73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
952	b2e.exe
3464	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1832-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 952	1832	batexe.exe	92
PID 1832 wrote to memory of 952	1832	batexe.exe	92
PID 1832 wrote to memory of 952	1832	batexe.exe	92
PID 952 wrote to memory of 4004	952	b2e.exe	93
PID 952 wrote to memory of 4004	952	b2e.exe	93
PID 952 wrote to memory of 4004	952	b2e.exe	93
PID 4004 wrote to memory of 3464	4004	cmd.exe	96
PID 4004 wrote to memory of 3464	4004	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\459F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\459F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\459F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\51C5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\459F.tmp\b2e.exe

Filesize
9.5MB

MD5
f013d1481f3daca0d30bea71b3e54ee9

SHA1
afc0f31f4c314b4f43c3faef7a598bd22fd3c6d6

SHA256
2ed90af424346a8e1efe13b8a1ad60657211d12e833607c9ffa78820e2188c6b

SHA512
b8e5957697d52f963ec32078151ba705b4d7ef9163681c5f1d9ad14f14a8de41d87fd09bd6851ed9c16ee86f3bed2a7b491b033f35d5d6393069d167958801d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\459F.tmp\b2e.exe

Filesize
2.2MB

MD5
04752bd7778d9f012c094731e7b327ef

SHA1
da22456226e6058ed1b58c9b4d846be1406e18f6

SHA256
fe851bd614712a288221bef7f691b1421364e4aa8f2d3d5b6393c79cfa152a12

SHA512
7d9a18722e4b83ce8868ca724ae3608874f4748f82244b47ed6ad55dbf7aa6f99a5c103875416d75b52cbcd3751a202289a0b4009dc93c12335e8fe11a1d91c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\459F.tmp\b2e.exe

Filesize
2.1MB

MD5
099e18cf84312ee05add20eaed01b2c0

SHA1
3aedb8f0362d50274ec7bf1e79bbd3923b47cc13

SHA256
8856beb3ce39073034ad1cd1b72251224cbe3b2861af9086947470096666312c

SHA512
70c26948eecb460a2c035d8bec9f100588244a0c621fe26c13826bef00464051b54e200abfd73cb07bbe76c6c807317dc90b4974a739be718e37aa2621c134ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\51C5.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1008KB

MD5
52d5bb30fc0b7061082dc64588fa2284

SHA1
b63450223b5d25e07e048d1e8d04465ea3a64348

SHA256
25510addbc1d2bb777c994bf06de708bb7dbafc57bc3658aec94cca955f27cab

SHA512
3785b69572dc42cbea9931569ce35c5a0b9022f66a75e3a03ce15b0fb40749abe3cc99a94f24eeedcd893fd5b8a8b633b7a4f02e1aab9a33f842fd0bbb7dbb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
544KB

MD5
fda287193facfdf3ea195f8de111c1b1

SHA1
5c048d21c06ef24cdf118c49d290cab80bbd9cdc

SHA256
5140fbdf6937926901db8df15f236972b5dc666eab7d94a782218d693e8ac52b

SHA512
e4791611f599a7d57cf02407d2e198aabf138c7b3862e9db95def61b28c43173ed497cfe99ea0ce51fbf7c29311baa2857bec2c96d43e4fdba7b3080c1762e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
672KB

MD5
28a7f69d1db9a566068293b842ae972a

SHA1
6747eb653e68a380111e4f8403255245ace6ee42

SHA256
8785ba1ab33a8cbc193fd18ef09212e90c12e57fa5fdf958d4f54773dd6fa101

SHA512
b6c7f913e8cf45676b6386d71bfe1c7b348534d1e909d6a9be3d8f88b55b411273bdce056e22c1dd20fb60b1904b928df54333e5ddce24da7dd943436991055d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
529KB

MD5
7a16e0ae419e66bbf4f0f0a110369ce6

SHA1
f75a72ef7491ea3da77b5e94d9472ead8de70a05

SHA256
73f61eae61dfb76e4ff2b33bc7e6613f27d6d0bb4c10e578b304a20c8614fa35

SHA512
14f1305ec7e4d6a950038fdeb969c6dcbe7c87d8938172e71e60feafc900cf52aeed24d07d9722a1ae86510678d9268108a86aecb7c35b8ff13c741ea783b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
687KB

MD5
5a16692ad6ca21f9d35a81bb4870f765

SHA1
dd01891bda63cbafbef002922b64494fe171b03c

SHA256
a4912bb21bfb3ddcefbded2fc16a6d9e5e0aeb27cced6ed158d4953d4930e86a

SHA512
9fbbdd5137a38de6838052eed6fff00ad14552415812ba59a6c3b0e979d934f0b5fc8c125e1ca85f6a0e109e34f260f748bf16a8502219e5fd8319cbca4961c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
569KB

MD5
48d0db3981c07711b68c33793fffb3d7

SHA1
19c0775ef2d158b92244f333c4586211392c655e

SHA256
834ba6ae114f52668577e9045d09beac2dc6daf71355d62d416f21d84c68c16d

SHA512
bff3a3144347113f28316edb8dc771203ab170e99ac5832a0a36a8c149db26db260a4ad948f2e02b8c6d88a4c05c0de88585a4dd56425d312d29070f44e59a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
704KB

MD5
ceb1ee23d68e973e400b41e7324c71b6

SHA1
0ad5540864cf9bcbf52870ba72566625ca54e67a

SHA256
66f2f5bd30986e28a4c43ed44264cc56f63bd7a3ecd6aeb5845ac7bcd724aeee

SHA512
51ce4a101517339cb1f5c23fc953dde73f871cec2bde8ea5c9fad9376366d7b8aadaa8668ef2f7bf9d873e8817345e4e337a7a94c42c3ddf6a168377af060e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
546KB

MD5
de93507798461571035c95d317c83e2c

SHA1
4443fadabec69e99d43e37380b6d29717ec5163f

SHA256
34da17917eddc890616f89c3caf57969aa70968fb938aae9f6e8071fb709335c

SHA512
dfd13d445d4a525879edd388dff25545f71b504ca8e34b4cb1c5b3c296324549e7f7f6bab4f063a40e64dba99671eb8f0645ad028f9c346237c6f5e1f9b6b433

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
467KB

MD5
c98c84aa0d2465df1155df657a748a99

SHA1
28965ca42f873cac9e566770e341b010afc9b9b2

SHA256
503671eec749e6376ae89f0d37cbae299db8620bb0a9160c388857f3ffa20a07

SHA512
d300b4c681d2910e412881a3a642254149fce6fb3047c7a42dc50284def7aef20c5d0b68c0a7695137318af9979f27d20e64ba9724cef02016e7ea4d5636998f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
2caab2ad7ccd18421c96ea2ef5b9e602

SHA1
a629673c12e88ef88f30cbe8da12d3afb9a7d42c

SHA256
c16fbf658c970a716b976abe7c5d9f1b1a42dacd55a43b16fec0ecc6b84f0552

SHA512
aa9692584947d7fdbe843e877430ade40c5b4c6e15887005a292065d6f8e1303abc8dfc2bf50c01fb032bdfeca5bb2aa9312ba44d7ba4e2d3529d07bfd008969

Download Submit
memory/952-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/952-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1832-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3464-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3464-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-46-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/3464-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/3464-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3464-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download