73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14-02-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3944	b2e.exe
4616	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4616	cpuminer-sse2.exe
4616	cpuminer-sse2.exe
4616	cpuminer-sse2.exe
4616	cpuminer-sse2.exe
4616	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2508-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3944	2508	batexe.exe	83
PID 2508 wrote to memory of 3944	2508	batexe.exe	83
PID 2508 wrote to memory of 3944	2508	batexe.exe	83
PID 3944 wrote to memory of 4200	3944	b2e.exe	84
PID 3944 wrote to memory of 4200	3944	b2e.exe	84
PID 3944 wrote to memory of 4200	3944	b2e.exe	84
PID 4200 wrote to memory of 4616	4200	cmd.exe	87
PID 4200 wrote to memory of 4616	4200	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\8E65.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8E65.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8E65.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96E1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E65.tmp\b2e.exe

Filesize
5.3MB

MD5
113bc1b3fd819d2fd53c95f1d16faf53

SHA1
ee4968a10e98bcb49d76cc5ed359f75e42bb1cac

SHA256
4e20dc60b1a66111fe788e2f4576636ae4af2bf0b3638016bfadf36f6ce5a1ff

SHA512
a593dd6dee2ffe7806649a6cec587bedb9da8621aa41f07c379ebaa1c57650c876ee93f37a4eadabd8678d2aed40df2067b33686255ea647fae434597231f231

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E65.tmp\b2e.exe

Filesize
5.1MB

MD5
1b546d2caa291c2c02e3b1c5988ef57b

SHA1
6f5ac43aca3151f9b8178c4e680c412682d6d0f6

SHA256
73c2bbc415f0bc7cd1b34bfa187b670f0004c90f739e1261504d2c1f191ed79b

SHA512
fb45b619cc5856b59fbb0589301484754f871af75fcba3f62be22f5041d43879e5e17abae710b0e1522df23466bb4139b5a739091f8a4437291d6b915ade2b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E65.tmp\b2e.exe

Filesize
3.9MB

MD5
9bb69f62c98e0b73bde84b6559475725

SHA1
e3330af31e2f1bbcd3d53767c356fbb326d51e10

SHA256
318412c21ca237d3868e9391c481e673134b937e95bac0fadb755a9c2eed6034

SHA512
bcff8ec36f18391697f7e5dd45d3ad58158bcfab54b19548a777c39c7b7e94bdb0ccc716281b91bc65cd48a4b342e12690d5256b0cd7af01390f41ccbb45e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\96E1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
698KB

MD5
bc72f3dd568a621b905b0ba328b6a705

SHA1
ecb725a84acd605f4e1d99de4d4235539c67a652

SHA256
f1938d7df7cb2d496ac82fc517c012f2f0ecc9b7cba8602bc58ac0fccff89fa9

SHA512
e23c00a03629406363ba78c02ae8053ca3b802c1f1a13eaffc2a4f6d648fcd6712104c89a127fe649ef0511c1f47747bbe157147b2e5209e14ba35e85b469726

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
564KB

MD5
811f818774216182a3874c3b277aa929

SHA1
d0c5d5f55b6b22ba0999f5f792675b39abe8bc16

SHA256
6fe8e3ffef501924f94a491030689206144a2ab0d0fc153d5ff9f015fc510598

SHA512
c5175eb8cc0f4bf79269d81b964ae3aa9e7672b26eb38f9dc8408cf4c4356a743013e087f5044b9e18d132f5c65a5ed9a09cb06f8afb5ec985ce88011f266e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
704KB

MD5
903e2cfee96d720dd5200a922b637d07

SHA1
f6d639d7b6bb586abcb5f97b1b212252ed6c85b2

SHA256
443ef0fe0e5e9cff04e267b1bbbbc98b547e5bd38a853eb79d06a43a8e7d17f2

SHA512
c9c357be28d1d97bd5255d88bc64255f452867407c3aa4c99b286913286780da1204691a0344514f070b8bad391980a88b165eb1e8e9ee97f77ef02eb85071c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
576KB

MD5
bfba8ef054be5bee0da072ed080beac4

SHA1
090e6e60a6f0f1e351978e91b99e8dce8e63413f

SHA256
81f3865864af4f5ae909e3cb60ec0e0fd028e37909315b0e3de8663a34391be4

SHA512
85a8d0b74341c10b3563209566415727a1d1503433908c26c3e861592c397a66afe3cc25bcb31119ec64e15fa078db361bc308474de1ec3f1a8c367d37c622b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
704KB

MD5
538d0a2af59454daf4418e27268ec013

SHA1
dd5e047f232d3827ba6f9c1da4f17928557dd6e6

SHA256
ef618dca52a4f65f6fd72fd721744185c44cfeff6ff90928f56481969eab4126

SHA512
1c958d315013726aa6ebc24552fb4d712a30ad6e5621db0f9037924ccb8cdf45063a01ed6da3aa50485ad084248a9c67c3513aabecf9d324eacaaa2b75f0a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
433KB

MD5
1e4f04ff7559287a57d253cab5ee573c

SHA1
d56fb28e15d7c8db47569eea2be91da217bf771a

SHA256
7366866a078ff7c0b309a442e00d01db9d457b30431e1e98262b3aad87786175

SHA512
d3a5ec7aafd462214a300c16e757d80979218d90e152c5be3ce285496b143e2908e988c7e4ecc88ac4dc191e18e797c6494d4c390019dd6b69f65e26d4ca5b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
577KB

MD5
0b63ebad3420f02d06b807f8b83b5700

SHA1
3b2cac2a164b0870b07b419fece9387d93cfa92a

SHA256
e98d3c48f8d489cc6fc00b9a519719f52f262afccf37076cf7477cc1d368e4c6

SHA512
eb47951b7ec64ec8610c65d183b65a7693563488986289b8645da390cc609dccdbd1e7139cb2ce42109cd691f4fcc2d3bef93d86a019df839642c2366fd28ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
384KB

MD5
4cb3a8d3af58faf78da4dd33a03029db

SHA1
5356e4fb04a7047f6fc82a4e071e4803f97a0f3d

SHA256
86df790940bd442466ea58a434a31aaaadd1d23a9e9bf5e6fe625ff49049d620

SHA512
244237f4a13a7666e9f9592451dbb8bb18ca1f828d66f97e2890fa8f6be690d8890848102a8be253542c9f4b154d9f0e1aeeee5a867c866b78b64f9949f48c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
398KB

MD5
74349e5a890fd35c34bcd60236d04eeb

SHA1
553efa7cc430520c8ca30965f3f3b50d7f32ce94

SHA256
dd07608c933e03aa96a24a9230de6091e5c45c23ba3c72cd031ced6819bece34

SHA512
02ccc360c473330dde3adee51beeaf10f9244c7455877cdd53cd146caafc2a198d559e475f70c05c4bd75552f12e94d7e5e6806706816aeab0f86a2190afc5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
385KB

MD5
57cc74f144a23298b00ae0b030cd15e3

SHA1
7e1d1b9ce9f9d1240e5a07cc7ab22cbfea0800fc

SHA256
2ee93f1b17c5b9c30ebcc769e1847da131667e29cb6a1a85b4a34354dda260ee

SHA512
f2c7bdc833b971c22f3d2cc7e7cf7ce4a380e4e15435999e9eac21b45e98709ff79070891f38952b2112c66b040cddfe5d1d5a4ec80d3f1815b52b59f269f0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
448KB

MD5
9d1a04f05f75671a5a3ffeb995176c52

SHA1
a45018bb6a5dd52b310c1eb77262354365925a76

SHA256
c777e9d786f5d1d13f78a925453804bf53ee430a38f893f115c2d1ac0f2f07ff

SHA512
d19ea63c26c1d41edd5947d0c5ae70e2461c876563c2baeb1fd4a3986254f7919f8d4c32a9d6b9f4c51c4d5a23ffa90a2011d293a106a0a8813295b2bee06e1f

Download Submit
memory/2508-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3944-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3944-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4616-47-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/4616-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4616-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4616-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-45-0x000000006FEB0000-0x000000006FF48000-memory.dmp

Filesize
608KB

Download
memory/4616-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4616-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download