73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
408	b2e.exe
1204	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
1204	cpuminer-sse2.exe
1204	cpuminer-sse2.exe
1204	cpuminer-sse2.exe
1204	cpuminer-sse2.exe
1204	cpuminer-sse2.exe
1204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2868-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 408	2868	batexe.exe	85
PID 2868 wrote to memory of 408	2868	batexe.exe	85
PID 2868 wrote to memory of 408	2868	batexe.exe	85
PID 408 wrote to memory of 3884	408	b2e.exe	86
PID 408 wrote to memory of 3884	408	b2e.exe	86
PID 408 wrote to memory of 3884	408	b2e.exe	86
PID 3884 wrote to memory of 1204	3884	cmd.exe	89
PID 3884 wrote to memory of 1204	3884	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\9267.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9267.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9267.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9267.tmp\b2e.exe

Filesize
6.6MB

MD5
6e798356a224fa4fb1f4e625e316a342

SHA1
50d24189d987ec4ac8dffcd3e75edad9e7e3090b

SHA256
e721fc29f233301d719adad246e524973c0290891ba80c2a61997830d3fede61

SHA512
5f4b3e60e89faba1206e2374690cd11d167a7fbbaaa01ee978f7e82187d5acbd1e6d145e67d1070bdcea08213e25ccf0616500ac2ed15021270e012f26248ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9267.tmp\b2e.exe

Filesize
5.7MB

MD5
af594a0a24108c857b45d38d529f3968

SHA1
646d18b174ad42196c58c1b8618b06cbfc10b4ad

SHA256
22e216906c709eab435bb13efa26a7351fb9e194d478ee73bd7e38e38006d7d3

SHA512
acb4a316c45133f9a69496b6a999e5e455447af8255c298d7f57b2bd6c791ad61e890fd1e73f72be9687dbca1b1878ca64137b98b091730b677dc2ebd78f3df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9267.tmp\b2e.exe

Filesize
3.7MB

MD5
ae8a7673d00c68c2d4b632b502ec5d78

SHA1
2f8a59a34ad281533eddb94d00c76370c8698d42

SHA256
d8ea941f5c0966730f1bbf227d8bd1dcd03948aa68597bb0604738ea42685710

SHA512
1b33c7de910856fa075aee6c72dfcc741a838ee00dcd1784c33ce324dab3c364072a0a39fcfc48bc8165012975e77254c4b5d259e772d9b4a535ae7759f60257

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
128KB

MD5
87bb74a6790018700645a8310bb9a32a

SHA1
b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b

SHA256
ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298

SHA512
702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
124KB

MD5
c5d87cbb27deef3eef5991c92e18a470

SHA1
547b0047aee514aea32b1787dda7ced5611d8bee

SHA256
1718f58a4accfaa5638261457a00e214fb42383e14caccfc16097c4fa7aac0af

SHA512
826e734cd4ee80bb7025263e9ce1861c3acdff7e6c45a55abf1b1a92c1158262928ebb2d8e675a7bb9cb155973b1041c1ff078c759bc408d97e8dcc56479719c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
51KB

MD5
cf7a1511eaaa62fca91e887ab71f279a

SHA1
094101768c6598ec2e19233f648b07e132e945b2

SHA256
455635c3a900b624632f31beb79b3bc0014ee020f0526000bf2ae5c4dcef62b2

SHA512
b7698340bc5f71a338071ad685780a3c71bc3fd4a0a3ecbff13a05923472fe35fb4926cabe11fef6c4fa1a2b0d3c68debeadee2fe37a1736dfd5a3d93e10547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
14KB

MD5
e08bc25b7143f5ad438a38a95d383599

SHA1
d9aeb555ee1bf78f0af69d576bb3dd1139f3b973

SHA256
999d6a9cc1ee5d8aafccee247c9ad40e8783473af3107fee43681284822076fd

SHA512
6ea8acad6df52e0e1c873c7ec66ae425ba783595f4253dab80cc343edd5ee60a999f9dd7fceb77f4cf273e1e89e0e0c8ce0505a65aab6b10fd09a82df081de22

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
1KB

MD5
d27bb4786bd7510db4a0a909181e1253

SHA1
ee39176b6998f20d072ed95b88e0e9e5c0476abe

SHA256
f82b8ec71b49c257046f0f7f09b026eb9a4a8879d2125cb3a5fe8722de2c8740

SHA512
9dc4bf61c7b5fb76a33ccb2fed698b9509dca2584b7b265724535f93c1a9c06eb5547e7575b0c4ec05c804c0fb104dd4ccc4bc59a932dd05840d971b45258fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
108KB

MD5
985ae41d881e4e3d9c74a87f5fa6c67b

SHA1
850e0979d918dc05df724fb8338f7c406847d437

SHA256
81010ad795e582166bf795dd1db946e6b67661ac7c67a797c48e9e034baacacd

SHA512
0b9634a395717498bf51df568f94733817ac38bbba7db2185b2cbe342dde3dfda8ec034715a24669319234048c1a2216a29ebf27e0f20b3094cbff5f14cd880c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
147KB

MD5
0d682a7e7c60bd27d95206dc5355adba

SHA1
4e131462a4af6bb07f6c7e113063bffc2aa5fdf8

SHA256
cef3a6ac851a31a2a850094855dae61a96ebc4337f3cfa4f0679481b503a98e8

SHA512
8755192a1e408c13f6cda518ee942f476899984ea4db1e9b43dba4084308ee8bc8af2025e7f6b647e00bb560208893838c3bad92a318b667d167dbb358af7b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
211KB

MD5
826f3506a4d9e3e0d530b4676d52f021

SHA1
c616fd899870c75dc36863b2658de5a5182f699d

SHA256
b82d8c54d42aa602c37a976a086aa7bb5484aff61d5f701d3ee5b117b10b0cb8

SHA512
02bcde12ae9e1a77bfe25d719d4b32ec0920f842309418feb4208f633c2c336f324fb3ffc76b92cf524b040c039cae5b6fc8def8b1081d3d33564cb9c329030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
173KB

MD5
defe92eda464a5c2f73e880a282a9ea8

SHA1
7fbce7ae5d5d6e8ff15fc203b09824d75965d633

SHA256
766f931244a11069a5dc2ec43f332e087f33f7b65b9964a7668f7f5b14c2ee8e

SHA512
aef7dc8eae7fdb9fb532a35a11a34a0c193e1a09e854e1c77fb323c0d8310e4c7846aed1e871956608a924b74d2f0520798788d47523e99c8f2aa5df3353f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
79KB

MD5
12c8f61cbd71e5ee6b2926c55ba19f75

SHA1
55b788b1a1fd1ae68ad7a6dcba0fe9c8495c67ab

SHA256
3cf249f9aa8d29225f9043349af5cd00671c6926f3816333d3b40b4315092048

SHA512
02c9bcab193f557982cbb2e12baabe191e4772cf299d3bb2225f67b9eb1a51c3333d6470c1f8266c1fed69ae3151edceca8dee24f8581df1451c413adf143cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/408-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/408-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1204-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1204-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1204-49-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/1204-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1204-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1204-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1204-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download