73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-02-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3684	b2e.exe
5608	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5608	cpuminer-sse2.exe
5608	cpuminer-sse2.exe
5608	cpuminer-sse2.exe
5608	cpuminer-sse2.exe
5608	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3684	2340	batexe.exe	84
PID 2340 wrote to memory of 3684	2340	batexe.exe	84
PID 2340 wrote to memory of 3684	2340	batexe.exe	84
PID 3684 wrote to memory of 3300	3684	b2e.exe	85
PID 3684 wrote to memory of 3300	3684	b2e.exe	85
PID 3684 wrote to memory of 3300	3684	b2e.exe	85
PID 3300 wrote to memory of 5608	3300	cmd.exe	88
PID 3300 wrote to memory of 5608	3300	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9867.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe

Filesize
12.9MB

MD5
a6851dd2a994de337e03bd68fbc1a5c6

SHA1
0af492f16a5a1bb6e339110b445c54a6b3929e6f

SHA256
8698d1fee7d595528baae44059b4fce94fad815fe455c30bf89a2a03b14d53e7

SHA512
935b60e8155eae4ae5a845ab0f058cf0c3503ec4e737628c41a775ba43c48121affe19b66ebefbdb13f5a276c59cb2380f7a63e7f24cf7657a6e34abc9c785a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe

Filesize
1.6MB

MD5
1e9446ffe80055b0d0681a975585d4f2

SHA1
e2b13091250549c39e6156044d3d826cfa7cc936

SHA256
6a5e65eb48e3c9f4a594a64b60d57436418cec87e75c9cf93d55746ef761e17c

SHA512
fc3ca72c1070ad153cb9f99b6a1665efb80d83005f575d70437af8d87164bff1c689305570feb80d84889a31fdc0ee1b375576fa9594ee303c2ab0776bf0e2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\956A.tmp\b2e.exe

Filesize
3.6MB

MD5
2a58aa86deac2c99323c788735dd53af

SHA1
eeac6b8cceb22a47daa1590f4dbae8e3c7c27c92

SHA256
fbd061c4d55ef74a2b1fbefa8f244ffb9e63df4a7f16083d7a9920fee83a0305

SHA512
22598586f1fc5ef20ddc7f840402716a660917caa0f26628eb943928d458688f698e66094d3cf2cd6865baa1b32ba61d1e05103abfafe98e72d30668a6b7ec57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9867.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
e470b4bdb828e9ee94bdd7b42b664c0a

SHA1
b79a7c4683ff1ca2e9dc9ec165e617cf2d5ba740

SHA256
ed00c36b16284c3c9920a60eaa4ea4158ed81aa46e97f8d49fc2bb79672fd2b7

SHA512
3a6df92a0a2ad7c9116f657edc3552e16fd36f3d6b63e1b94dc8dce6a900e0a2628be8de11e37171e41922760427aa8995774cf7ce85cd545b8e3727b93566d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
641KB

MD5
207caeef8d7ceda3192d072751ae97af

SHA1
354ab307b8a75d2abd6820b43206ffd1667c41ec

SHA256
ef47da20460f5776fa291a793cf8a0621e1de4f028769b8f9d38fa053a8dc3ca

SHA512
3bfafac8c11ec5ebec988d4c2613f3603ec42b1aee1df8bae0262c8b69f9bfcf17a4bb94702acb67cc972b26fb40631a90424b4e3b22ff9024c865f8ccecd52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
814KB

MD5
d8ad5e1ddc5bf7191e05cee0608fe428

SHA1
988fca8f1dda1c34a26295ed3a63e1d973a4e959

SHA256
16d2275a073c7d8bb12cbf4dbd5f530da4e45ea9adc8240973fe90c3044a4257

SHA512
53c3b8b8fcfec307844e3fdf1aab84a93360cd2ce5195f1cd7b9d5750f3bdadc3fde1e505b3ec23f1277cd70de8f77d4d333a97f5ed7f9d563f0e6ba70a2a877

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
728KB

MD5
5c9374aa9d7850f5d26205796383fadc

SHA1
0dc28b22d0dcf533f9801b845aac0696e3c2613b

SHA256
72bd74dbb1c60e87bc1255d9417ee86a19bc51b9a02d07a61417f81617e423a9

SHA512
287601489a3f3ba61c3f7f0f6b68b1943c770a4bded8efe2abe8b6cf876c18310cd3074af01c8e99c4f36264e457695d8785ef9bfeae2b8c0a537864f1149771

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
630KB

MD5
7bd2591f5719653922e39793bd0f5dff

SHA1
80c7473ddbd7b34e949021f5bbd18ea59c286acf

SHA256
fe3a4291ddebb4ed882e439e94e15d44d5a9b79a931226a75490625a8a2bbb28

SHA512
85ffddab5dc5b604bec9eec5e37aa0313640faf332813c5e7a41dd9ebf39db5b5e0d509bf35e0c672269dcdd0d9494b69b21b9a66c3e1130fd23be3fa75e43b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
512KB

MD5
6162b21c54b88c5c990e82aee951ebb4

SHA1
477384ab8ebe5f5a5d5a91603736d9ef53c12fd4

SHA256
462eb68967c7205145d0b92e4f3b69297f616187b07a189178f35f288063aff4

SHA512
6264ee49c4b8a6eaa69241e10ff9ab39445f85a57b756b8bc0530b45d77827d05e669dc06b689d4693db34e4161ef11b2cfe6f1954b0b90bcd434e81a938a40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
676KB

MD5
c6bd55b1b87645e55ce55748ee2a23b0

SHA1
4a32ccaef5e258a5c135f1f28c0fcec064a64cca

SHA256
a2ea0977aa5d1139f4f76485a699c6ff45c9a8bb7848f50f06f7010544d5abe4

SHA512
af1a876796e3ebb076f4ac7ce7722965f387be8e80127cf4088bd26fd34cde8bf67dc1ff788a3d3443fd80c2555b35ca4c18239a5f8c948d45d7423e66c8668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
448KB

MD5
ca123cec7f705c0af114e462349dc686

SHA1
75f90b4d95f6774b2f66e4ba790755ef118ab222

SHA256
7f141cdc0be9c965e21310bcfb0484b20d31ffd8a6a970f8b5a53c0e8974798a

SHA512
650125faa9ae6733f1118caf3101ca6850473f78f9bfc3a87e908eac1c69935e3bc269ffb5de4dd6e867429c1af35c7f3b9e62eb698fa7c9695d68e7115f3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
422KB

MD5
95b7718b505f8c67d0a6c06f1fed5fc8

SHA1
63cf3928cf4fcb285a483ee7cf8660880daeaff0

SHA256
c489bacfd6520414fd0eba937eadd717b675be0c962cd94df7174072a76df91d

SHA512
5e85fd3401d9fc61ecb3c14c0123b073287cfcb5fa2c0df4394e981c947b827ed98142f5d70bc26e67134d1612b66400c24b771466486507115b5305098d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
524KB

MD5
eff09620e9e60f98785045b0c62df297

SHA1
7ad8392e6e3553720a5f8ac88867af2c0dd590c2

SHA256
e083fd32b83e4c3848e428f384abc391cb503fda79ea0b2fc29061380af2cda0

SHA512
92d6c1118104132391d51adb35b197985e088c10308a0c67c46ac7ecc5bd478c41391e31c6050dc14562efa3b34c0cbd307876b2d9ca97132cfa825b482ecd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
445KB

MD5
585e4bf774cbf4c8036f6a2a24782b3b

SHA1
a58cbcc3e7959837c556bbc345170595f937f83b

SHA256
f32678f2397d27ca63701fa9c4bbfb1d32c6cb6f138716b896ba8b9eaaee98b8

SHA512
462793b47eef864d475a9b6125f5299f801ff5ced7a82c40789b5e2ecb730beeaa8a29b4a1806b73ea758995e754221e8611d1c81f84d2d35c24713eebb3a55d

Download Submit
memory/2340-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3684-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3684-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5608-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-46-0x00000000569B0000-0x0000000056A48000-memory.dmp

Filesize
608KB

Download
memory/5608-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5608-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5608-50-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5608-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5608-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5608-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download