73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22-02-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2872	b2e.exe
2452	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2452	cpuminer-sse2.exe
2452	cpuminer-sse2.exe
2452	cpuminer-sse2.exe
2452	cpuminer-sse2.exe
2452	cpuminer-sse2.exe
2452	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2968-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2872	2968	batexe.exe	79
PID 2968 wrote to memory of 2872	2968	batexe.exe	79
PID 2968 wrote to memory of 2872	2968	batexe.exe	79
PID 2872 wrote to memory of 3592	2872	b2e.exe	80
PID 2872 wrote to memory of 3592	2872	b2e.exe	80
PID 2872 wrote to memory of 3592	2872	b2e.exe	80
PID 3592 wrote to memory of 2452	3592	cmd.exe	83
PID 3592 wrote to memory of 2452	3592	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\7470.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7470.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7470.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8CAB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7470.tmp\b2e.exe

Filesize
5.3MB

MD5
9052fdb24dd5c4b87faaa785c836d7a6

SHA1
f300f1f81a4001d1f8ae4196acf5a615fb859d21

SHA256
adf48aceaa3e2c7b9c55dcf36c9ef045f2f36ba5ee3596cee31e560e3323f60b

SHA512
6b4b6e3ebaa72cca6d091ead4b64d70ed06d6900e5aa56d445a2b5e353b29564b724047fd022766f85eb45caf3020a2109f81c55986f5fe1f96b48cf5399954d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7470.tmp\b2e.exe

Filesize
201KB

MD5
dc4bc52486622ba16c0e762b233c38f6

SHA1
c2c295135da51d8e808d19ebddbde8e10bc669c2

SHA256
598dca4990328919429abc7e53d8168f9f6231fdb2865aac9fb029df990405ac

SHA512
651c0e72e26fa4751f1efd0ee55252a3a5d1aae65cea061ef3650fcfe0cf6ed792389a961123187f9e853c2724ffbcab07490f77b9ada0b1547fc4c9dab1fc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7470.tmp\b2e.exe

Filesize
219KB

MD5
bbd5dd967591acc0e3d108b4d5f4ad0f

SHA1
2a2afd596bf68b937c30376eefafcb6c62805a3d

SHA256
d5309b92dfb61bffd7a0306cd39b961bc8cd145a14a03587707da739f93dd449

SHA512
dd5467e7fdd6d0959c07fa57f409120d6274dfa610b0301232dea2f46b91e01d4859c91aa4b8fe65cc6a538544da0f412c0894f31a4899b2e31efe0b05775214

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CAB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
95KB

MD5
0e07d26839d71cbf097502d7bfad34bd

SHA1
2ac0b97c484617cb5ca007e35bcd6a70ef503ea5

SHA256
c35d8a17811542fc28a198fab9d88f947d5240adb4e946082e1303274925c1da

SHA512
4d8fc2c235a9bcd6a0001db2bc3a36161e44e365ae78fe9525cb2198d5286f16bd99ea4575aa7d9daf08126b1b8a5fbc28e8d3c214aad992843f3a093f4d2572

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
128KB

MD5
87bb74a6790018700645a8310bb9a32a

SHA1
b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b

SHA256
ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298

SHA512
702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
658KB

MD5
26dd60e9663932850f082d2d23a76811

SHA1
48b56496b91ce298bf7fd25bf6a5e065da6d370a

SHA256
f13ad7f9092385cedac9327b7e3dda2867b6d150e202fadfa475ee91c8734d4d

SHA512
97ecb8cf8f453d9eff63dfa39210e4fc50649d4ddae371edfc6d90f927df8f250cb2beed5923eb7306d9e47136322d49daed5f11fa57b8ec82463666f8ea9311

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
134KB

MD5
b8a23acb955562d273d5be79f4e050f8

SHA1
f6775d0a7dec34318a0e5c02928cd8ac41ae373e

SHA256
4cb1afacd83aca825dd0dc6125cc8413a913f7aa82295a2da44c8f18aaac97a2

SHA512
6494f58b9369e2e3394a62969d5920a6a4ec9f3b26181e579fd6a5f000e2f87778154c27b4611cc9a3a3cfd7a35056d48f25ad2962ea1791e5d95cd573574f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
89e1a0631c6e8f00c971b244a73c6c58

SHA1
2de3fdcecc3526bb203cfbbd59cd6d127fb49f55

SHA256
548e1f13a61e24dab26db74662bf517c21bd1a74653572e956ac9036ca12bfbe

SHA512
f8fd6e900d85f81e145aecf02b454f1aa85a7e1ee047db4dcdc5ed7fe5819ddfc40ec4170d35af674fc403eb12c9ec3f89aae33c187bafd013274b53bd4f30e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
882KB

MD5
62ec0f098d0305ec4ad5cff32c6a81ad

SHA1
27bb122f4b53012811af6511a4e94455e918f72f

SHA256
9982ab2246f124811896bd05d174da08d802a19c16eea1224122edc71382765e

SHA512
198e33db302852ea007e060971168761e04587a22f212f52891cacfba6064349f85b565e705a9811104cef180c51e916afcf6a32f15cfb2eeba19e25012c67ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
83KB

MD5
cef59cd202d6ca7af45ee0553032391e

SHA1
2b339fcd7b59d7151cbfcd6fb243175b66516836

SHA256
0cfdfb8a00ab08f2f681c936155cb8c7eb8ca79ad797b8250439cae6e73e2715

SHA512
165a652764c82bbff77d34c78e247a8ddde42e661ccc1bb0dc3490be0a01752f69a8c6d069f87ea81b23d0e171ec478e12e5ba511d5da98def8a01c0ae5cc9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
44KB

MD5
efa92c07b1230dd72c9b376ed3f21ac5

SHA1
584cc61b54c287d544aa12b6c63276276bfab5f9

SHA256
02d7fd4ea00c8a767de6fb89ce037ef5beb2d0ebe8c11b8173c45a9db0c84f8e

SHA512
739cffed20b2b9b76f5a9ea37f09fb42ec0a3d7c65e822d8e4206c9acb6c77f51dd019336b37992a22699561d8febc99c0c4186fc84fd9b5577a5181746a2d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2452-49-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/2452-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2452-48-0x0000000001020000-0x00000000010DC000-memory.dmp

Filesize
752KB

Download
memory/2452-42-0x0000000001020000-0x00000000010DC000-memory.dmp

Filesize
752KB

Download
memory/2452-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2452-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2452-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2872-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2872-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2968-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download