73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1032	b2e.exe
2084	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe
2084	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4576-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 1032	4576	batexe.exe	85
PID 4576 wrote to memory of 1032	4576	batexe.exe	85
PID 4576 wrote to memory of 1032	4576	batexe.exe	85
PID 1032 wrote to memory of 5024	1032	b2e.exe	86
PID 1032 wrote to memory of 5024	1032	b2e.exe	86
PID 1032 wrote to memory of 5024	1032	b2e.exe	86
PID 5024 wrote to memory of 2084	5024	cmd.exe	89
PID 5024 wrote to memory of 2084	5024	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\874C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\874C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\874C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9110.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\874C.tmp\b2e.exe

Filesize
274KB

MD5
c4935179e8254b551dfb900002824d77

SHA1
cb7055cdaa30a2641d045659c8acf8c6c56a1c30

SHA256
67e051c296ff678fd9ed8ff64afa26f1d15f6c504f31c7d0c23cac4d5d702103

SHA512
54617b380b92f8fc2f044609bf906450e8c30ffbc03f596850493741b40b59d28be2ff835aecf01c438d419d33a7a4576f0e6cf528d39d37791a3d440fae207a

Download Submit
C:\Users\Admin\AppData\Local\Temp\874C.tmp\b2e.exe

Filesize
956KB

MD5
a0ba2cf075726ce8b617a2c2f9719a6d

SHA1
e4938daec6beae943d1f4e6de6a5e2eb6c790fe8

SHA256
bd324e9cf9146f0a962286112c0b1c94c6cbb61da8bcd61cf44ecfbf4257d686

SHA512
5796e47d8ec8200636c396064364a0d690c96f9c51474ee5961e5c657dee3e9b7dca40bf56bca70a37f8f19f7b02ae4cdee4281b77382f4dc46b8f188e7be3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\874C.tmp\b2e.exe

Filesize
1.0MB

MD5
5b46d0af50a7c18798c4534733ad05ac

SHA1
7909cebe8ef54b02ce13789ba3be772924255c68

SHA256
abb0260455935a1a5605e8f79c06644aee312b136e8c39eca7e8a6471bfe345d

SHA512
61126f4749db3eca459da0d5e2ae4ea764c42122ac9156c891bc6f90ed2286a1e151920cfb352ac82cb7aa3204c32d23bb3cdfd762cfe323c127bba65838db9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9110.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
daf7119f1adb67b609bb94a868413dce

SHA1
c053eadb41965fc94a8affb24994564198ee315b

SHA256
402a014269267f0e9e8a389c2f6640ee0edfe0bfe34f2f5d6b84b8d5299b271c

SHA512
5ecd9298fb009de6f855c96949f4a0fae673a1444f2331d119e126ae2df717d58a61011f8f639c013ed284024da0c5468ad27e81c16587eb3051adc3b7f775bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
729KB

MD5
2e423d72336bc53ad5a5ca2dc0c8d82e

SHA1
3b0d76f23b4b55bc17eaddf114f7f49f9c89774d

SHA256
2c94302f157270d96c11ae17636207eb94fbdd645a8394670ab8c8842ce6df94

SHA512
67212924ff71725db7db600f9cf0194c5d1c73bd8f2d4f4752dc2fd1cb1ca12c27165791b7dfb525bb11fd7088b776ae32930369e99d509cc4900cd1e5534272

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
717KB

MD5
6d4adb7933ef48108857bdc028eba86f

SHA1
dc1cb46280098faddb8d6d1cb061581435fcc90f

SHA256
32e7fa120cf8a9014c24372cf3177d5f135ef7402287de1a41017c81056804b0

SHA512
cdf25dfa2c13cb01f61f0b07da2de9077cc5d3ad1e3e1d81741f38d559d91c17ae4c74cdb3a9f57f4e25d4e256d250bfc0b729ad96dcbfceeca908f353bf7a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
732KB

MD5
d5ce8cdcd0e7cd015386112a3faa5ab5

SHA1
f870ba11871c28106963653801a0d9e59f0e03e7

SHA256
6c8236903a6dd878d131207e34056ef588d1cbbcca3c611884b80306a0f693c5

SHA512
51d4b12b2e35b57cf6eaf2cd62466a5b3c27f682fafb27931204aac2cad4aec7c04b48dd85d54d3c7c32bfe5876c46892ee22852f263605c26c17539f6b8e410

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
720KB

MD5
ca12cc46032b68863eb8ba6e0a6d11f4

SHA1
10ec985a4eefb527682a1300778e9e57d37734b5

SHA256
a33611fd793a86e4cedbaf6d22f4bd0b4ee14735cbc850b3de973710b1606822

SHA512
c69044efda5efa1e62e6bb00164027a3c8f04ad8b3608125ccc8bd6dccf5e2c9f2c90710eabfb4c066858676e728a5ec040594da32418f0b7cefe63808986a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
702KB

MD5
5ef7dc2047de2645c61a9ba559899faf

SHA1
dfac62e52baaae38ec55adc4b2213ce371435ff3

SHA256
7efda782fbf13641ff8a751edb7a69b79e00fc9b8676b2c5942a939b8ba9b800

SHA512
b8dd4ffd369802f43ddb35583ec5af9528da0541795e927a1a8d608ff0b094ba86704a4c9eb08f09e898d0286a759d8b2f1cb70bced156f4fc82f5cfa72bb585

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
10KB

MD5
d7ad19e3561778a51ccf6e7b5f71ecc1

SHA1
9373b2418992ede3664905cf562e39c75327a3be

SHA256
e9afe4b1b342c92fde2df4c6a49648dcba87f09205f9f1c255bb97e8ae44375b

SHA512
8bc5a5078b494c4052afb1cb6c892af97a6c574c2380b50c2a53124bd729ffe761425dad7be4f0f18a54e2750007d2a445437fb3f99794244de6df3b8613b52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
884KB

MD5
cdebd70a4b8a2ded567779a877c60414

SHA1
03c0f9130a34a2d8f4f22fd8a5635dd171cf3f2b

SHA256
975c01eeb6c97d9b9226dbda4d04c4b52d71109bad0fa52797f701210e1647ba

SHA512
dd988c19a05cd5c1c183f8e45d3aa350aefcdefd6976f120b1556205eccba7faf34513861afc87ebdbfdf721c5122a3007d4a593148f481a8afefd403fef38df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
466KB

MD5
e2c0b0d3b170055388a1e4f1e8e89484

SHA1
dab33d18fcc11a85b48065370a6e3cd5c330640e

SHA256
00a60ed26b010233f61751857b0c29c93a0a9ba9d29f4e354442bfa9e49db08e

SHA512
a1ffeda127693c8bc361063f11363e5e17d41dbd8dd3f7a4a87cda6072175a23172a7923c38fe53b604d98dcce58230d744bbd84be38f26283911a1b82aa68eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
594KB

MD5
558f8c607626fe8e6cdc6f46328b5599

SHA1
07b4cc038f796d332f842fc002a06a91b92a2829

SHA256
5b705203947f68273454a3fac5c38f48556f153de56447500e3fe84f5848b442

SHA512
704bc8a71065dd4de87b720e32369ab6460a70fe6040b758789af3baa616f0a6b8b6ad755d60e52045461d13bc62deb5c68f0e3fa09a5a27d9a0fa34b9d21637

Download Submit
memory/1032-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1032-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2084-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2084-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2084-46-0x000000006F190000-0x000000006F228000-memory.dmp

Filesize
608KB

Download
memory/2084-47-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/2084-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2084-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download