73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-02-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4204	b2e.exe
1516	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1992-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4204	1992	batexe.exe	83
PID 1992 wrote to memory of 4204	1992	batexe.exe	83
PID 1992 wrote to memory of 4204	1992	batexe.exe	83
PID 4204 wrote to memory of 3920	4204	b2e.exe	84
PID 4204 wrote to memory of 3920	4204	b2e.exe	84
PID 4204 wrote to memory of 3920	4204	b2e.exe	84
PID 3920 wrote to memory of 1516	3920	cmd.exe	87
PID 3920 wrote to memory of 1516	3920	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\9971.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9971.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9971.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0B4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9971.tmp\b2e.exe

Filesize
2.0MB

MD5
d73cdad2d3e46370f2ebceeaae3dc5f4

SHA1
2744ea7a9c1e7ee11e4a4c2330e4e549ae588b8d

SHA256
f05b8235336e75aba9eafeba2e0beea394b21afea1e99c81221401e48e90d178

SHA512
b769719249d54b6f9c40d7361ca5153fae5a6f0a130813a9c730fb45f458930cfe831dfb8a2700ee87cafab3a1a962b07ef35bd6ecdff711f4d71c4d18a1ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\9971.tmp\b2e.exe

Filesize
128KB

MD5
272c54a9b6cdfa558e23cc257343048a

SHA1
7f26d86cf2a3625ce3e70c9cfc9b0cc075b8d5aa

SHA256
1d7e7ea2934d091cb7ab81c31e31b4015e05a9f86b213f9d78b0297c88fb3415

SHA512
5139de29262ba7091e5ab0529232912aea9ca34fdeb16165021d3ccaba1d351abc59f2130eaa6af8c3c0510db5f649095f7043ea837267dc9eb4ce0169fa18ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9971.tmp\b2e.exe

Filesize
31KB

MD5
eaf422aa472d0a2d6246b22e59ed7024

SHA1
292e720c7b45c3a626adb7786bd20654c9bc1cf3

SHA256
ae842488ad1c691afdad0a9c4693b04345662949aca2df841d710669a828b5a7

SHA512
75d92d120e8605a2512644847411713a2a52e4fdfd860dadcaa6f27dc85f7bd2eb5c93bd9f3b1acdbf82a635e7d7c9f78f70548a1a7b03d691109fbaf4f6ec93

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0B4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
0579f29bcabbf3126c887746a6ed55fb

SHA1
bf792d983cb778e792b03fe2df1aa7926472ee87

SHA256
ab7c4ff76ef2d263863dffb9adb16ef29c440c7a96a48940ccd6c88e72e423a1

SHA512
47d61cb24148815cb3339e1ef99ec75f68644fa21fbfc928bd8b3825da292d9930755f305cbc77d8dba7a79da6b2630b24d9dbe09db6f4d855a6add63ea3262d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
725KB

MD5
9944c60c8c6fd938b90eea53b0c0e7d1

SHA1
fc872f05aa2f662bae023482d2d28e97fdaa18e9

SHA256
36ad80c23820a8feb6571e630929bd0b524e729f32506f30949c57a453adc544

SHA512
f7a38c7afa4ef6e940835575a102d41be3d31dc7fcb977668f929cc8a53fafa324f7a552c0e7eb504cd389393788679507a2e455e5c9a669c4acf8296a43acc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
982KB

MD5
c7b20d2dc0b09f57e112afc8b549c7dd

SHA1
34b792121f83965c0b3f46fab5cd7344de9675d3

SHA256
9ddabc3499bdce5d93fb288143db6b6e995ac9578294610aecb8c48539a0d1e4

SHA512
3c22a2d3e434fcb149d7ca248dac39d8878f0bfb9bf3fdba554811ef5492c9f30bf52525c20175051d6c310256b15195ec8ce597117da331a1478dd9c81e9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.7MB

MD5
1d3b6d56da4c1421b280b644a7b7267b

SHA1
c8581966f3ba10654110f9668a691e4642e398e5

SHA256
dc9cfc0af43f72238650e4baa07a89f3c5504d76c8f11f7a0a471a89895e358f

SHA512
eaf9f38cd7acc958e4e34f4e6c3337bccc26b46b61110216f1e22677df5af19e9d3daa7f664f2bc67cb74c543b7c5710399529178ff45a2e3708b61ca1c0999b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
2456d007d6f0b8105db96930f7ceb392

SHA1
a7ed67af6f96a149d9c008c6b920fe8c9b12de80

SHA256
6c2521fb0bc0248fec85c35b62c107b47165242b5d6e7cb0735f3579a4d4bcb1

SHA512
da9fce16dd8cbcf30195198d49d7d37f57e20ba15f69bb27851b2298919242d2d58d589a83231c9f1e017f35105be8f5e249ac379632b04ae9622ea230bfa3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
fe2493bb678b7089a1454e3416372f66

SHA1
a096d46933a02e8488d41d6b251716ca04d48a43

SHA256
5a459346b9007f16b596a7aae6cd7b0954ab1ec4bee2a625551f6cbf9df4c981

SHA512
2878ec153637b35801baaa2e092b0a71e5c65e3a74fa7ec42383b0cabed437cf8a79985881a6bc9988deeb4951934e5c634a11a7d593febcb83f22e280091a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1516-46-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/1516-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1516-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1516-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-47-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/1516-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-102-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/1516-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1992-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4204-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4204-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download