73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4632	b2e.exe
3832	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/492-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 4632	492	batexe.exe	83
PID 492 wrote to memory of 4632	492	batexe.exe	83
PID 492 wrote to memory of 4632	492	batexe.exe	83
PID 4632 wrote to memory of 2040	4632	b2e.exe	85
PID 4632 wrote to memory of 2040	4632	b2e.exe	85
PID 4632 wrote to memory of 2040	4632	b2e.exe	85
PID 2040 wrote to memory of 3832	2040	cmd.exe	89
PID 2040 wrote to memory of 3832	2040	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:492
- C:\Users\Admin\AppData\Local\Temp\900B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\900B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\900B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9664.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\900B.tmp\b2e.exe

Filesize
3.6MB

MD5
6f41ee6213addc2de3e8570201942881

SHA1
d997279cd97fea1a9579498a933926fb98ac7877

SHA256
17fbe364defbb72967d736c6f17f27e6ce39ae2320fcf991ae3f97a348fa69f0

SHA512
8914ae28ced906da3ebba66eee1d6ddd67a9fe697eb70b8896c0e06cc904bd7750311001551f820219c5ac2f07e627fe611ea3481e128abff201948e698aecf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\900B.tmp\b2e.exe

Filesize
6.6MB

MD5
6e798356a224fa4fb1f4e625e316a342

SHA1
50d24189d987ec4ac8dffcd3e75edad9e7e3090b

SHA256
e721fc29f233301d719adad246e524973c0290891ba80c2a61997830d3fede61

SHA512
5f4b3e60e89faba1206e2374690cd11d167a7fbbaaa01ee978f7e82187d5acbd1e6d145e67d1070bdcea08213e25ccf0616500ac2ed15021270e012f26248ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\900B.tmp\b2e.exe

Filesize
7.4MB

MD5
d1a23c525cadfa5c6ab9f27f0135d7c4

SHA1
25afca5be8691a6e83454cb611e5c2a8f7ea61eb

SHA256
a9049353b2a7d703222156baa1cdf3d3a2f00d0c7eacc30ea538049fa0e79268

SHA512
18f951fb9da9aeccda2878dd3cdc85d10bd25b866d0cfc1a36bdec4346a37fd12bcd585bef45a52a9b5b43761a71127ce9744e2872a3c772ad19ba1e8fec02ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9664.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
d6a2651ce86560ec77259efc3df246fa

SHA1
1e72d8e5049a66e1f257d00847fae193c2f8bb02

SHA256
1703f2c16ca81fd8d53d899d0c191db61af986281cdaf3939e9aafcb2aa377a6

SHA512
eece650394d481935c42793702efa7220ae51d92e50dde346b62026d1946418011f665dabe217b6e775b79d65b7580652299a816961a23880abff400ee14201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.9MB

MD5
5263b3c42459f298245563a378085583

SHA1
8033595357cf0fb205cd2f07211e6dcddbafdb94

SHA256
c9590a9d9c5852277010621562e001f0ae7b86e0da536961370234cc68f55c68

SHA512
88f340b1f64450b01db7892fb1d3a67add59a96823bbe29eecce507ab8767255fa910a89453e988eeb611e6a5db871b97ebc688090fe019638ce4ea5fa431206

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.7MB

MD5
1e9f85c2f0775fad9062c4353b786616

SHA1
6022d9392d840ca887e54b25822fcdd33da85c71

SHA256
e12062782760feb5983ef38a672d759883368d4fa517e33401e76424651a5849

SHA512
7077d4277e97c174a49d4d5e94a42934dbbdcfc84ae568855d30af5df26f3d8834164a4bc2f8a776ccc6f9262fe100d6af22c9790caf39459057f58da2991e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
14d44de2a376b1198061fc01858e2b2d

SHA1
8a1b58e76c5e430eb5ff096dbf2a38f26dca3374

SHA256
8f5659ad955880f7cab780654c4de0e32e7891d156f9c13162c7eca5a930da70

SHA512
bd606f91db78afeee442dca17ee6d96d49af8498d746e622e882ce5350dbe170d089fe9c3e3d58ac533e05a49c97a685087395e74d28499aaf28deef66c3486c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
e5ad741b50e51cfb77f8bc80e669acf4

SHA1
19a1ecff5b7aa7008d0b1d70dc2aa4b1b2ed9e86

SHA256
c9edf0f5691a3cab0fbf0d94c28b2dccb6e155e541a871b29873aeeb1a7f1c1d

SHA512
1342b8d883586a5946bf83d6e31a4a078dcce1651a0ed2eabe3d539adb1a3b0c14f821161f82b228a3d3814bf39bbc401ffd5128c80805afd8cd4b37bbf04e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/492-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3832-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3832-46-0x000000005A280000-0x000000005A318000-memory.dmp

Filesize
608KB

Download
memory/3832-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3832-47-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/3832-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4632-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4632-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download