73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-02-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3540	b2e.exe
3016	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3016	cpuminer-sse2.exe
3016	cpuminer-sse2.exe
3016	cpuminer-sse2.exe
3016	cpuminer-sse2.exe
3016	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2136-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3540	2136	batexe.exe	82
PID 2136 wrote to memory of 3540	2136	batexe.exe	82
PID 2136 wrote to memory of 3540	2136	batexe.exe	82
PID 3540 wrote to memory of 4496	3540	b2e.exe	83
PID 3540 wrote to memory of 4496	3540	b2e.exe	83
PID 3540 wrote to memory of 4496	3540	b2e.exe	83
PID 4496 wrote to memory of 3016	4496	cmd.exe	86
PID 4496 wrote to memory of 3016	4496	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\84C0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\84C0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\84C0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8CDE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84C0.tmp\b2e.exe

Filesize
10.0MB

MD5
967c0cd98d2a5b3ac87faae2c3d1311e

SHA1
c0b0098b54daeac0f5845ad60811ea319b9a8f59

SHA256
83b4ebfea670fb7e7de877cb4c01e8d68d0be386f50bae5bc61ec8bae8af2edc

SHA512
d2b0a172c3e49ac41c7b1651049495fe9c44d5d05c2aa46f909f35a76cc4b57b1af0cc6940be8102ba5dde09116f8f54cc30bca6f3506b4fb3162b072261a3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\84C0.tmp\b2e.exe

Filesize
4.4MB

MD5
6817714e04354a199e62ac01b6e06f03

SHA1
66550d231ce6fd69a1c26ba144c42a848b1bc4f3

SHA256
42ff8a648e686c200a1e06670dcde1f6a9cfc68502b22e926eb8c28cddd49e48

SHA512
22047de875bb689deeede284a092c6fc23de6d1733413c5ca0ac25503b41c86c2374d5af5a9778620fe9b49d75ad39549355f273095bab65981213f49f1e2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\84C0.tmp\b2e.exe

Filesize
5.8MB

MD5
3e1013b404e151ba6db0005cccb8c0a9

SHA1
391fd36ed9cf6d51faabae5ae796d497b222567b

SHA256
021a7a4bdaab52398a87cd5a0e332386ea2e0411a8fe00d777ef87b8f9cdd2ac

SHA512
27fb3f1c5530b91bb903c4768861f67220ad44a44224c8bc0cd0601f6873afcc94586514be4aeb5f8763c0ecbfa7b365a9f55eeccf0968df907c1d5a7b47bc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CDE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
960KB

MD5
5f088febb9167d9fa27631de416c40d9

SHA1
0e7cfc61e5cd1bb82c846c939d71388e2f9d5086

SHA256
869740b99a3d66f9e9decc133d9c3c4a2c14c3e7c62c512248da76f002387fce

SHA512
65e4cd0d550b852f50e426e53ff47bf1419a5cc1aaf07010b10b96f392148525950fd11dd3b1e8acda0916d288414629cde845cdc959ed7092e565ccb8ffa920

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
640KB

MD5
0f6af9e19fa927d88313e98d54420920

SHA1
0aff9c72864126107d6c630aafb9ed6512042afd

SHA256
71661d7077b93e2a5e53d7093e532bec1b66d34e3929bcb314eab7f431b84734

SHA512
bba078e2f4eb5ca45956657356f7419767a81679f34d9991bf28a1d44e412340d1002517f74a15583ffe20b32f1f25b60c47f4581100552dc1e651b3f88547be

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
832KB

MD5
9b527cc7775e3fefc75ebd6cf497b81b

SHA1
7405b4528854589bc404f55c0e591d2e534d8d63

SHA256
eb4270d5203fe07ee63a7161093d69577ada5ad4ca659a6181d63953a69bca72

SHA512
6471f61ebc78e6ab30cce7cb444c582a8a24cbcbff1a8cc3d22d20d299d53c6377127e76bcc2a1e2c9108cd65d6fb89d42ddf89b04140c8e225f5115984a4b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
768KB

MD5
e3f15c79f945604229fa814f57c79274

SHA1
19a7015dfbe622ab86c48693ee1605b26112a3fa

SHA256
7b09ee53447ccf77a0f2d7bfe25908f963d681433d3cba5a16c7f45646c42175

SHA512
12dc1df8a947caee13a12eca5a976feffd7408402b0495e4971d4bd7181e8d353ebc17da044d2ce6d1c273bb05a0ca5ddf7492394b355786d8b14b0997de162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
832KB

MD5
2bfa2b9803bf342837d2cfe9b2b57f64

SHA1
e89eec3559c4904ce523943fed97f3fa2534ab39

SHA256
38710a4ce8976e3e452fe43563f28f9a8259165fd68ca94f5d64f5f4a299b6ab

SHA512
d099f07ca1cb598bdd6f563d917fe3ddcf3f6f37b589f68da987426e416492acf3dbfb2e18387d9afb168308d55c9acfb568c3d31735ab307fc070ff4da93793

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2136-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3016-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3016-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3016-46-0x0000000072160000-0x00000000721F8000-memory.dmp

Filesize
608KB

Download
memory/3016-47-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3016-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3016-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3540-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3540-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download