73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	b2e.exe
2708	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2708	cpuminer-sse2.exe
2708	cpuminer-sse2.exe
2708	cpuminer-sse2.exe
2708	cpuminer-sse2.exe
2708	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 2808	232	batexe.exe	87
PID 232 wrote to memory of 2808	232	batexe.exe	87
PID 232 wrote to memory of 2808	232	batexe.exe	87
PID 2808 wrote to memory of 1696	2808	b2e.exe	88
PID 2808 wrote to memory of 1696	2808	b2e.exe	88
PID 2808 wrote to memory of 1696	2808	b2e.exe	88
PID 1696 wrote to memory of 2708	1696	cmd.exe	91
PID 1696 wrote to memory of 2708	1696	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\62B1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\62B1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\62B1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66C8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62B1.tmp\b2e.exe

Filesize
15.1MB

MD5
519cbcf5daaab133d8ed79b8a40edfe9

SHA1
75376dfb46fff78ad75971198e395f0db9750d6e

SHA256
a2c2eb423852f3fbdf147bc95bca463719966662ec0d8560dee08fa2a2a425d8

SHA512
4517c6f77e5c837164364934583787fb586dc2199ab72e427c1fb3eb95a71361aa6f1a43790a773d982ce801339c7dd0af1e84e83777d3df7834d177761da1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\62B1.tmp\b2e.exe

Filesize
3.8MB

MD5
8a51974691a7d2ca16d572e14bd72f6d

SHA1
fd2dd3dfccdc9976061973f46ce4329c67f3f0ff

SHA256
a2addb927e64405558879e1fd87207ff63e04116bb14da2124172b8b6e31a675

SHA512
3cdeb7616bc145f4b5e401f805b05a130769be4660a9c08ec09a6f3247477507143307ad5098485b1b39b3cbeeba5c5037a575977eee475e954903414911becc

Download Submit
C:\Users\Admin\AppData\Local\Temp\62B1.tmp\b2e.exe

Filesize
3.5MB

MD5
2d7c84f1593d50261e6278b090a38e66

SHA1
8b8b5bc865e3929a18fc3125e64412c672947488

SHA256
174dd76b5aa03dfe25aad4fb92ab4fc11a90edc1db791b2a93b80fbabeea2145

SHA512
3a37942ad2c1b257297f72ac5f9a872583571007dd0d3def0c9775f102b476a6617989bd4c7c38bb45f0d2bfb8a3a3855c189fca2a63474e20bfb01dd86d9853

Download Submit
C:\Users\Admin\AppData\Local\Temp\66C8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
211KB

MD5
b93515491510207e525d78bf38591c52

SHA1
7e23ef8d7386ecb94865281d81bb72184df3a011

SHA256
1205a8136f7664b4a5758e81d069dacad275781048efd8c77ab7d0d86051c01e

SHA512
e1681b0e76ac154430e75eb8c89e5fba1e50b0b72edb92af5948028d4439cf283c071023ebc43684bf6a2bbce45057a553b662260f91b82aaccfb62b459af825

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
349KB

MD5
db56fd7fec73da8dd3fef4f89e88e3c2

SHA1
25981e61ff7b1d0f9114042c64118c077183af2b

SHA256
fab9a68efd8b5eb270f8a585ff1366d13df7af1c4fc31ed9cd7e138d2fadda37

SHA512
0352a0685cf833bf3749818b650f071c153cab2d8d18c19bd0e5bf0f3277062509d5d97687aa48f50dad7a3ef04eaa27d0b385ea6be4dd6a8dadfc5be35face9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
103KB

MD5
97178e660a2ab396dc0d282f6a833bea

SHA1
a21f8187625b6bb1dacc9856e0255c18c682b9f0

SHA256
447ff8a7fba0de344d12b423ae7066c750e453290c39f2f0d10463b851482c33

SHA512
4c941ba95b23c505c9af9cce31876c4263207c1700ca84f5f2526e1b5099fd370201e31036326862c175951935f1fde899f6949f4905f1c8cc60fdc46670ba88

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
171KB

MD5
95d7000ed32f3c7386efa2af62398b56

SHA1
12e3188fb4a5b31162dc6c6c22047337c81922ef

SHA256
f7b1114a1cc756a91820429a620a540be24545ac2f13b9f67b0ad2d036c126a6

SHA512
2423071f603b333f947fa4be30686624be9c67fcba523954ca515ef9da03e86fbc5028b32410cbca7cfab38d3b4667566dfe591a41e50a620be3503b94e87fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
33KB

MD5
e7de7cc779edc1fcb23c5420a87d78ea

SHA1
079e4a092b042123c2879b81fc23707eaf330920

SHA256
116492fd069100626d79849759676ae513cb71267399c493bf0fdaf678d1ccd1

SHA512
c0a0430ac5b5b9306fc111f88d58d1f413a133e47937121c0f253620abe96ee64b6cba792f141211f2abb37782c116417d5dd76e2e00f6148ff53ba6aff6aa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
129KB

MD5
f8c350ea46872735e864b8e9a651f93e

SHA1
c9dc1e288085e133a603d47389b3caaffeb3745c

SHA256
af968e303d9013bb0e870cca348f4374b5e7b4c6012dfd57cb24dd4fd45a49d2

SHA512
0b0db1f1cb73281adf74e97885480ad90ff12a8a577260263c5d33aad45eb5ecc5c1810ac096d8e959c7c04d676c8d28a3e426c5178dab2461433d27a1d71e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.1MB

MD5
f6ff763a4cd2007c32b87aa8f9428e10

SHA1
81d3d2ce8efb770f1e10e90f80704758091a037b

SHA256
c25036f1fab64384b9ce534943e91d23d96edba488d654ffb8db0180861048be

SHA512
42c5b7eb04ef9e7487e27270be49f821707abe7c7b7fda4e30751b81e6719a6375a3bcda897be2e664bd40e267193b4bcf384fcb0b290dea8fadb507aacc9d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
14KB

MD5
5c37dcf3e37dbc99177c5bcf977be61c

SHA1
44b8d5a15e30792b04ebbcd38b18779b66b5c07e

SHA256
29d05cc85bfba5e047fa07d67fd4832259ed2cd8e651e1d0719d6d1fe4ab1c5c

SHA512
7653829956b1e040b59d78d1b8d3efae81a65c906be1a5538d0ec6167af3fce5f0cfeaa506290d3ab23d192ff971a408c5b4a74736c83ba3ee9e6faa6b611d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
77KB

MD5
9793672da488413a6ef79c427b72e1f3

SHA1
67cc7056f9d844e4a32414bc655b45d9c4f48eca

SHA256
f21b1dd056e1361dbe899620f242dbb338de5a7a89a708cf4201aae1230ee3ea

SHA512
77f68e6069f03e4719e2c12645691f2783dc768613d03478a086a2f4348af3427651649922e50ebf5ee97fe07cb9c895d0eb1b3907b33db2c90ed06661a5b931

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
22KB

MD5
50237a81239365f13bce1191c9dcf4a1

SHA1
97d18ee2715a1cd6b4672b16c4403280bd3998ad

SHA256
5c0f4b3ca7a2be7fc226631c4d7794d616f7b582ab8e74c397738f949be4850e

SHA512
9076efb2e4b24c9641af352fce663c2a9bd21e08ea846b1a161be7e4d8c8bc9bc4ee76f58ce40bed9e44a90f08a70a56b1b69013ced50eb04f81bba23e749da5

Download Submit
memory/232-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2708-47-0x0000000001030000-0x00000000028E5000-memory.dmp

Filesize
24.7MB

Download
memory/2708-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2708-46-0x0000000073C10000-0x0000000073CA8000-memory.dmp

Filesize
608KB

Download
memory/2708-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2708-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2708-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2808-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2808-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download