73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2372	b2e.exe
3464	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe
3464	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1780-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2372	1780	batexe.exe	93
PID 1780 wrote to memory of 2372	1780	batexe.exe	93
PID 1780 wrote to memory of 2372	1780	batexe.exe	93
PID 2372 wrote to memory of 4184	2372	b2e.exe	94
PID 2372 wrote to memory of 4184	2372	b2e.exe	94
PID 2372 wrote to memory of 4184	2372	b2e.exe	94
PID 4184 wrote to memory of 3464	4184	cmd.exe	97
PID 4184 wrote to memory of 3464	4184	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\47B2.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\47B2.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\47B2.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55CC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47B2.tmp\b2e.exe

Filesize
2.6MB

MD5
d7d72ef10ba72c7e7c6f263f7d9ce629

SHA1
21950e852e6f4e1e1d760d751dd808f5ef9b609b

SHA256
6665f37af6051bedd9577a127a7482879f753499d6b1621141eda93a9ffb401b

SHA512
251101262cc1c34e8c052a4ab17918b73b3e94cb8ef52ea48782f8b513a1424fec6a04b1e9b536c614391bce0857995b2f62e2634b9556510ffc61246603a03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\47B2.tmp\b2e.exe

Filesize
3.9MB

MD5
038470bbec2a106417f55437faf2171e

SHA1
7a5fe0220ba2e0b90a00e4df48e06ecef8db9c3c

SHA256
fae180dff298cb72d4def0bb61db6e5440a9af6f21eb630c8a0edb29f30458e4

SHA512
49ae2740dc57efe84465288f78fb63197715dd37c0e0d6d8b53e0189b47951f8b83fcbc23bbcc3c39567625dc1695cf6d3454178c9536d664e35012ce8ce0af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\47B2.tmp\b2e.exe

Filesize
3.0MB

MD5
6e600692db25c5f542811c6c33e266b4

SHA1
aa7286015755ef89b3fe4668ae102558018a564c

SHA256
b738712847fa60e8fc1651a7a441e046fef7d77b206deb82aea82580ec4fb98f

SHA512
76f0fe70593e1c1bcfe43b20dc248f00cae70c4565cccb0abec6d694afebfda78fefb5ea9404191ba18de68b3e2ae9bbf80811a9b1bfb34b4deb4c72b90c6c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\55CC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1001KB

MD5
ff3cdc7874d07e0404200d1eb171f21b

SHA1
a8e50d52c370c8c781c98c38fbb409a7bf0484e4

SHA256
1722076c5c1ac1e08e736e6f5dffeeeefb799ee7a72cb7f40df11633f9803e6a

SHA512
6023f3717f974aa34340325b37bf3d8b0e045d7888e26edf0797f2745a72d6e8ae34152f4acadc71ea57c01f1a587f0f5ef61ebcbed56295c042cda5feb6c129

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
965KB

MD5
755af4ec38f6d306714424737152daf1

SHA1
fd19504bf074163bdebd086a41c30cd2185d92af

SHA256
dee2dda8ea2a9259c836fc390da3b51d06665bf8cbd25637ffa1576dcef1bb42

SHA512
075d13a8faa00589b638c1cce3f9899d5e2c8e20f56a1c4f0a5c76e62e6d555b92781c31dceacb2f991576751336fbfb4247218e027835da33e8ba15fe85ffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
683KB

MD5
e5d079f952f46da8dd5127e5076e808c

SHA1
c16b732f0ffae3588f6afdb095166387cababe84

SHA256
808c8a810c00b3bf7763dd6dd272b5e36ba6fd29e65ffaf7b265d4df636048b8

SHA512
914ec09c1cb306c3b31bc1a771cb8e96f1e67831d0e032418d5977b7f9d5fd742c7aa9085a552a9040902719968fbcb1a4ebf9c59d12636e4cce82f12c424ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
586KB

MD5
09e6b2986332d935cdb6f8fb302278d5

SHA1
2da9c25c161c8f9ab3937692b50fb4e0c835d524

SHA256
70b2bbfedb49bbe4e71f960ca8e1ce78314f95e9d46df0087a998202e8ef83da

SHA512
8a1558b67c36fdbd15751b68b5b93f84f30613700b6979f40b632f4a75be754a702090ae9c052e1bb7dedf6b7051b2b862f6f0c0c0ec2df372ff4ecb6a8109d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
914KB

MD5
e441e507457b12a56fba0471f6528b25

SHA1
7b0b17ec185e13429c25520eee69f3566dd8a09b

SHA256
0d8a335e74583d9c2c770ba9a125f413eafaf330f06bad7cc8acb8ffa3be9c43

SHA512
76d3f10688d171bb682333f8b8e65ca306e6c1591c9eba2ddf1952f3ce0a203a30742afa07c72abc1659009d24504cdfdd52366432ccfbf1124c24422358db4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
656KB

MD5
a08a237a5aaccb1ebadba225ae9230c4

SHA1
1fc0e2755a2dadfddbcaee7839eac0a506ba85d3

SHA256
fe8363c8ab207718d4dc7594bfea674e0d6b4d9608135b2527e159662686d73a

SHA512
69839453e7b192d4582f68055ef09796cb1567edec7f442f339b5a7aa2d5b22171171aa35bfdbc8a63a896249eb23a71e34a7afd34a14724f542945a021679e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
567KB

MD5
80e143b6ede1c080cf8253be545dbad5

SHA1
2e8f9784062037d62c6264f380fe3d0a44427393

SHA256
3129cf0684f7ffded4bec63b67de307961841588b80a8d1eac90cfcdc4940ec3

SHA512
08644725383e5ca0eedfb01d2858abccdf35e72e64091b04a84c26de3bb7c89ca2260bd7d986be24067a0fd5a42c75c5cf2e07bdc8ed9c24f23ffbb5b049fd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
487KB

MD5
4f93b7cfbcb5827b60b7bcda208d5216

SHA1
ece8bd02febbdc4ff2444d33c4b40670a577139b

SHA256
91a11aceee3ec22b58d0b3c59e4e53d6b7ded2e88518bc9f695ff3ad39111cb3

SHA512
83e270ab98557f6b95768b015ac6adba0bb880d4af42618bb00d372deaca021e95cb1c87bde6847d2cc4a26be52babb7c3c6d0a57b514e06fe163ce2066607ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
141KB

MD5
bd1a0df9810851024f594ec491697c50

SHA1
954edc9810d3c3835194be0f06cc28cb8736dccb

SHA256
d323b92fc3e78c7c51e28884287655e8e9b978ba86b495a256dd84790db5bfbc

SHA512
e73847a9b4a1f2e74d17840fed4e51b6ca8792e8d77144ee50602bcacfe898b8647a0b21346d091f955359e0ab4e193d2e107fb1fd57161ecdb65cb7a5287b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
178KB

MD5
2307d831effa099ff4082191cab38ce3

SHA1
62543cb3337c6da21b925088977a558fc0b6b994

SHA256
a6419459461798ba4fdffc0ab6c94b2e00e2393cbc32e4a4a0e43fa6e01c3060

SHA512
dafd3cfea238e7a87c5249ec0000093f8146b389c74e595eefd8f2d30c81db1657afe95d875bc19fba1dd665090d5db86d99af21d74ac740f8fb914ac5e805a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
160KB

MD5
c83927f29c70d139e7625e7fddcc8d92

SHA1
6ef43d79b1ed144da7579f5176a381ca642908c7

SHA256
a3259137cd4caa92e72f12c82dbff9705db1b569cf0b6fab1f5e588ac9ba952b

SHA512
9713e8425ee025d86b616fb2042c9d841f8768537f85cb82424013cbafac338dfb4b7646adaf645980b1f7b619e3750064f00919e4c74ece522c71899f492beb

Download Submit
memory/1780-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2372-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2372-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3464-46-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/3464-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3464-47-0x0000000000EC0000-0x0000000002775000-memory.dmp

Filesize
24.7MB

Download
memory/3464-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3464-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3464-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download