73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	b2e.exe
2176	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2176	cpuminer-sse2.exe
2176	cpuminer-sse2.exe
2176	cpuminer-sse2.exe
2176	cpuminer-sse2.exe
2176	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3824-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 2196	3824	batexe.exe	92
PID 3824 wrote to memory of 2196	3824	batexe.exe	92
PID 3824 wrote to memory of 2196	3824	batexe.exe	92
PID 2196 wrote to memory of 4144	2196	b2e.exe	93
PID 2196 wrote to memory of 4144	2196	b2e.exe	93
PID 2196 wrote to memory of 4144	2196	b2e.exe	93
PID 4144 wrote to memory of 2176	4144	cmd.exe	96
PID 4144 wrote to memory of 2176	4144	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\534B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe

Filesize
8.4MB

MD5
adcc8d169b8ae590914ab6d9c7290cd2

SHA1
2398449b48987af603fc7d6115970c48d3166868

SHA256
6ae6a35f1aa496e307ea69b04430126d98f13a5c10d8127114626ba0d94d020b

SHA512
fe6af6c3c0aac5f0b7a1cc04dbcb9825d8b29e85946df1e4ce746bd2cea074c62b2edb1cf05b12560c8b4e31a14618183c39c6b2d312c886980f24d83f6890b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe

Filesize
3.1MB

MD5
795001795b0611a860edeb34790c6eed

SHA1
d4549dad378d0a642f4290a19b7dbe7e4e3ee0bd

SHA256
f5a8c09a31727b77d63520fee55b7c78c3fdb3e9ad4d98591ff2462cfc348b4b

SHA512
e110e4df3ed10dfddf4d3b5db92a8102be541106396164771b4c591a4d9f96d19dbd37fa35a13da296c15ce3286023694c85beb04b357f3fc7f3913ad6f49b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe

Filesize
3.8MB

MD5
bec4ba1595b4df62f3a4aa9e85c2d7c9

SHA1
e5dba611a167d9d028e7b5c960bf2d5836e1248e

SHA256
0f1cab0b73a31457335d8c80173f741711dd9c07f469b606ac2cac7a9d3fee03

SHA512
114c3b384b054b78afd72529373a71657aa82cd47c892271fa0b9c934e2c3da3bc45ed845ce15fcc37a869c02d9116827b4424489aef780fbdbd7104f2985754

Download Submit
C:\Users\Admin\AppData\Local\Temp\534B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
611KB

MD5
c66b5d72cc08e07eeb49860422b01d7f

SHA1
be6b1d489aa624adf0758c0348408587a5f5e3f8

SHA256
37a4a4e151ce5bd532aa686fd2615ac1ee2ea2c7661357be022c2ffb28818267

SHA512
5dee0ad627286d329b1af13a943951eae79d339cd0d96e7e30c73730aeb0ad44d60f3ece08be6087a5fab9b6dc01e7cda0ee7877a069149cddb8fc3b7a2667bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
937KB

MD5
1717afd49f784847754e7aa3b5140bb3

SHA1
65e51042623bd1a220a98a8556cb51954c48fbe3

SHA256
ff5167b54009e8209464601bc81589f770c0c37f0636e142678cf91abe1f867b

SHA512
b6ccdfb03ec6faff2ba9c4b5ef257070a9bab9264abe5807af31a37d1d787edd38755ecd3e83c674f0dc3470f849c192320cb7c8a9d02b0e4c6d3e1074aba764

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
247KB

MD5
a6f52a915c1ce2033bf2d7efac2584cd

SHA1
8702072792e3e9d990b527cf0993eaa443e988bc

SHA256
f5a150f3c7af5254477a328e3028d222cd2d65e93bd1d31ca0fc77d77f63051f

SHA512
3890f5edf1ec66c0bdd94ed7cbef7fc7549ce47531f23ed4866bd6e260bd933da31f5f0ebbda7418d45db0da0ac8b8782af4cfdb2c2857c5901a1480edd730e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
391KB

MD5
16264c3cd2be2c0c3f8734c5e7a3cd51

SHA1
69aed59cebdcc9ce0cd37cbee35326cfa0f381d8

SHA256
c92b5e54cfac9ca1dbd5d29c1abc2e05c4d0dec28f28330d0a07f37c8e8401a5

SHA512
52f321a5a850e0a3a571d39f4e8c85ca4c95f35f5cb0c3b37cb64080d76bc33496b90dbb7a88909bae2234e7591622c8412540261be44c89b23e3298782d5f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
b3b5e7f1e25221ea29ef574e76ed5576

SHA1
8c3748505e7e3a50bf81b8f3e75d3bf740a0a6cf

SHA256
d77fb8b68ae7bff489148d309f382dc368f781f35e6d653dd5501aa6084100e9

SHA512
7e007849d1cc5a4138e7eb64d8ee15466ede7f33cb4b4f1502804edb3aebe3c3bbf1e10a4e16a2f52e89138924660a6b05d24b19ce2dfee8e1b7f6ce4c04071c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
447KB

MD5
66108987b9e7cb17359f33fefcc81f23

SHA1
911e8ca9a60467f966096198f390e317abf43eed

SHA256
b43deef14cbdab9bcfc31ee6a8ddb4ee257a599cda471a64eb33f333da82dbd8

SHA512
91fa93068ec60125aca3d6028f674b2f2f38a8cccec87c465e4ae15adc54e5c445d2e09ebe0850348cc46c0ed69208a7d9d853d47f268c25917bdd76b75affcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
497KB

MD5
827daca97d048adb553a7284da7e4790

SHA1
ec0a079bfe93e321916212ee82736ea89f94113b

SHA256
07f2a08e437dfa5e3f0de17d6770fdb0491a87ef8454c9ef87fa008820623be2

SHA512
b4e83ed7bb3b101d5094de4e6f67d3baad6bc1d17e6747eefd2f7af589cd38b950a1f9065109720c6865a1cf813f5b04ad7c975e591cd5b04fe31f14289f821e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
137KB

MD5
3daa2716c3f54c6156e21b163f513682

SHA1
ff4bd4059e3611229a3a7e8ba5e76911f42287ed

SHA256
644590fcb51f26fa708b2c2a2c157521102a2007d06d5ee2fb7fecf3d181e28b

SHA512
3701f59d8cdabb4cc36f6ed5bd29d2d59109278e57c2df0d7085300fddc91d93d01ca36ecbcbb47616d54eed0e23b537de762876883506a17565a7543fa618ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
181KB

MD5
c407137f7cb1b2a5732ea01d1487cf4d

SHA1
f4e21a41190672560b5b8c251d19bf95aaf4dd96

SHA256
dd8fe88238ac862e8ff3b4ad0b4815815067f4e9db034ad3d74b968ee3c0269a

SHA512
8c5e7a155df0ec865b99ca765118eebd00701fbb28c08912ca06a5f4c67137753e0fa20d472aba52e4dbdf7a7f93ec242accfb9d0a3556621f922b029aa3a225

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
358KB

MD5
c11a055a5c502917fc66345e2befadd5

SHA1
3c66a85f10dd3caf7f5b971f6e928bdfda5f603b

SHA256
e2bfcde149563ef0d811e7e732782696289782102e8b5fef4781d3bb55762463

SHA512
413e77096dd9970a8a2b2d264ece4108af3e6c75b3cf7ea2795d62a8e86f41399d3a0426f3d2cce8818795e90883e5a42e2220f26c503cb547162688e6389f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
410KB

MD5
08ac671037a3a476b1a7276e8573f3ce

SHA1
7e4c78c340c655f53389276fc4c120420477c0d6

SHA256
35685d70195e2b745228ca32a118398e5b08b019c3bbb49da5a52d38be9ed8c3

SHA512
c086b9d2c6784dd10f633ec51b2a53d1f25b76d9078d7996ceb1fcb98e8664deb3bb93b73438762636d5734885dee945a4349bb7ed4a2b84227d948d2565de07

Download Submit
memory/2176-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2176-45-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/2176-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2176-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/2176-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2176-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2196-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2196-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3824-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download