73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-02-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	b2e.exe
3148	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3148	cpuminer-sse2.exe
3148	cpuminer-sse2.exe
3148	cpuminer-sse2.exe
3148	cpuminer-sse2.exe
3148	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2748-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2152	2748	batexe.exe	84
PID 2748 wrote to memory of 2152	2748	batexe.exe	84
PID 2748 wrote to memory of 2152	2748	batexe.exe	84
PID 2152 wrote to memory of 2240	2152	b2e.exe	85
PID 2152 wrote to memory of 2240	2152	b2e.exe	85
PID 2152 wrote to memory of 2240	2152	b2e.exe	85
PID 2240 wrote to memory of 3148	2240	cmd.exe	88
PID 2240 wrote to memory of 3148	2240	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9839.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
7.3MB

MD5
5293aee991857d47139b5aa383f59dde

SHA1
00cef2065c48ed9e69e6c9d6cdb2e7d36fc5fbb7

SHA256
f4954c715f622498aec8541931e62e7b7284d99bb0fdb9593c13d81663d544f9

SHA512
3b5d9c230f15a09b207df3817351951df93a2794bfa0fc305f05019bf101da0044d7c69a45e008c76652c51fbb7fb9ed1ac643c08cc0886f0d18fe6928a8d9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
4.1MB

MD5
55075aad2654558e78c79389d328bd6c

SHA1
3c49741995c4eedb25ab33cc269abeed7e5a00b8

SHA256
778ee0f65897dd81fdfe44499a01fd879b1c237acb9015a4b8afe1020809e440

SHA512
0060002f1ddd8ba3d108c627afb31818998a107e866db7bf1de6ce534e4974c520e8a4a34a0925c1ecac868c5f85543afd169b1ad77b81521b88049bf784ec5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9579.tmp\b2e.exe

Filesize
2.1MB

MD5
bb0948bca36d7e796486024a6bb4928c

SHA1
420b62d2464f52552f0a276b2a31101d24a99d8d

SHA256
5f1273acedf115aa0999905ccf9f774e8f763c20f81dd8ce28f36c266f9c56d3

SHA512
a9a968780694096b3acf114f774a5ae2c1eb6c6ed7cccfbb29bdd4e3d2de9326b42ca3d066f9b0123807d8b188f175350570e681b5da712b345d65f3f651a7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9839.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
310KB

MD5
698fa1dcaed9a29a8ae4034b8de40c8c

SHA1
d15cd01b454689d16b2b13fae122b3ce8e399fc5

SHA256
b07f5b927b739ca999e5e6c754fcbd951db96897e8499025295eba37754830b1

SHA512
b802284ecf01fc22b48dbad8e66e60efafe3dc1e0c5cfa583ec8ca5ada708f5d4393a8c6e584b0b8703b869513cc15891886ae85193fb5cf9352e4cde893d6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
325KB

MD5
0ed8c529f6eb45743be476bd6c97be45

SHA1
016e90d1ccbdb5b591857c15c6a33a61ff68997c

SHA256
d006110cf2c4171a237bfedf8cee0b5e4de7e201bcb182f660a781fe21c5a3c1

SHA512
d22da71345f162ec6df0364296490f9e33d1d1f315486538b4d11f7fbcd9350cbdb7008020bf9df3594bdd3168d901dbfe3213e617fc3d6fd315f67a980bcbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
387KB

MD5
ac3930b0c83978566b3141a5bfad85c7

SHA1
549ebe07fba7729e405a7daf657a70122f2ee57e

SHA256
9d4597f6edb5242768a7dbf27c12549fffc227c56b241a20403304b507f4f4dd

SHA512
a27e49b75fa1b0126e2c9326d017c3e32af0958641019279de7e717201bf36338606a1d0423f902fab6e09d9382c32408b251dfecf8b945c9c97118711ded8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
486KB

MD5
da280597474e0e3bbcb8783089346368

SHA1
26a1b51196d49c0c035dc437d4dd0f0d8d9daca5

SHA256
62b08c3f6daeeeecab4932fafa29a8d953f72d3402ee726579c5e752fbc4408d

SHA512
68899f2383ce2c45daf942f6ccab64712ad15343c417f15ff171c4290c4cf0c458d4543ba25422f5e6bd06db4f0ea339306de8fa5cf948953d6ced3ab6eefbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
218KB

MD5
c6dad344449ee1c65c24fdfab16cc92f

SHA1
571ea571b03bf27f7d3dbffef080edb960c0165a

SHA256
a98a5991a4b4d4c3679a4b08572cea1dcdf1f34d80d5b0f887fb43203bdc5ecd

SHA512
70ca002b06e683e1a89ff667b8abeded5b496e1d08b960233a56c10f15721862620a965ee4c9bae781077cba73e72f1e7388d6a777f32734bd18dfd6eacf881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
342KB

MD5
546ff6e53530c377b230422ed6557df5

SHA1
f8e3d87117aee5aef06a997e56b40ebcc187dbe5

SHA256
97031a589397cf9127c5e262039d8475eaa54f8d657a9f7c3a6b117e1f4cdcea

SHA512
9dd100ca247e9309a3bdd15ac0ef4fa092a6749b0a0add55f594a126477a81e099727b1f2a024dbb72eabe665788cca49403c50227bf1d0e288ec153c6a0904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
284KB

MD5
baee6b5985129d40f94cca2f70ed06db

SHA1
69a853ccde76c9c99e489d4d929f6f5257c4bbf6

SHA256
4b10daaa165f40ef631685703f81c22195836f2c32a49dbe0ba5a30f1574c270

SHA512
62be1cdf9c4868e9ef75c94d2b6a7a8bcb1e9bbed48a50749551146c1200f7dfe78c2a7dc23b00379e16e18851e8de6c9bbd53c5fad9f9d03c12504721976d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
65KB

MD5
12c078c2a2021a0a31f7381838020a07

SHA1
b13f77a45d5f37711fd2e6ffa225b5b6fb574b3c

SHA256
4b44959c8222c83a7f7bfd65481834d4c77fde0c392a92f47a080a11f054cad2

SHA512
5ddb0dec5d5e0288f336d8301f85e9481118eb8ce5ce624c53edc76e555559c07adc0a211567e874b1c1ea6d065a9de3b17d81439bea78037fb8fce0d7dc7ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
201KB

MD5
75af272b019fe4af6f43fee59c877b9a

SHA1
d5f73bff9a64a1e2243e2a3ee37fb30dfb52d4bb

SHA256
9420c0059d72a67b13c53ce96daa23b659c6d76af99348d0bf522358172d2171

SHA512
1d531a9580ba49985f3e759b3260c5dda982c2d9b4ddce5e21ee0562328990f8dc10f893a89bdfcdd964cf4457d42d13183943bbd96d8dfd001e26955f4acea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
271KB

MD5
f700529e04c603a005091163c5d6bb4c

SHA1
3cf1b4376aa6494685041954efed3769ac93d47e

SHA256
b018c8f730a9cbb8cf9db37d8bddc3927e6ac77f612f5fc26e9d4ac117103caf

SHA512
57efa7ad094bd432970ce902b3f0efcfccee76e19423465dd57a236de3f12f0b8b8be9747028029fa7a7de1537ba8fb4a9b5107589be1bf9e8bafa27c04fd96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
342KB

MD5
2360ae0ae070a223624a531d0be5bb1f

SHA1
7872267a7a84523f49bea84039487442b0b3c807

SHA256
fb563853f0e4ac085f5892c60cca0c762aa28c17b5551d384a0e937b839e754c

SHA512
30d6f3e7d61ea58d49f5b280a7d84167131b3758bcc395b2420b2a808d16fa498c418630d940d104e8dcbb5d4c5c130a82017828f6d8f321c279cbfc4861b975

Download Submit
memory/2152-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2152-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2748-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3148-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3148-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-46-0x0000000063360000-0x00000000633F8000-memory.dmp

Filesize
608KB

Download
memory/3148-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/3148-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3148-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3148-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download