1d0f367ab

SHA256
1ec538af53206688f4fe33c913a9239673fe7d4f2b72c2385ddd8f4cf1e91e5d

SHA512
90cdcd5e800b28229240a31189b1ebe070a519e4002c8a3bc8e39b6e5e91c949ca58f2dc93ace1ccb52db02738f487731f84ca54818e44d356be9627cd0a8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
219KB

MD5
dae282cf994544f02dc66be21d97bcc8

SHA1
b7ee1ee6311967957c12b68eb12ccd6de407efde

SHA256
ad584ab10ee9e448dd82513dd3303149c8d451e401391168c86799038ae46034

SHA512
aabc9361d8293254f9ec257c851e01b0c19484f5e67cfb1ac4f5cc006a9b52f616987057c2823b2722bae6ec15986981e0debf94a6128e2dc80be08bc54e362d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
118KB

MD5
5d6ff4d80d3c683b80a41ef0ebc1db19

SHA1
af10e8d321a7c994b169c8788e8f6b9232f62f29

SHA256
76ebe7e1401c6922e6a8c5590a78fcc3a34345c6b6273e2dc5089f9faa7f32c2

SHA512
75124d6472148c90be859b25d37f76f29efa6e43110a47467bae72e1bcd4ec44f225343f5b89b64c67acd3bf4bfd9480b13f863968e1d8de334777360f310116

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
201KB

MD5
a2aeca4211b0ed95ebc1ef8f5aa13ef8

SHA1
98e7ead1bb1c5621265b83c02db8e3b73b1e714c

SHA256
37125dfe4450f4c931eaee7e76c5293840b1f529caa004ba8f7027973b366621

SHA512
2037a563ee499223ea60efcf8d5247a7e6baae51424340978a62f9065b6ffd10c945d22efe4ac7026192ed5717248c0f012eb3355b250c492cf3a457d8435510

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
127KB

MD5
94e5c71a1237e8f019668f16a1e4c508

SHA1
489b92a333989c5da859fd8bfc21b6e6a6dc8947

SHA256
7e8de75a18b7ce1317b557240dd89a237054f45dc6042a11f8efb1530f905667

SHA512
f05be44382cf824d8a1a88223e893b75e7ca9d1be3b84b0ec3fcfefbfdfe3054346d6a0f7ca3adfa4e3aef9d09c271800bd99b7e278b940389c5a7983a620982

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
233KB

MD5
d0ab67d04deb3145ff151f56e1ef6042

SHA1
7895d89aa2d5a3662622f416c62cdf14ab0e6046

SHA256
0eada52db22a5369cef5ef2ce948e40a24753581c9e29276c0285eee633a447e

SHA512
3e72f2d21fef1adecefe57c2531944c84026e53d6a367b92007f6877e790fbd989d77cfb475b4242a794dd3037cc88c81f210e1f869c7ef40b5ce6a37bb6fbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
101KB

MD5
5d2f27136555911676c7cb1b1ca2749c

SHA1
bec6b8ac99d27f95900e6eee74ed4308b3013420

SHA256
e499c2be10dff605f0a573fbf2a89c083a9979072ef33e8900a1fc8d73e5d074

SHA512
b3c9984f54ec63ccd14256210f8dcb0eb9e99f8b4837f4f61c9e1b61cf3858e0ca30913f7ff39a1c2e9f05147db431dfe5872d9497f94016ece82a48f8dcab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
5946d56d1b49a9acd91305cc22e084d4

SHA1
110fc84504e294cc26896b44b6fac9f213e5188b

SHA256
a11307aba8188d2f7f709f6c43227a1adb1cd611852aa43f13f5b75da63af725

SHA512
0ae024a5d54ea9041f08f01bd11378a5e4831fd0dbdf64a1efdd11ad50be730fc8f27751cb3a32baf3e40e60019cd44e826689618db024bff9f514dfc4a1f106

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
243KB

MD5
45f6abbc29c6466a4c85e24f86d99d6e

SHA1
900bbaab1d2518c0067fe68fc6e99b9b737f8498

SHA256
9c6168beb36607799e4cb8f47f83419865be56211cd5f4f615ffe63908cef247

SHA512
0a3f87cb1f50dcdf9cee515a894d988ed333e8217cb8ff2baff5ba883c05ccf4bf40a31db4173650b085fe1e16a244166084c4799480a7ee093e2e110248b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
311KB

MD5
b2f91b4520ad15c1af77d920a4537b2b

SHA1
80cdcfd997bbcece25d2cab2c144b7b27c494848

SHA256
c2abb2c21a9270f9a092c1149ac976efc57a1e7b7efe24e306e1c8d37a868976

SHA512
9914db1530ef9edbaace4c0546c783ab8ae99cdbb64ce205ea96f1645b232e24068288b33941b9ce85f8aee2cc67cd3d0cbee3f4197c2f75c823b196f302d493

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
197KB

MD5
4d7c6d903667b618231fe484d8217257

SHA1
0d12f4c7be9a8cd95886e30d634d014369dc36d1

SHA256
91a9057210ebeb86c760eb2ab96d406d5a695ea6cd8d4d9af007b61681898941

SHA512
64aa8a524f730832a2c901fe42d6b0c2952d2c617a3491bea54fb345c8e4c13317addec40fb7f7038ad87064305278b3fe5b80a36f5defbf7d6722e1f2a5e254

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
564KB

MD5
7c914681b0ba00e5236338f3453674f7

SHA1
10a0b7c1e884ffe9ed5935546d007e8514002dd9

SHA256
63b1adbd7fa51e4ce612f6d779f620a62087e48b7576cfaca97ad43387824115

SHA512
45659a67292dc49db063e6bb37a85f73abdb4fa6d40ca7b649af8b49a9de3894c0b450971fde643310e0e086442f27b861fc0f5e223bc4941f9bdd8b50d2fff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
411KB

MD5
2a4bee36f029f7c86f49d3c27ce3e4ea

SHA1
fe40bf61f941b038e2702301851fb58bec45fc7f

SHA256
4c5fbb264b0706da5dd5832bfd320feec00516a3f236b2fb006294a40e4c01dc

SHA512
beb1f72c954368120a269eb6684a5af3a3afc51f480ea5247b7882cfb0e7a59aff60da97883fee62d6edd84bfc276017708b426cf2e5933961906b6d396dfa21

Download Submit
memory/2228-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2228-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2228-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2228-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2228-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/2228-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2228-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2716-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2716-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download