73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
299s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
11-02-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1788	b2e.exe
3168	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3168	cpuminer-sse2.exe
3168	cpuminer-sse2.exe
3168	cpuminer-sse2.exe
3168	cpuminer-sse2.exe
3168	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5420-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5420 wrote to memory of 1788	5420	batexe.exe	81
PID 5420 wrote to memory of 1788	5420	batexe.exe	81
PID 5420 wrote to memory of 1788	5420	batexe.exe	81
PID 1788 wrote to memory of 5132	1788	b2e.exe	82
PID 1788 wrote to memory of 5132	1788	b2e.exe	82
PID 1788 wrote to memory of 5132	1788	b2e.exe	82
PID 5132 wrote to memory of 3168	5132	cmd.exe	85
PID 5132 wrote to memory of 3168	5132	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\b2e.exe

Filesize
11.8MB

MD5
a132b15ca428dd9af883c530355ef778

SHA1
bfb8de637f523aa2c1aa2031f5446fae8040e857

SHA256
d26d6611457d0ee7bcf19cfb11161a1dc4513e7d54a058441e12068d454507df

SHA512
cb12dd3f84aa6947015b295abdf89b65124b9217fb466ecf6441dd139289408adbb78473a007f2b4d215b46aa19df4a1dc566b087acb4b9082e5391010e8f8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\b2e.exe

Filesize
5.7MB

MD5
4bdcec75736bd6312b1fc4582a31869d

SHA1
7824f1c669cdd8dbbb7c0a6a74daf20ce0e54586

SHA256
6c2112039ca830371d0ed76282b001f8d22526ef55a61d94e1ecbe84a373c7c7

SHA512
f09914f1c5e537333332d917049a1acb20926029a7a0dd1b409cbe00c8546d3d267f04b21124de025a8465bf94aef28d017ddd07ddc8eaf4e6d38160767e9289

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
291KB

MD5
44a21b081239be1562c629c8bbdc7fd5

SHA1
5c4da028289a7dd9be57aac01cbcd9c3ee957fcb

SHA256
98f0ff9aef49b5e4bd8a3b28a27f0e792759c8736a46ca51ba8b885322ef79ee

SHA512
77f24253902e6f2412023f7cf6b7edb2d90775f88860d0bf77ddfeeab943717c219fc214ceb7fbdc29d49548c616fb41ffea129873c155accf82180233c3c0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
256KB

MD5
e0c023f2dc80d8f2415830dcaf9b9e45

SHA1
9806d1f4bd0f76e044071f95f9210b09c2c09fd0

SHA256
dc7de4210ed002ed6ab8340d21f999fd77ff9c1fe4361227ebbe3324b24009a0

SHA512
76d594de32b07899a478e6b1fbe4a158492174439df3a65478b21135aea9695f47cd6b5006d1bb28398fb1b1f0e64f33e839ae16225fe755bcec4d25d3caf0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
218KB

MD5
39da5460810185f7ce909ac757b174b5

SHA1
3e6558016f1441df26af8b57a74dc0d1cf3c7239

SHA256
4d1a514ffa0d9db08071882aff316cce8ad798c29163a5f2d975fc42d55b7425

SHA512
212b2fd7e805bf13172980ed48a8b97dabf45c24fa96ae92c013fea2fc273051bc8395cf4a1b915e7b4ee260c05a6f4b5edd43cf4a9517fa31c600d2cc4eaff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
107KB

MD5
a2b80847653fd1ae38c3c18e31090785

SHA1
0dec999b0184ede55f89038d3907a52e0d0e9961

SHA256
4aeb356813d8fd355e139fa9d14cb66fa5c3aa8cd4e60418e5d3512bc8c7cc3b

SHA512
d74241b2343772f038ba6c05f51a0d787e20f489a88c08e2ac6c3ffc5016989adf14e4d71e8abe9e1805cd78a6778da83a2df48029cadfb9d1ee4cd0501dad34

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
166KB

MD5
021f476e9a7af028f3be81efa4074bbe

SHA1
da593517e1335ce18ec2e1e83f4cead761592025

SHA256
32ea25d0453367fd48b1019e79d8d208b5193a59b953ab3da939320fa6195262

SHA512
252e94fc335453560c5cfe7768eaa7a4ed82fe21f431bca9e80854aacc24b76a3ff9ba8816fdfee0c59824ee56489b883cc4538a09b26beee723ae1a66c31dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
192KB

MD5
d73b46cd072058efc54c4b3885f47e13

SHA1
84771c2c4f5736ac08497737cba2a8634d9e9178

SHA256
3f62bb203bdcca4e489401897e0558cf33ad6fe890a9987f90f5c3894b965b34

SHA512
519c91b5b5a82c5a755d7d4295c040cfb6b0f029eb088a6bfc428db11e30d7f954ea6fd6de9b083d1781e1142737ea39572866ab5f669848dff7ef0ce34c79c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
220KB

MD5
5fac028083520a937d67f74710e9d2e7

SHA1
9e038a8d32b270395ad9ffaf1dedeb0adcfefce3

SHA256
9e205d1172dbedd74ae0344475d02277556fed80e6161e9e4e37becf24f4af0e

SHA512
e33750a9c7c1be9bbf10f7b8982a07ae631cf90726a4c402153c52a923b596867308f7fc9d42d270d5668e6af327b76c04e65c6bf1e353890f408cd99d7b080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
109KB

MD5
8e7a466cc086a05a7ce84a0e5cff55ba

SHA1
63c5c6636d9faaabf1376cb26b7b271d7cab3f6c

SHA256
0cac6fc074fbe4ba824acce91cf8c14bc7f3bf688ab228052421d52a8385d4f0

SHA512
1ddd09b912d596b804ad2ac166ae017c4b0e86f96c2f7954037252a9daa0cf5479b35ad4ba073c810baf43e92562e109848ecf94118b9c43f9277ec98242bab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
101KB

MD5
e1e213ead1930fb000a297a264e49955

SHA1
bb93394b7b1603706573a9da8519ea847e9e2d7b

SHA256
78f166e9b95461a04009c4477a78d442e672251787dbf2f80b0b15ada567ba75

SHA512
331510734263ed92796c12c78b0a6cbf8576109593ed3428851986b9ff80d95a828ad2df08bbfdc2f96110921d15134d2e6d8fe883f6c2f317efc7ad2be35ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
231KB

MD5
c41352bf3f4eaa9d0096c58b427c5f77

SHA1
bc1979a5b3a5fb099cc13c9a97279003fce43010

SHA256
7ee71bb1ab73c5ce8626f71a99dc97285fa1832f5034435d25e0905c1cd5fbc4

SHA512
7f8d89de06e7cf26a4eea306b6c84cb0c8c432cff958d37eed208c6dda1454fd97b2fc32410f25cc01c5af65ccb2bdce44fdb2b55ab08b11e38b9ea76836c47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
155KB

MD5
790209758faf8bd952d3899f6d600852

SHA1
85167656d26714039ab4dcf640c71d56fd171f1a

SHA256
9576b4246f0b2141702dc8974beae8cf0b63075fc2c589f80db5d91784d0b8f6

SHA512
d9dabd6b93661330ac2a3a1c929bb8f55b19009f247cec0f278ab789f64f10ae14c1ad7c1776e1d37a2bf4ed654a44cb372aee48d04c69f825bb9ab7dada4643

Download Submit
memory/1788-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1788-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3168-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3168-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/3168-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3168-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3168-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5420-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download