73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22-02-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4148	b2e.exe
5624	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5624	cpuminer-sse2.exe
5624	cpuminer-sse2.exe
5624	cpuminer-sse2.exe
5624	cpuminer-sse2.exe
5624	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6036-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 6036 wrote to memory of 4148	6036	batexe.exe	90
PID 6036 wrote to memory of 4148	6036	batexe.exe	90
PID 6036 wrote to memory of 4148	6036	batexe.exe	90
PID 4148 wrote to memory of 2404	4148	b2e.exe	91
PID 4148 wrote to memory of 2404	4148	b2e.exe	91
PID 4148 wrote to memory of 2404	4148	b2e.exe	91
PID 2404 wrote to memory of 5624	2404	cmd.exe	94
PID 2404 wrote to memory of 5624	2404	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:6036
- C:\Users\Admin\AppData\Local\Temp\8750.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8750.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8750.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B96.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8750.tmp\b2e.exe

Filesize
6.0MB

MD5
fcdb5801632a282545c79b399d790baa

SHA1
129bf32d14718fd53436699bcdfd900cb5648ea9

SHA256
896db79925e012b990482c3bc33f62c1cf183257a7194fa775514dbe12878794

SHA512
64b9e61be46de5e3a4c3ef37e8e4ee6e5c9dda53a7b720df5bd5f7d331bac0ca5af87bbee41a225e963dc01c8d563d0ac55333ca5e6908f03ff8d77396074707

Download Submit
C:\Users\Admin\AppData\Local\Temp\8750.tmp\b2e.exe

Filesize
6.8MB

MD5
b49798d339820278682e18694551ed5a

SHA1
7892b497fd23a511c73e3fecb623d308ea2500a7

SHA256
9988b4f9caf0f85e5728599f3e5dd954ca2cb1cba2b505d794c2194d67c33950

SHA512
7896cf36e9ccc2696577b639723b15b09c3932454525a24113181cccd121b1c07d709f10529efa21ac3c04823ed064568a9625ddc2c8fbd027648f6b74c1f1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\8750.tmp\b2e.exe

Filesize
5.6MB

MD5
70942e171bd93c94dd3bf34c93743ec4

SHA1
39c53e0aa0da3e477fe57c9579a61ee48beaabdf

SHA256
ad953f80e56a69927349022bc28265df44e47d4cb5da8c834222b6a41339d319

SHA512
ebf29bf11bfa2415206ed8bc4ba27d2bb567a7f8a9a1bdec341d3218b9cb491cdae079eb36810cbd62f042ce82dbff27f4d08db7c8e9b63a647769d2ceb88fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B96.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
679KB

MD5
7efb310b916d7ff736182770bd02235f

SHA1
9d4251fcf4cd50797d9ce2584e61664648116cb0

SHA256
8be5e3a8bdcaf4c25791343e196e2a6bf4dc5426dbd1ac7968fc2099b4738adc

SHA512
e50fb33d15296f32a36f2a30dd85bf82011c5b2fa5d7463f7f3d2414d161858e0a75fb04e56cf467801b68e6e1b7db3ded33c97b9b574576b0afcea522d34b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
4503368c6e7adf2f0425d0309fd6e145

SHA1
12df80b890f4e16419a6ccac3c79b759117cc782

SHA256
bc436a528ce5d7ac0ad870b56714879ef7af4f002798f0b92c84a13df9fda36c

SHA512
00dbd5fa46ada3bc074ad9e2c638c7b22ea822f5dbb33cb229fa2f8a483f5ce5bd89ec62149602ff1eec0e624c5f129ec14f6384ac18c13aa53e66424931c0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
634KB

MD5
43f9391badfe537a0b487edfe70b0425

SHA1
741243c8784709b84bab9f2794540bf04af87fa6

SHA256
b7550d00abebd13bfd1a3e71c64a711bee0c34730af55d0963dfa9378eadbb57

SHA512
3e63bcce6ac6f9f8ccb6b3b5ef31a21ad7d8d81a98e917892a2b6db9fa9df258f9cbdd42b0e80e860294dce91275e970e05e05c7ad81a751236488bd7268367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
747KB

MD5
cf5045acdb84e181120ad702be00d0a8

SHA1
4194f5090ba99c2bde21be2dc85f37085ee3b68f

SHA256
5097110bd58db6c5d32616f1568c5bc808ff8c61cbc6016a810a7f90a950bf13

SHA512
261f5904d0a1d65cf3cf4f0651dc4c93173a48a1f4fc3e48cd7f1e150dcf08c7bb12b2d8f4771c191bdf07839d52d027251135cca0adf1563281e81c87068592

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
835KB

MD5
2a95bf78289aba3b2da8ee0fc0defb1f

SHA1
893741daf22953a722fc6fc2619a442a90320a2a

SHA256
8b2f8033ac30457342da4cb874b7a5bcac35b67778d8088dc5b208181b240fc5

SHA512
69ba4a1a0808760beb4ac6a90e623bfcecce20cbb457feb0b53423d0c38b4f4dfc6bb7e427e1c563fc22dea34478488969a3880b8c8147754c03cd1b5fc00c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
768KB

MD5
fe316f2b417e142dffa0e03efb65e1a4

SHA1
907805b2c3bc0a0791086cb5fc8e3a950bc78e6d

SHA256
aca06866767d9e0bbe1e9bef7efce1152d34243e1acefc5f7ac4f6a245456671

SHA512
8ebfa0700b00c4064d1ded11fc1b4001f01238ee0c4cf88a873e0ccf38c30a574d600649bfdef85f2e3aec5c279a43680f7a66604bc6f27bbda0219e3786774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
896KB

MD5
4ece07a08273d0d0db84220926c3d32f

SHA1
d90712e2e643311a963676e87f6afad0c421d895

SHA256
d82c02350e5ca5ebe35d4349a16c3c9986aaecd8be71c05a00b1af09039a4cf3

SHA512
fa010b4c3c0e6d38bb281b4541c0e8b124e05d2feaa6dc11cb6e9c1d85145d5885a5cd61c1bca283f2d9f30295b197343311306acc9d5393aef64793067cdcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
636KB

MD5
cf94335b480114911b8f13d819b22d66

SHA1
75753378857eaa52660879a36ffc05b98fa4e351

SHA256
395bfa7a5bbab82ed9fc30c7dfe713b3e59c196cd71471acaca2fb7f5082b864

SHA512
40b244b4df08d56a4844414a4015696d09894d60041d6a3a61805da9c8fdf68f46f4f4ca60555db2ce061808e782361bef51fa79b5267f01d352c90d859ac003

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
601KB

MD5
0c4234261ef8017e43ee6e0e40fbdb14

SHA1
b8391cff6a9c765ba92f2fe130707240fb1c3133

SHA256
703284b4a9e77e014e447d40f9502e5fd41792e61a90cdaeed8b80bb7843d254

SHA512
8d0f5e8798b449e260fee12268206c8ef1403169e837e83c66cb77cab85269c424e846570c77115924151bd5866544670d64c4dd31588cddc9d69463a2e94576

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
574KB

MD5
2d27ceb0908b097aa7d3dc5311eef9ca

SHA1
d5178222fde33597065ef5304c14154724caeece

SHA256
7b99d59933752e14673a2f7d12d47dcbf3d9f31c03e06168a1541ee4d9730657

SHA512
aa6c49035213ca507c0dc481a21bdea5a9d9683f9afbe1d86468fc456d4a4bb78f733731ea3d288ab03128e4cd3b6b4fc3d47a02232d14dcbd6e246db3be7056

Download Submit
memory/4148-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4148-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5624-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5624-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-46-0x000000005DD80000-0x000000005DE18000-memory.dmp

Filesize
608KB

Download
memory/5624-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5624-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/5624-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/6036-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download