73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3716	b2e.exe
2988	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2988	cpuminer-sse2.exe
2988	cpuminer-sse2.exe
2988	cpuminer-sse2.exe
2988	cpuminer-sse2.exe
2988	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/244-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 3716	244	batexe.exe	89
PID 244 wrote to memory of 3716	244	batexe.exe	89
PID 244 wrote to memory of 3716	244	batexe.exe	89
PID 3716 wrote to memory of 3556	3716	b2e.exe	90
PID 3716 wrote to memory of 3556	3716	b2e.exe	90
PID 3716 wrote to memory of 3556	3716	b2e.exe	90
PID 3556 wrote to memory of 2988	3556	cmd.exe	93
PID 3556 wrote to memory of 2988	3556	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\564E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\564E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\564E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\594B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\564E.tmp\b2e.exe

Filesize
12.1MB

MD5
8865abf47b6260ab151d9acc41e417b5

SHA1
eebced6e4fb08a26f38775d856c0054c36be48bd

SHA256
040b0186cac4b012ccd5c596476ce814c9e135fac8b62dce76e3a4e00a7caffd

SHA512
b416d66b27573adf65fb3fda6707aa18102fca61de38b66e9db7a13cbe13535bd7fca3ac062dc43c2edb22c9a14051209708e2e55372279769e7ea67091a9584

Download Submit
C:\Users\Admin\AppData\Local\Temp\564E.tmp\b2e.exe

Filesize
4.0MB

MD5
2557ef8e90f69f4d5e680b477f237554

SHA1
b2ca33f1b7a29dd62a2cdf602b63419302c334ec

SHA256
bcaa24a6f2732c8c64192974d3121e75c116a4a9532fd289ed4d1df75eb1aaaa

SHA512
865398dcc3469ceda6b726ddaa6bd559785d4b3cdc4a615ca6e43a8dad566c57440e11337867909738467c2151ce09127c699c3d622dbdca5993dd8053c8da4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\564E.tmp\b2e.exe

Filesize
4.5MB

MD5
70224551b454a2820767a3af2cb203aa

SHA1
634bec1dd741649b14e3203ba3dbad6601e4f7a5

SHA256
742eb03ab86cec245e30ed0b69ebde00ae3e5405fe492ddbaff39bb61da5ae62

SHA512
476aad7ed88ab9222eaffa62671bba1791641379e3ca87c012231858bc4abca3218082306b19216334f28dc881ef1402d5ed4fbfdee48a50ba5190f5cae98109

Download Submit
C:\Users\Admin\AppData\Local\Temp\594B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.9MB

MD5
b2d8e21054a4ddb28a62204fadc42445

SHA1
ccaf276bd901cd354c40694a2b7476bc56d7f2c4

SHA256
a6f520d0837d5233fc5d30acbfd8317af57d2edcd8bbd2f9dc294de3d0582b81

SHA512
38584fcba5b87a33d5773ae23d4db6888d9c9acc71fadb91d38ad2a845d3c2270eb456164460ada17b4858a72dc126f7410b3d00b507645214b7be9f8fecdc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.4MB

MD5
2ef40d5c3b964c66392be6a3db51bf84

SHA1
391a644aa11504129db4b42007b054f2c3bf5414

SHA256
0ef835e2576ba8fbfcd733a66284579607cc8dafdc2b26fe3c0091dc66d8e707

SHA512
0b568c8b5ef88af49c00801cd5eaf3e7262367d2a3356f1a685d36e3c1dff63babb5dd049d5a1e7fbe214cab35e6f271d0a105e073a1fb2c281bb5c0279b7107

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
6209d231684a8f2e5e435f52c37246d1

SHA1
b86fbebd13d623ebc5765543b2ef075f41e57c7c

SHA256
d63535da6cdab2c1a2fe1620c6a418ba16e60f52545f5719bb88e7313f63de9c

SHA512
9d4d2d39827ebd76373a3cb02ccdc6b70737b4842aa9e9949f3c411502feda78d8c60e0612261f2b0491c928f3807c5d43030fae8d7192f265cd42fa356c9f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
952cf9c1c9be72c2375e13cf518f1eb8

SHA1
12e133ab6e333726ca2b047d8b0f44db463ff0de

SHA256
1d21d4eff55eb52c29c48cbd3f68942f53b5d7f9b84cd2e5c100d2b792417c19

SHA512
c4ccb8985b9a81e03624f1fc4326ed696a16418754aeb55435e98cd9ccb42b55c7207c082803da5b145fdb68108e53bd0b9946e6b8380a58e0306f79da590631

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.6MB

MD5
23757130cac416b44464e82c6836c6cf

SHA1
fae38a88b9a05d1f3ce585e8e1bd45e4990d4248

SHA256
82b432050185ef7667c9b754300da49215d9ee67b7d83abc6a37eaf7f0fcb164

SHA512
fcf6d16cbe815d46946f5047d995ba7b00aac6728a549be610de59e3d6bbf5ef83d523e4ab795a19852965dd59d3fe7b58aba490dad8c327f871ffe1b13d15cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/244-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2988-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2988-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2988-46-0x000000006E470000-0x000000006E508000-memory.dmp

Filesize
608KB

Download
memory/2988-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/2988-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2988-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3716-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3716-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download