73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4196	b2e.exe
2588	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe
2588	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1580-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4196	1580	batexe.exe	84
PID 1580 wrote to memory of 4196	1580	batexe.exe	84
PID 1580 wrote to memory of 4196	1580	batexe.exe	84
PID 4196 wrote to memory of 4076	4196	b2e.exe	85
PID 4196 wrote to memory of 4076	4196	b2e.exe	85
PID 4196 wrote to memory of 4076	4196	b2e.exe	85
PID 4076 wrote to memory of 2588	4076	cmd.exe	88
PID 4076 wrote to memory of 2588	4076	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\94DD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\94DD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\94DD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97EA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94DD.tmp\b2e.exe

Filesize
12.9MB

MD5
411b13b7db48cd58cf57c1c34744f139

SHA1
2d94f2714fda23d3c7d71fc2d7f5c32f27725083

SHA256
fdd920f94290ce959c3e6853f0613c0472d6993a0a756f1a514c87e993cf43ee

SHA512
14c8f0a1f1c1cf0182365747d3db37fa359ec9f337109c4b5d0a31fda37c654985f9038635147a9a23ec579afdff3b68b9c907917cee663c0fbee5a3b187761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\94DD.tmp\b2e.exe

Filesize
3.0MB

MD5
91929eae2834ee0a0e0f0895a5e694aa

SHA1
e7da7a69e1760edf3f03b350921c634c8833aec3

SHA256
2cb7cf7e366dc928f714342d4192fae462d99a7b3b83b97e5dda0db6d57d5995

SHA512
7109bd14d6f8b6e1bc4a55c0b2d37c74a740f77475c3ef5872e6890a711d3da80d2dffe10341a2a96984b54edbd3fed1a91ba1c099be165577661da287b74ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\94DD.tmp\b2e.exe

Filesize
2.0MB

MD5
fdeff16ca964a2e9a2203979adac8aef

SHA1
63fd594b64440d14c8bbb531f900073ca93d6f24

SHA256
ec3b54b18cd56dc7a31df8ba96620e24f6ba98f305481e310b7f159ce544f7c7

SHA512
e892709e7c3ff823345cdbde2b4be9f51b3769456baed5ab824bda5ae849dbcff8c2a5750c7db79baa9636eda2542df5df5421b6e8629c827fa4db1abc188e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\97EA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
339KB

MD5
faf5f66c405722de5257647ffdf9de01

SHA1
f41c2b6c3eb4d3f01677972a8718f5bb1f624694

SHA256
440f9beeba67bba526a9f3819b896ee8613b0652f12462daf2301f45f45b0c4d

SHA512
57ee76bb7a3d21bca68c4bd6c13f4bf525d208b1f2edbd902e1132043734ec418ab9d3ddab009b5321712d0e25bbb68d8598e07b977f7967b402cdc98cedab88

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
221KB

MD5
26878f073eb9b6e81e0975168c855b28

SHA1
74dd04f1b9c5c17ffe23b643ea1961428b9272cd

SHA256
6f6220d187cab9070a09def59c7c0edf17e900c71ec5f8faeec1678edacc26b5

SHA512
df50f95b0f9ccd8b97d6c681142de200d7c861c7036f43b4798d8add17fa1aa07287af39f0d5357f2be98252b94ae4e6395b716b108fd9bca34392644b4b063b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
244KB

MD5
e587d2ad8bbf06f13477daad064e5283

SHA1
d95aafb992a5d1d8b5390172a6c3cfd211dc5860

SHA256
3cff323bb7f7171882ea8d0a18813bbe0e55cd86f2ff3562a862a509d07736bb

SHA512
bf268bab6b4f265533d7a77b47659be6ed3a47e7c44847245e1e8c74a5e0e5306b73c9c365ad3b0b800ddb4e0680538727581793524b7dfbd640cbd011a5c30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
379KB

MD5
b7283867ac53f2d3a2ae9a8a211e078c

SHA1
4f7617c410a10fab7971507fa8cf2a8f9574913f

SHA256
c562aa672464b03dfd092cf2e42326d84566bc8c9d48fd29119854c7023f36a3

SHA512
361ce86de9ed253d1b80617ab049b30b03a4be84e441b89efc76bb2db50dd09742716454e9eed323207e1db4a7bd8f4d1afb872a95b2ae9c25a2f6c3dc31189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
314KB

MD5
cf65209566dd92fe9e7fbffe965fa418

SHA1
2b616996e259560252aa7565c6a0b84f86cf8ac2

SHA256
d336ba3c18ee08944049b2f719b374ca13f115bf0af25063b190b44bc81901b7

SHA512
25b36524c36b0c38c958a96db06337f3b8d5c0dc7b29ba692f1aadf88d05305a53a3fd9f028152f187655f44878790693f79ce4f3d577cfac4b27ee4c7dcf358

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
365KB

MD5
800d493f0788ef6aa88374f06fc307eb

SHA1
55c1b0c13e5f3304fe318d51a1282f5dc965f46c

SHA256
6dcf61cf6c57f249e119a6b05ee2f814923cdde8bda36c9f1a4b89319f1d23b6

SHA512
26f6bdb5afa29d72ad0f77eb35dae4cd625ffa28df07c61c975f94c4d5a8855bf32dbec5009b927756510c323096927f22c6ec576d1bcbc82d606eb49e41ba93

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
319KB

MD5
7e00a2cb4ad6187a03781562aab9f6e9

SHA1
0741c00464cd195b2ae9499fedc9af011f59586d

SHA256
44acc26547909d7f6ef95a02c140201606f103f066c2d38ff71ebf92449bff24

SHA512
edc7302a275fa79e2efffcd23879053bf3a4df2632a27e1257c20b09fc68c53ceed33c41cf487964f1f72729fdbf5cc953f4edd5ae4ba115e12a5130609fb94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
21KB

MD5
d7c3d954d464cbdf17d66ce3828341e9

SHA1
039ec57427520f36a3c2d441e316bbd3b0dadce4

SHA256
d7d630827783069395f02811adedb7042a8422146b340f0dd8839673df727bc5

SHA512
4225b8e07d9c493e79b825de756fea44531f695cf36102ea8823c1b44bb79bbe467b2bce6d7faa5560e8d94869c38ac7ca039aaf47124db72c48aaa9ba166fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
68KB

MD5
16c9549282405ac10d397e1c5b5d714b

SHA1
7da01cfc3f3a69962c2d750422a441f4e2baad5c

SHA256
632fabdd078f134f9ed15881a24fb280f09441d7c7f0c2fbe5db207ef2897bfc

SHA512
36795a1dbe3a5c252a4eaec071bd10a8b1fa43a0fd8639dd45a6f45d39ebcaab8e5e7c1686e9cdf43909e8c3575fe2392e27990520a3cee2c38b25ae61ba23b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
301KB

MD5
23334ef5ddec0b78dcbe98915a8cf4e9

SHA1
8f1fd34f0cf4971d37b1789db26ca1b8ab31149f

SHA256
fc626c487fa91645efa2000f663988c960a8f699c30917aa8f7a3c94dcb5bbbe

SHA512
ab3990a4678f9dff8a0ee3441ba7e51b830608c95d2ed9b4c71225a726ae009a501e01c361aa5a52db3e5dd143d1afe3060fbf594372fa1c4cf88db327fb1e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
219KB

MD5
3804df08d9042d63f545f320573ce403

SHA1
82fd11d522b955f5c826b30c32e6858b0433befc

SHA256
e46f015c7f9b1a00ec86a6fdfdcdf7fb6c890b13f180602ad08631fd9b3e883c

SHA512
d615ff17aaf4ff4fb96885c3c13a518f11b1c86b85d449c3f181c8cc5157e5fbf75c500c04f02bf99eb24818a0b8ee77389769d3db218fbf0e9597b004922cf9

Download Submit
memory/1580-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2588-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-46-0x00000000569B0000-0x0000000056A48000-memory.dmp

Filesize
608KB

Download
memory/2588-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2588-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2588-47-0x0000000000E40000-0x00000000026F5000-memory.dmp

Filesize
24.7MB

Download
memory/2588-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-50-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2588-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2588-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4196-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4196-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download