73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3976	b2e.exe
4872	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe
4872	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4756-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3976	4756	batexe.exe	85
PID 4756 wrote to memory of 3976	4756	batexe.exe	85
PID 4756 wrote to memory of 3976	4756	batexe.exe	85
PID 3976 wrote to memory of 3620	3976	b2e.exe	86
PID 3976 wrote to memory of 3620	3976	b2e.exe	86
PID 3976 wrote to memory of 3620	3976	b2e.exe	86
PID 3620 wrote to memory of 4872	3620	cmd.exe	89
PID 3620 wrote to memory of 4872	3620	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\3091.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3091.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3091.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40CD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3091.tmp\b2e.exe

Filesize
6.1MB

MD5
d365a291ef52b895dbcb3ea0124e01aa

SHA1
e1a39126b28348ad0e09066d4e0f9522f6e01845

SHA256
893d4ebf9cb121b99825af49e4e7abb9ea32dac56bf90aa0ee86124053ad7a74

SHA512
8f0ae9ea9326727fb55ad40586a79df623a71c801696f8efbb1ed8dca2642c090d93fc9bb911c43a28d4a3b0f71e0bd457e440e96f3aae70b464825fc0ecbb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\3091.tmp\b2e.exe

Filesize
185KB

MD5
0c9f0856620e8814ff7662ca266e65cc

SHA1
bb2b11e21a4d95505d0f6b57906916afc36838ff

SHA256
6739a312fb01794dd839af78e01802902de17a783ef72735a0cf372b95ef6f81

SHA512
ade0910814c130aa2322d05da80006e82421e86437009e320cc37f22afafe62d71cf6bb2638b193f765e716231fd0cd462082ef0e56b49fb7929fff9b635fd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\3091.tmp\b2e.exe

Filesize
3.2MB

MD5
0f8009f4c4282c12e07d0b95c37ca9dd

SHA1
341ccafdab6b7c946fbc9619849bd5a15c6d5ae5

SHA256
d8575dedbb09e1eba2977e668b475e0f8078487600d7640cbcad519fa73dbfcb

SHA512
0bf62dd5171924e1743eb7e2cba171d154025da05307c99ddbe9ab2faea44040f0b71ad5a3e8d111fa6a6c886ddba0b1b70dc355ff056101190b864d185a3442

Download Submit
C:\Users\Admin\AppData\Local\Temp\40CD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
552KB

MD5
bebb3c791e26d788ce4bd35d87de0a12

SHA1
11d5f2e17d10b66008deb7e09213fcfdb0af77fc

SHA256
ff2d185eda76e51bc6ee732a6b6f2ea4af59eec2a413ee50f7665841a42653f0

SHA512
bdd0cbe0261e1832cc0330c90590350e3a28bbafe59a896877010420b628e1ac831fe2b59c6614308e1d5e56db0d39c754af3fd102d37799c26a33e968e1b07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
908KB

MD5
feb147948534e3f9965c6aff7793f46b

SHA1
9bf73d156f997f59586a6a43e7247abb2b733ff2

SHA256
eee54547f80d419fd1f9b1ef57ee047cc96ddba4cb20fce3dfa92dbd24514974

SHA512
a199a83bb342a11a63a874a918c0eacf624b73d1f285ee960fb149c9387e1d9a097aa53f86db644d133f5fc64ce434f53cfb9d1e02a292000fc7d65338fd3fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
694KB

MD5
3f6ded0425e8e2edf3588ee11fbd256b

SHA1
3d183f06a9fc5617a3c805a929af76983ec5b377

SHA256
ef891a0b0cccf0c618f6e182fea8891861efb0b2908be0dbc95db085798f41da

SHA512
1e6f2244ca46bf528745bb520c9c90ca4889783a07360590790d56d22eec9ea4c4b121bf2285b2a4ff99dd2cdba97e7af58eb3f16cce320a39cd3429b48d226c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
695KB

MD5
d92cf522839d2809e165393d6a779390

SHA1
252998ed51bfadfbaaa719b65975b11368856e50

SHA256
3f633df0e14431d18063113a58e50cdeb0c320c5446d5cd5f9dafb77bf64d3a4

SHA512
1fb44b5c53798179bbb68bcc3d969836f2325e2ad4f1ca56d922a1fb62041e73b79d3d39456bc1c340da67027b21413379fdff1e78aac71c10a0d32d867927eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
755KB

MD5
0033aca40612085aa0462cb1a450c41a

SHA1
411157237f89e58d8827c5e5190eb174d4db4a44

SHA256
1668735fa855641cbd85c1dcfdcaa9ca681d3712bb168706befbf901d2d99354

SHA512
0cd9e5b89ccd91c441981e6c9619d14f6c30295526da90dda65371157867516190fb13d78aafc0945af034b0db8adbdc6a659d6da013c79611cfa19e92944b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
983502006fd1ae8a4e48b2b4861a757d

SHA1
cccc93247fc4e1892f167e70ec5ee27dd70ea588

SHA256
4929e727d78da756d54dd2e4ef636350a37b1ccfd30c40dc89c5659e9f20a80c

SHA512
0b67561a8cf75b4bd4e645345a7629d20dfe48c9601d7fd73da232d849e007b25ecde3c2367604292dce823f4ff18ea7c850c36328a59884a334b29ad8171ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
559KB

MD5
5153fe3eb594a4a426b5bffde9637d72

SHA1
c977eda2f59e1c2d6ce458eb6fc1a41039190dc6

SHA256
761ab77d0017f80d1e5bd230863e58488c93c4b1a56166829e83be25bc7b7f64

SHA512
f99eeb37fd67e628353d6c3506c11a0ed9d996358c13a94c300310303e604344f9f6243222565a9a08330413a90c5c59a1488deaa61dcfc931f3305caa09c4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
611KB

MD5
d294d6b27bf1a9b30b1f68379cf6e7df

SHA1
75d4a79c1d5c45d204319897deff9f073d122758

SHA256
f2f0523a2485521a57d92930b8368d7a2fa328ad386736e986cc8478f0518884

SHA512
28c667482d4c2e832d0737dc36af8b4dac06e3a94577de8c7bf4ea875b07397a818662ee54cfb58b0ccd1174d9e5963583c43e186503bb98494b406eb7eea971

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
987KB

MD5
2c2578cb7c371f843139365b4f90dafc

SHA1
fe2dac86d24bf492bb3cd0f4ff5f7808848a8c41

SHA256
c5191e7245437f6a89374acc0e07bfe5b3c7fc223f55453f77118c167d9e5938

SHA512
39da1faf1b63f1ab44fad5f4aed5d02d12091359e71030894d933e1cd072e43257f3759d9fd31379f5bfccf08256435f228a02e29ec74bc31dac88e16090795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
640KB

MD5
470af915314779363c44d539f9ece3b3

SHA1
7e9adb2dfb5cdd04b6665132c091c9fbfbc2997d

SHA256
6ac49ddc719b43ea8c084988b1407e750b4fc94f0809502a2c819ee74b3cdf89

SHA512
ce2e1ef9a65a3cd9223ac45fff6424a537c03cf4642ce9f47ffaf4a7aea46f1e8677813c995bd60bf1a7656a94c6aece9ef8c32efa5b1ebb17a73a099b43bdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
382KB

MD5
927fbe882a59f82209556e4074511b88

SHA1
81ff6fc816758c43d0cf0b901fa3cd6adbc90a12

SHA256
418d3d40e4f6020f9ad750feb9387f0004143ce763c8ba9ad2c634753c37cf1e

SHA512
7eb616a0f0864ddcdec69d982f62cb1b07373b542f1765e968bc36e4d2d72c6dec30d8db1de6af81dbf289870549235d2060b779d034c23fd93c95e6d1779783

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
487KB

MD5
375e081075d6580cd335236ffa779c3c

SHA1
beb7654cc690369bfc0ff085ce548e627ab84c82

SHA256
94a9ec3c069efecfa31d9b192097d11a08f735c71ab62a5a5e739111448ef44c

SHA512
007e0addc3e9ee58f404bb4e7bbed4513101c13b1cdd8bbbd8c8b85f39d8b997152bfcdd8cb20c72cde5f6fc14ff7aac70383821446fcd92388a4ce9f00b12d5

Download Submit
memory/3976-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3976-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4756-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4872-42-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/4872-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4872-48-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/4872-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/4872-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4872-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4872-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download