73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4044	b2e.exe
1028	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
1028	cpuminer-sse2.exe
1028	cpuminer-sse2.exe
1028	cpuminer-sse2.exe
1028	cpuminer-sse2.exe
1028	cpuminer-sse2.exe
1028	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2044-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4044	2044	batexe.exe	85
PID 2044 wrote to memory of 4044	2044	batexe.exe	85
PID 2044 wrote to memory of 4044	2044	batexe.exe	85
PID 4044 wrote to memory of 2516	4044	b2e.exe	86
PID 4044 wrote to memory of 2516	4044	b2e.exe	86
PID 4044 wrote to memory of 2516	4044	b2e.exe	86
PID 2516 wrote to memory of 1028	2516	cmd.exe	89
PID 2516 wrote to memory of 1028	2516	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\32F2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\32F2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\32F2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3E0E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32F2.tmp\b2e.exe

Filesize
5.2MB

MD5
b6b770012cdc15d7d0e66c1998e13af6

SHA1
1ad19f8778ae9dfd4b961f361eb7f475c5bf6e2b

SHA256
adb463226c20ca6d6cdd52e88f3c7b856d2405986a9712aad09cef0e50ac4851

SHA512
0757eb991c65834e6592c536130acdb2d05bd40c9612c4091a03565b90190643c26ec4def70ba091121b9eb1f52a3d46901aef957309ba87a9d056d0ce169e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F2.tmp\b2e.exe

Filesize
1.8MB

MD5
fed226671f9daab029aaea0c1bf6c527

SHA1
bacded51e7bf4d82a756351748d561b93e5d56ba

SHA256
e7bed9d6ba6c3e79ef43fb8bf34f6748645e87d47c743fc8ead2ad2003a41304

SHA512
d25d032e623e053e35bf23ba71a5432f3ac3b31eeaf9810352d0561d05e8335837ed0afee8cc0008fb1915646912ca08f134ef9e4aac9170aa63d6a254b57fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\32F2.tmp\b2e.exe

Filesize
2.0MB

MD5
fdeff16ca964a2e9a2203979adac8aef

SHA1
63fd594b64440d14c8bbb531f900073ca93d6f24

SHA256
ec3b54b18cd56dc7a31df8ba96620e24f6ba98f305481e310b7f159ce544f7c7

SHA512
e892709e7c3ff823345cdbde2b4be9f51b3769456baed5ab824bda5ae849dbcff8c2a5750c7db79baa9636eda2542df5df5421b6e8629c827fa4db1abc188e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E0E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
804KB

MD5
f7b4bbe7bdaec7237f0fa61f2193ebcb

SHA1
73f5358398d38a70c6686501c6a5c727eee9a090

SHA256
0cd235512ef1ea24d1716a1b55ef7a97d1a15e08768243fdd667f0b5ef77a76b

SHA512
36a1fc3026c48276efbbd9f2ea887961b2d7f773c8eede4719a1f9355beab49f4799700ffbf1f367c3b0be79df5cac556e2eebd230b2c76df28c9b09566230f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
597KB

MD5
83263aaf8acd669d86af4f81cc4a95ef

SHA1
ce048ce7b9051c0f7e3249cadcf9b755cd18c347

SHA256
dc4c517803c358e441be1efc275ccee3de0e944c62fcf3ffca3fc42722f5db20

SHA512
5413efabaee995c785d86e5afdc8587ca93ec404522be8d1bd66907a9c98af8a78615863cc44db7f4c520ea32215e45be7132e876356dfa7f6523d57e5cca537

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
392KB

MD5
302fc40a7943ca245c3f563761c5e84d

SHA1
a09112a4eb445e264097b2007bee70e211c14538

SHA256
24ac354766fae7d9d8d2488d55698862ee25ffbeee7279f7ccf77416ca3776b3

SHA512
6a6e25cbe4bf8123e4b5c773a4785f65f9f4f86757bbe24e1fb5dd14e65f6629f82f877a0a4be7b52d8fda24d538be90f6f2da6757755b602c9d3187c1878703

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
295KB

MD5
4666827b6b169fa56075374ca216c6f0

SHA1
4af8dec15f2dfa337f417ac139e6ced177285146

SHA256
ab63fdf9c6381b2d0770a4cf2c7e03b5443abb17d464d3331cadbf04dac0e4af

SHA512
d5641580b5929d5769a6a2f861e568feaa95451845c5e38f151d8a286c8c81ace1cd80b22e45efcfb41e007b71276f956157e6b5fe23ff4a7def0b2c6d2e32d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
80KB

MD5
56c4022679b165e898d992046009d9b4

SHA1
cf39e0991d023d15106f050d0844afab9cdab09b

SHA256
352b856379728b8d59e8cbb79a5214a158269c654a8fdda6a70db0163918964b

SHA512
92ad5ea2a1c69132dbbf341e131a784f1885e65db0a59e96583c58c9b05c4bfd58fb0301c97f18e6f702b440bb5313c321c71360d097995fbfabcd373469f348

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
637KB

MD5
2dab7be10d29086807e5e28609239921

SHA1
b7df369d9e66b45b5e129b5b6fc1ad3f829d7258

SHA256
47c0571673a3b691a92214a367748aaa9dbed1c705752fb51a1bd38a83100e7f

SHA512
20407961672801a513ed965a05e53d204dd1f42620718185937e6fc5f41a501bbac73d4d55cf378dc5132bcb211be4ca610aac660786773baf124cd76b0c144e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
219KB

MD5
78b582834ef7782042f012296e372fe2

SHA1
7b3fd9a4a3cb6dff93813627af1ce92dd554cb90

SHA256
db5f9ea4c8d706b5955335eaf4289a118d933dfc4b3f4b92d1455c75b15431da

SHA512
b4aa03fff6787d106833aa8e483fd0204a8e04c1ec36afbd47857c07d613b2c97e660e92d921c32372f305914c7d452dd22cff8f55bc326116f4bdbedfd57333

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
237KB

MD5
e41307cbcc47ad9f21a322f471f2bc5a

SHA1
57e669928689a976a048191cdecc21a2d74e0e8e

SHA256
4e608ac6005180ccab5120118d9bfe2ca81d8a1e5268cb694a05dbd6f948328a

SHA512
36d303c4cde3bffcab699c13aefd948772097d0203031f71cd48b185c2c62550f0a13ab0f4c5951c87b246f22880b987cd48e1c2b8c8c13112c71bff6360b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
361KB

MD5
5f7c206bceede2ffa63776d39de8afee

SHA1
8f387d3b1a06765eb449735400367753bbcde8d0

SHA256
3a6cf1ee262a4531387ebc4fc9a79dbc75f7314af843cd4db670514b4920c734

SHA512
10079806a6d09957eab74e3f42855abee01767cd735174960e188d5eb1dbbb742e9dce8b466837157e0af77eedeadc25ed04aba7e3b492c34e4c957889497017

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
398KB

MD5
3fca18131da9a4e58822435a444e8ddb

SHA1
fa54f0846895a5e3900509655192118d062c23ab

SHA256
7de1513ba9569c7cc61f4190593ac45165b4f5b2a00c5ff782759f3c90489bb3

SHA512
9248c199e3340ca89cd7cb13a5495efb2b577b5f916061939f075ccfd2b2ae5fee095524d608a6c27219f38390890695f05cfdff35ea99f182f69b5f8a2f3b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
256KB

MD5
eca0c37eee65c31b869788d5d0bf00cd

SHA1
33a5c0cd2f0a7296a5c0169699ed8e065b57e5e8

SHA256
1d2b7bd4ddd99d627d5111252baadf028dc9910cf414892867502e5951de962e

SHA512
5f302da7772fca0a6d03ffd8732850f526acf5fcc33e189d2d906a33101454d970d5cca2f829a006d15c4a857341d72c7876cb2e7af84ada4f158695aba5a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
135KB

MD5
88bf535be372c77438d3d94afffcccff

SHA1
2e9b5563eed88ef0e527d32940e096ce016e5037

SHA256
6ff635214c789c2e65f06933ee24e3af27f0d8655ed024d1fb5f09c88f0c2a93

SHA512
344262bb30b99c23bc32acf4a0b842740e845948a1bec5efb5412e99ec22a542fe3fac4a9bb8c2244288b6cea3730a91ced2fd64772fa3ab2c98d248ddd6c02e

Download Submit
memory/1028-49-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/1028-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1028-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1028-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1028-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1028-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-52-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1028-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1028-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2044-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4044-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4044-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download