73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1464	b2e.exe
4056	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4056	cpuminer-sse2.exe
4056	cpuminer-sse2.exe
4056	cpuminer-sse2.exe
4056	cpuminer-sse2.exe
4056	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1136-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1464	1136	batexe.exe	89
PID 1136 wrote to memory of 1464	1136	batexe.exe	89
PID 1136 wrote to memory of 1464	1136	batexe.exe	89
PID 1464 wrote to memory of 1576	1464	b2e.exe	90
PID 1464 wrote to memory of 1576	1464	b2e.exe	90
PID 1464 wrote to memory of 1576	1464	b2e.exe	90
PID 1576 wrote to memory of 4056	1576	cmd.exe	93
PID 1576 wrote to memory of 4056	1576	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\50DF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\50DF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\50DF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\542B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50DF.tmp\b2e.exe

Filesize
13.2MB

MD5
67c162c6c3cb59b0046b5c234bea76da

SHA1
27d5084b95f2abc1df7ea4db22a3ac9b810ec216

SHA256
dd4b02b66540b2e71c699b73540a2fc4dc8b973773bc3d7aab980addbecf4cc7

SHA512
772e8b832366e8bb294367984b058fd22ea154f982726385562cbe7a38f952f8afa0f5f12d52f0dd70394621d53826d76cfc072cac2aa48e6a30d8d4e1430629

Download Submit
C:\Users\Admin\AppData\Local\Temp\50DF.tmp\b2e.exe

Filesize
4.0MB

MD5
61ea0fee94bdec381a28d5a7ef62720f

SHA1
b8688264cb7220151f425b363414d614574561e3

SHA256
166ebfafebd8c644d638123ece63e85a0fc34e6648779cab587d395061939cd9

SHA512
08b2a7ef27097f4e81259e4953c460457769898b78e99045ad33061505c1b53a1b8251a2d2d19ef1b1f3eaad8daa44ae29664f84f812d0aba08c79360b7eb17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\50DF.tmp\b2e.exe

Filesize
5.3MB

MD5
9f0148ac94ae38506bec2db5fdc1ae62

SHA1
e2e47865279b161bd247840f75daffc32feffc57

SHA256
8ff54516586aede2e184ede55282ec2b51e950c8c48f981d12cc740d3ef71e97

SHA512
5cf1e9893652f40cf67b31053941265a31dfebc416a45a451a52452f9948a42645fc05ec9f9738f7533c472e5031f924254f647e2977af65b0654f3db7735828

Download Submit
C:\Users\Admin\AppData\Local\Temp\542B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
401KB

MD5
100878c19764b83b9f36c387e242ab7c

SHA1
cd311f67a6d83fb18819f5ab709347e1c440a527

SHA256
f995bb04db88ca25aae267bd676e217f660281d998aebe0bb7d38e9b8b4dcb80

SHA512
955820e08193b253ff218d88d02b645ee348093f5e1045d1a3cb065a7cc45872c933261112959540c88118996794c0c91801a50785b45e1c81449181436d3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
154KB

MD5
046d787df446a6c1e695b73a6d0f16b4

SHA1
83f4f1170eb132870bd3fd5c2877fa0cbf170108

SHA256
0ca737eece61f22cbc51a4ee13955caf8718b5dde9ddb7b5dd557857736abedb

SHA512
475ec98e1c6884684e9e8ee67ff61d4b0b8ce354e0b83066b977bc39ca5d5aafcad7fbb8b8215a2ea2fbea98900a34706d9328d13e69d805403d68943f64fdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
455KB

MD5
bad75f9e2b4350576b4d485c48c648be

SHA1
d45fbcd6654e8d936afa5f34dd0a2872d0087e41

SHA256
d877976d04436a4095d19588cfe4826bab723b212d67fa153124c3e4336eda28

SHA512
37f44f89dbe4b70272a8d45814c99a39e3d8df23d03652e2fbba70b8b8420715629998ad875461d0be54d2b269908bddd624bd3f320b65f1ee6c24f3d4467583

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
418KB

MD5
126e6e3396ec08d4c96e7ba4bf76e3a6

SHA1
5923d914862716e866d2edfd3ed628e6c5c86005

SHA256
883de759720ff07b1c85c028febcbc17a84fb0d4a5183a4489978decfed0a53c

SHA512
e8a7ee5652e69fb7b7282ca77e876bd72533db7c23436ba1fa12dab7d6040a48b8ce780c06dc23230084cb5e2bc8d63c7eb8800410be5541de839118f854d478

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
159KB

MD5
efd5ed69da079b1b631490f3677a43f9

SHA1
229f68d5caf7a91d5f1559b25f1a0ca3cacdc494

SHA256
ffff15a5b332e3c5d78baabce892ae9bfd7872fa098658c506732d0dc8cc097b

SHA512
e5e7dd07b70013fe0dffe16403b56a1e4bd7cb9af59a0060aa088a1c974307a73d33a474f23dedb03f563b70771365f4a472f48280ddeb782c0f435991bf6a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
261KB

MD5
9f58ac59da93dde39689bbd49c087a94

SHA1
734ee16c7d68902a877ed94b0dd7e07695e18184

SHA256
7f4f0c4c324748d1ee22166dee7eb6fcc3dd826ad283516bf972d8c7add6625a

SHA512
59dcdd20a6764f07ba554873b723ab8845ca2e563bbe04ebea93b039d60fb0e89510a50742970a534aafc1700e3e3caecc18202eda3c968323884617341f0846

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.8MB

MD5
79f30eb5167f995681800c2518aa8e37

SHA1
5e121a4568798083193ca5e80a62f4ead41d7518

SHA256
04d1a3417abfce718f42008cc05cf95beacec714ef4d411a4f2b53e34f903897

SHA512
b63b549073b2a420829c26908b87539fc29c86a4bdc2cafd1f8cf8e0af95ae97a26d86d38d1e73aaa0dbbd2440dbbfc4c5865cef7682d00abdee868a24d928d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
122KB

MD5
edff24d97a05d1da9f07aa4292a94859

SHA1
2c5370cb3ef90960bcc7f32f368f76c3a8636fd7

SHA256
43a3ed7762844f0e18c89903133c1ea1c79ae670dcd18d2b0dc32d7f3e55cbc6

SHA512
f2b46516d64d5f4da33061c66dd63a2df35f52eaf7ccfdbb84f5105a09d3eb872176e1992bfb43de25598b67714fd87901f9fd7aafbbf8b24537f456e9475c1b

Download Submit
memory/1136-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1464-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1464-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4056-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4056-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-46-0x0000000051E10000-0x0000000051EA8000-memory.dmp

Filesize
608KB

Download
memory/4056-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/4056-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4056-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4056-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download