73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
536	b2e.exe
1704	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 536	4916	batexe.exe	85
PID 4916 wrote to memory of 536	4916	batexe.exe	85
PID 4916 wrote to memory of 536	4916	batexe.exe	85
PID 536 wrote to memory of 4760	536	b2e.exe	86
PID 536 wrote to memory of 4760	536	b2e.exe	86
PID 536 wrote to memory of 4760	536	b2e.exe	86
PID 4760 wrote to memory of 1704	4760	cmd.exe	89
PID 4760 wrote to memory of 1704	4760	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\6A53.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6A53.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6A53.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A53.tmp\b2e.exe

Filesize
7.0MB

MD5
c5887ae73f59c059da3fde8e6d13f808

SHA1
2777ac785cdadb6f351b1e39d3f74425b584088a

SHA256
b2237a6f8357a9fe5067246d963881fdf85b8f889adae455600de5acb2d64239

SHA512
febd27b91d2f524658744cb53bd33c2807095108f7211e4d2486edc902eaba7538da6d8b0856bef507ebc374838d8ad2cb5a3565e8fd4f2f66d2870b8d87ae37

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A53.tmp\b2e.exe

Filesize
3.2MB

MD5
10880faf5bdd18a7cf987525cbca409a

SHA1
04bf6a65febfd98e4e10d4eaf4a341fa0ed879c9

SHA256
b94bbc498f12589b25d98db3df0db4149fac159bb1eb6c916b10a20496bd7ee8

SHA512
6437c8bbdeb05689b033aa0b6956661bdf6f166f7d6732e0d67a9e934f5100d1cfbe6a1db6874245153dba81cf1fb55fdd20b9cb517baa4697cbe2ed88675bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A53.tmp\b2e.exe

Filesize
2.3MB

MD5
5d877861912ea66962f7b0ca7b5aae72

SHA1
52606059de10877e56b83d80cfd93a766ea88eb4

SHA256
effe30cc9a72144cded5f83832c13503a653db19d00f5324838d9d3564890158

SHA512
c69e1046e14f671dccb6879ffa9d3aa03ae09caf2455d5980427db303e9a94c93bd14f6842a94b7192fcf9644c1c0dbddf137ca70a7780e1dbbaa49902096da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
443KB

MD5
0ccf80a5027312bf7cb43277708d26f1

SHA1
49b8b92b4b7fd5fbb375824d13460b94164ea17f

SHA256
f93b7af52f156eedc6efc2e5718a5f472bc3e545f2ec85662bd8113854bb0350

SHA512
39d3a44a613a127c48964ecfd06f307012f4c06442615c4f3479bd8ade855607916e777ddd963f87b55c0f119559bb55c93c6498fdfd832a01980f84316856d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
364KB

MD5
9eb2d8578fe9669a1bf4e99dd1af5665

SHA1
1ed4d0b338badad2b296865ea522ce05b13483b6

SHA256
f14365024910a9abd1ba62c9ef95406764cf13ea9409a341f272d3beecd4b641

SHA512
28c371e942a09545d0196419e145284a610bae603faa0af3e45fa6d482aceeda79fb9cedfbe555cf0108b09dd2430f30dc99ccbd2f0c574a6e80589bfc63442f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
465KB

MD5
a60e996d9bda8da631f288c6346d5739

SHA1
f42571e174616f4d026ad325465f92e939f00479

SHA256
7d8717811fa6ccb5ec9d90e51c9124c0aacc731e9a32706501e42276d5df799a

SHA512
df75f0effab2b83b075a14b9c5edd9581c71d650851679d5b2f4bec00e08e54c10b98235424296663c407f7938e43b29f3dee0b2d8d83c262482dcd9c7a2dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
540KB

MD5
e2f8299ae1f33630256042e0845469e5

SHA1
f8b231604bef25d7beb76ba3e73efa9d96b0f5a5

SHA256
1b74e7a5194c39cded43e3e48137e27706bf7caf76882d7e0c635bf23f854978

SHA512
4ad17ec7f8ca5466aaf852655252f29f5021af69c6720bfddd45b43b0c98e4d56255ffeab1eb0f3dca178cda3d69cbb9758b49b0c75fd37c60263ab434590086

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
390KB

MD5
83b70b8b140873c73cc76304e7859ba8

SHA1
b3b4e6932ba50a6ef373e4696c917379097022c8

SHA256
6734a9c25268a158f254a0a63a190825cbeaa469a8f8fa66be39ab789874a91e

SHA512
ac1540ce85bc2d946b6bb8f9c12a00a296d2a89b27dc7ea567488bba7dc7b56ad7510d24d767791aac58366a3a935445f539e88ed07f9731b404bac7863534b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
466KB

MD5
76670ac95b72d3f7bf0823876038e071

SHA1
826c2d362325e71e4629a93c1d6ff4c365b3960e

SHA256
a42be4a244655886ee5b9ad14637b300217950c0b67c446892ec613d5c1e51b4

SHA512
ae797585af1af3b0ea9b71dc2484e6f338b42b96d05fbeed855acb54aa1c2196075522f49a3e291a868fa75518ef96f3d63fbd438fd2266e9d498c672a5f308e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
518KB

MD5
188e4d681c6fbaf8a8ba2cd4bb819f26

SHA1
f25acf76f34c0945eaae468e8d83a2d4e134d8e0

SHA256
f66c68ec60491c8cbd1e5738f3be81229d705475bcdd9447a0c6fc5cc0d7aa82

SHA512
580123c305deed073698b0fda49223ab2b77aa08d5865621ecf2023871cd072fed216ed95d6c18deea05bede3c5863bf6ec087cd8493f875f1075bad5a07e4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
519KB

MD5
65627f92b93e945e6d46f4eef742f3ba

SHA1
6402241dba0396297d911735019341db38ce4f8e

SHA256
fab7627b8c4dc80fa51dab540180e73ca4c41c96a6e5f50380fa1e43ec4d2d75

SHA512
890e1135f577558ecc6aec9e4235be69d79ac871cc7633b560126f9fcc993ece2716e45faa031b994797e5b49f23cf148d39bc56344942e391c1be9b325a9a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
494KB

MD5
90c966066c11f9e898a5dad1993d5051

SHA1
90af2d064f93064b7cda935e1f49c2c4707b4e2f

SHA256
d8dd74ce37b7d716b31b576c93d3507bcec5ac143c2a7e04f6857f42eac36b7c

SHA512
3565df8f7ec88ed677d497ec12624a3be208ce6c31c2f0125bc7c0bbb032609a0f40fa1763bf80cbf78303275b49e911b337d440b34ead2d9f5e343bbea161a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
520KB

MD5
e0d0f9b055bc6efb3590c95b113a8b15

SHA1
830b0828513850311ff1ce6c07c18c3f349fd070

SHA256
d1ef5a94ad98eee9d8eb11354a20161645a1eef8bb3d6e52189972ee466f06e8

SHA512
b94d927abd491e631d9380832ae05ebe5066cee321032f34ea40286888ffb745378d256da11f9a3de6627f4957f8b6022dd7506c683991fc7a7d20661ea8ffbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
580KB

MD5
5a229092863c4b12b80c7069041e42b2

SHA1
419210aef74f70d465e3d26e27918a66ba1781fc

SHA256
8103a3ae134b428daf9d671d1037be0fd9943ea3927f14fc839de6559b1ea552

SHA512
1fc66e01587287f3b5e899817cba62a1bbc30eddcddd7b09a440211b7ef449c220d2ecdffccc2109bf461e8eee3d23884d999eac05437f3892000e321d4f2438

Download Submit
memory/536-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/536-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1704-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1704-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-46-0x0000000070B30000-0x0000000070BC8000-memory.dmp

Filesize
608KB

Download
memory/1704-47-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/1704-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1704-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4916-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download