73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4252	b2e.exe
2240	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2240	cpuminer-sse2.exe
2240	cpuminer-sse2.exe
2240	cpuminer-sse2.exe
2240	cpuminer-sse2.exe
2240	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4208-5-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4252	4208	batexe.exe	92
PID 4208 wrote to memory of 4252	4208	batexe.exe	92
PID 4208 wrote to memory of 4252	4208	batexe.exe	92
PID 4252 wrote to memory of 2448	4252	b2e.exe	93
PID 4252 wrote to memory of 2448	4252	b2e.exe	93
PID 4252 wrote to memory of 2448	4252	b2e.exe	93
PID 2448 wrote to memory of 2240	2448	cmd.exe	96
PID 2448 wrote to memory of 2240	2448	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\4820.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4820.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4820.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63B6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4820.tmp\b2e.exe

Filesize
880KB

MD5
56c36682efba1c933ba7ebf1cdba1faf

SHA1
c8ef8f702624f356e0c2c366b9e2f2b6220ab784

SHA256
be0a07d3a028bc39713ca0f3d37d21190576a4589091c2e07702039a89cf9a0a

SHA512
c20278733459e9ad55838fc26ac9937e1914e63bab09bc2466abdee39ca1b106ab32e06f1485b9302e4a6a7dc5521fda35a79240fe8ce82060f2ae24f5e4bc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\4820.tmp\b2e.exe

Filesize
520KB

MD5
8139ad2de51507cb34eba21738ac7eb4

SHA1
bcb1ca30e2edb790f4d9032b83696bd7e2c8ea1a

SHA256
b59dc068cd85582287f3c5155a60a2af7f6dc8f5eb5a38a1034f41baf8fa94da

SHA512
85686c6f5ef7fa479d78d4f9f2e38b72c8070937a73bd0e052e31013133cc98aa71428622b123d09621eb8953be91c173418baafa1a8febea776b961f2f27a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4820.tmp\b2e.exe

Filesize
587KB

MD5
6a74797ee51d66164460ef1bdf34f6c1

SHA1
ad8baba713b922d7399cd9f52a5454a9c9e5afc0

SHA256
97570636b7cc77e0c9ec531399149a155774e3231976ada7c84a4a90fc69d02d

SHA512
d616b504d3dfa0d4c3df6f43d42e68eb1bd37bbef57d82eb1ede89dd9b2daac2845c18b1c75c140ece9c81fd55094d3314412de230609793c88a4874eee0d3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\63B6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
648KB

MD5
28524ce55384ef25ed477a58c09939e2

SHA1
02763207dde3ecc271a2d4ecd7dc19c725689163

SHA256
d9ba5f3472abe4c97d65bc56183c11f6625aac6710a60e927ad6a705f895ef1a

SHA512
b92456cee5127066baa7a06700deeabb5b19bdaa3b5898aa80165f5b8300be512112b441bac824b742feaeee6c4ced8ce0e7633a5f1e0fcbe70645b80f8c228b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
415KB

MD5
ea14fd2637baaf5a7309ee869255b281

SHA1
62c806595bc376a79f43b669cb76a33629426b43

SHA256
d9d1cb49edc5c6156cd49674fddad14a0a0e85915b6b8f306bbb74bd0435706e

SHA512
1d60d3c36eed61219fa8fb6577a1f81563d01f54c6eff0c5645bb1296a97c3719dbac7586e17caa89dc2941e99aa35ea4d28185e9ab90bcfa56303227d79fdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
449KB

MD5
33b6d89c7637cdb79e5430a5fa4e7aad

SHA1
c96cd96396d8ded1843af7c7754ba23c99062dd3

SHA256
ab2f0b80835be1c1d83baeedf24f6eb66479e2d3ed6232fba413157b45650966

SHA512
7cbbe04c4b4fb948fb689d79dae827c468a2f46b5e7f94e5660dad3f3eb14b1e1efd9cda7054dded8984eda1bcff73132380a21cd5b07c6ddb5e366015dc83b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
449KB

MD5
ccb73ce620b35e5f506bff38d51e32e9

SHA1
b63b00ab6c1a85485229c647e4e2d7aa5ffd1b99

SHA256
60e20846b0eaf4a1495be30918115cf2c27b49b3ad6e5d28b669fec7311991cc

SHA512
98c3854c03c3af5e8236c5cec964a5f2cb07526fd93d435f1c7d7d7c20e08fe6c3f7a3edd04f8f6b0aa693993434edd40b52c3b466f5d84c193588e63dbe9740

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
644KB

MD5
9f91f834c87053aa863fe401c59baa11

SHA1
fc251e762766a431e82cb1b31bbb73162afdc7ed

SHA256
ac83b367c7a06694995100c680e2b6c1c71b0b43121f71dc8280742d7869e3af

SHA512
19f7039979357e192e2d45bbd2acf811a5aff383c1db0d85ff2b24ff16ca27ed51b560c9c97208be5edb7072c5ba05f27fbe041031730a90bedfba4a4305f404

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
650KB

MD5
f9d02d11d1f200eee73b928a460ca057

SHA1
e8182886f0dd07f1cb7f2d843c004e2c33dab3c9

SHA256
c9112bcb7943fcfedfaa4bcfca50a3e7c96bd4ff9d2f4f84bf61de28b34ee906

SHA512
0c2988bbfc5f259d749426a70f568ad5f88ed08e58ce6fddfe42b26037ca4aab8321684ad410d013fb4fe950d7ebf08a5071721a81fe210ab16d4974e558bf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
307KB

MD5
6d8b84caed493af9eb11b74f0d80ea49

SHA1
b8a3f739f9d72eb9f4ec1499473093cb527adfea

SHA256
aa5d56093e9ec9a40f053eb56c839b9df21eba5ed0ba1ac7c13fe1bc5451ef6f

SHA512
6e43cdb4beadf2cf22ee6cc8dd5f530436e60c8d54812de52c0a92e9d1982cd8c2a9afcf434f9f4c1c1cd56fb8ee6e5f131d5074fd3ac90958ca601b3dd298d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
260KB

MD5
fb1428c21fd29538d25354350b867206

SHA1
411d4788273e9105f9083ce8ec78a168103f0ace

SHA256
8baa55fe661079aeca625c2810e081b2306ed9979d99992d5cc9d19c521f7deb

SHA512
d885e30c0353c5a5cab64ee12cde7fbd08e87265febd204a0b1f9dd3b249f5c3942a63cb89f5f3cc8e2888f6144a60917c7715252933b512bb008b52b4930f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
442KB

MD5
dec3f0245cf5886e43cbd573d27c0159

SHA1
32301b5ec808b76431ea31b702a4156bbbbbc5cb

SHA256
f670b19f9ce2f9e1c4d3b0146cff6ebccff69083e2c81bd2cd136c5e7ed4b9c5

SHA512
c46b111e1da45b10b8bcec405d72170ae6f40eb2b2d71015638890dff87b8ff525896b2946c78cbd95280e17e8d62b1b129e3b9b33b819e9657ac26800897835

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
510KB

MD5
6bc48e4a461775bc818373233e15a11a

SHA1
c3391b13f093c7a571c725bbf79aaa1c4d7c5641

SHA256
79bc9026fdcbfa073870899f7ecc19ecd3112114e0cd92db58e4b2c22f31f3f3

SHA512
ebbd658599fa73d2cb0ab88c10395696536c6ee315389b79668b38048e35425d2b721812714ed14b6fded132f37e6dc3541aab52dc59929b0f5afbde1c2c269a

Download Submit
memory/2240-47-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/2240-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2240-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2240-46-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2240-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2240-48-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/2240-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2240-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2240-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2240-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2240-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-5-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4252-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4252-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download