73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240220-ja
resource tags

arch:x64arch:x86image:win10v2004-20240220-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-02-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	b2e.exe
3508	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3508	cpuminer-sse2.exe
3508	cpuminer-sse2.exe
3508	cpuminer-sse2.exe
3508	cpuminer-sse2.exe
3508	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2088	224	batexe.exe	87
PID 224 wrote to memory of 2088	224	batexe.exe	87
PID 224 wrote to memory of 2088	224	batexe.exe	87
PID 2088 wrote to memory of 3096	2088	b2e.exe	89
PID 2088 wrote to memory of 3096	2088	b2e.exe	89
PID 2088 wrote to memory of 3096	2088	b2e.exe	89
PID 3096 wrote to memory of 3508	3096	cmd.exe	91
PID 3096 wrote to memory of 3508	3096	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\5DDF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5DDF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5DDF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60BD.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5DDF.tmp\b2e.exe

Filesize
8.8MB

MD5
b898d5a3f9ee6358b77ff766ef16e635

SHA1
4bd5722962727bf3ddc9ba6d848ac4786e5d837d

SHA256
47350731b84eca46584c95d8a361ab7f1dde01249c94234392fe213f2f357dc7

SHA512
469c6a02a5b252ae705b5ed5005068260f23a5733723149a23552a02d56e66025f95856788710f8d973679c8bdddf2a5af79388566201875710f221f9c3a3cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DDF.tmp\b2e.exe

Filesize
2.2MB

MD5
5e7f9dbdb4be3c4af7cf66dcef7f8682

SHA1
b2091a5f37f8f5699183e11e3539a0c5b78d9f00

SHA256
bd84ff28c17d838d6051f736f15e6dfcc66c6bc729fca080f5ce755ee8432743

SHA512
b789e6f9d1e9e62ac4e967690bf25894ea1c4489c523391b7433d3ed77131251a7a875c6366a6281e8688925032ae3d9106e8a6817f3167035a3ca491d177cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DDF.tmp\b2e.exe

Filesize
2.8MB

MD5
1cd1f1463362e82070bd38c1ad8de2d3

SHA1
02b59eedcca64d1bcdbebabb05228cd292c1fdde

SHA256
80c54200113264848b0a02dfef414bee7e1000ae8db116136fad1a6474d43e29

SHA512
f67290611bf4653411f513f696f93add280763b3da208f3ad6a5c2b171fde413daf0d6e4909a13d93a08eed4946e98332ba40d07e39ba686cf356da9d87c355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\60BD.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
791KB

MD5
07808fdba34831c841a01c155929f841

SHA1
a3d533a465e58d3d0c53c9d0329f54a0e2a1b925

SHA256
2d4d28d1bc113ad708af5be61e925de470eb5f0078dabd6650db9ea620c4949a

SHA512
15fcc4a12e9766ce9cf2d498075dcfdf42621153b87ef23c5604a7d9380310d6d82638bcc5be11bdafea460fb109df54ff29e9a0e50aaec02cac16782d55b4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
804KB

MD5
6fd455df910c536716488ff5da896162

SHA1
770d82e7673703920ed7c36f73c0a0274aff84f7

SHA256
ed445975055f44637bc8a78cce47c9245e259ddb77e01428e83bdb588c9895dc

SHA512
89fdd00a3b80320b8a0acd8e25e5ebef5da4bcdf24a13403785f8059217ac546cefa8b5c4b1242da45300f0fa81e1d454de2ec11ebbffa7cd75b40c429ee3ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
762KB

MD5
8b81fcab935fa7636c1eff4b68cac7ee

SHA1
45b8192f3a19c3baeb850bd1c71ad3499e50fcb4

SHA256
253b994baf31afd523820449c5a2c5f3c3f32d7c0cba915362501f24fd7049db

SHA512
ba4177f762d8a61babc21a2f08f9a54959d5ae9a579d599f2efd76ff730ada9ceb60b4b5788853d3414316c10891bce08f02f7501141fb299577eb030d72f71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
453KB

MD5
fdcf6b59e6bc9cc0f56b055cc65044ab

SHA1
7dc01e0d81a98cbaf10c2668b91e612b6e5e6c33

SHA256
e9daf7f3afc821dce22408fafbaf7783b28996dcb8faf8eb9150c8a766088ca0

SHA512
d1e55808e11048571ca682e706aabcc97b484b51171dc20d182081ba038a965ddc4e7c216855f333f96159db85f0a66246f03b61bf66459df9e5839aefa46289

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
654KB

MD5
e895a65a8aa21b26fc97e592dd8806f7

SHA1
11f0942577c53f742536d2fb02d3e15bc3ea314d

SHA256
a89c4337e77be0d177f44e5edf2ae7ba99925df0e6ab9f3b7ec67ec2daa0246c

SHA512
524f42d0a0e57db88a3688bba7d67ed9683af7a1d5d2ca16ac58fcd3f8fa25ae398b5ae4b2fd0dff4293af320531448f910a01fbb8d98d642b6067278b76c754

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
791KB

MD5
44d6c3f7ed4d309680867d1e5f771ae7

SHA1
2631d60792f5ed319eebe5dba92d7d8f61cd7850

SHA256
16cd1645771a557d5f2b0a9432c31be0605194d3219c373f5fca53a1aa41cc8b

SHA512
871161096c6925e1eecc19d3df6a21ba6c98a20b9786608009f6bd0026ef941ef689ee35fa4196a0b61978455463458f42d20fea715489f3af0643a4144592f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
583KB

MD5
59ed6902083beff42823312278bad223

SHA1
271c58f4207d079b568f78911ec816abfcf85845

SHA256
6d7c8d9ccede6b662e8af3d0e8f709f694c275e0a35d9a6347e2e24f9ee33967

SHA512
021b948737a2d0c30de1a0e1d8475fbae68a87a323f16bb12a1b3642d34afa2a5701a0abe1987a2737c82d17013cc3d82d8f69180a220fd22b235388d0e3b700

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
661KB

MD5
92877762e4248c22e9a2d555d8737544

SHA1
d2674e8a1ebe060a088800cae333c65a6feba2cd

SHA256
0ac728bf17b916b8e2785cd28a8a31db69d649c5f0251d9673841c5cb7580a0e

SHA512
8237c268970316e157dabd50376ac84d8f6693b8e4f8a835ca43f451567d9c7b0d3a8dbd2c3b5408ed77ec285775706d589ad1d6dc3b5d3a79582279e68a4371

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/224-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2088-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2088-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3508-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3508-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3508-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/3508-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-46-0x0000000050060000-0x00000000500F8000-memory.dmp

Filesize
608KB

Download
memory/3508-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3508-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download