73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4716	b2e.exe
3372	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe
3372	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4296-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4716	4296	batexe.exe	83
PID 4296 wrote to memory of 4716	4296	batexe.exe	83
PID 4296 wrote to memory of 4716	4296	batexe.exe	83
PID 4716 wrote to memory of 3316	4716	b2e.exe	84
PID 4716 wrote to memory of 3316	4716	b2e.exe	84
PID 4716 wrote to memory of 3316	4716	b2e.exe	84
PID 3316 wrote to memory of 3372	3316	cmd.exe	87
PID 3316 wrote to memory of 3372	3316	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\72AA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\72AA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\72AA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81ED.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72AA.tmp\b2e.exe

Filesize
6.3MB

MD5
e5831f2b52a3785e895a9138d46cb71f

SHA1
aedb6b77bdf925581cee3f40632c59f700134c25

SHA256
7f7136a77ce3e7ca3b2c8a83c065f9bafd22d9672cc9f65c76adad4ae683336c

SHA512
8220bfe00f3946fcbe2b54174e431c38a1afe82b51b253f1bd8d9ffeb0b4706f177b2db81ff6e7771a77bed9fc29bfe7a512c10344ae453d31aca3202b2598ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\72AA.tmp\b2e.exe

Filesize
1.8MB

MD5
c72fb378931482d5259e830d7780cbc5

SHA1
a989bcbaaeda20f4730241d5f53357f0a0dcee3a

SHA256
c418630b132d7ff599181a2bec3b18585f3b472594213326391a064e07e10bf6

SHA512
9a7c8c8844876ab9f39146ecb67d2ff81068002dcb6987a43a5ba7a43bc51a33d2567341533ec48757d64cf0453acee3f637bb0f3526c8e47b5ccea7c7c1aab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\72AA.tmp\b2e.exe

Filesize
1.4MB

MD5
49a451a3ddda9ec175e9461a46eaffa4

SHA1
874ed21a5024e1a34622d4dee428c6d7e19ff248

SHA256
31f179348d3597a53c7cbb0a4a03a9e405c480f17f7321c8c78d12eef37665da

SHA512
435db99672091253b5ee06b334bc1c0472b585d0c82739908b89af4d25e71f60edf996e688fa65b20961f935e988d4c303a6e8139a0ebd7e53e1d045596bb68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ED.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
895KB

MD5
f4707b252f174c232f0ac6742301c1fa

SHA1
a24aba225d92d097fac8b460fc1799dbfa1b7cff

SHA256
8439b74e9ca7b3e0eb9e862cd1de3da2b966ed089ee3b0edb754aa8b533a5d50

SHA512
498eb9f6bcf867ce8f00528fbbc4b38657756c441108d886b59ddc813d009ee8517295ff3fdc79eb0417c1b77c2fa327651fe59103e2ce12cad0156c651d46a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
434KB

MD5
efe7511f67dfc4f9f1c95c26de611bfe

SHA1
3b04ed9dc987364af07e147372bf3b8a9295fbe6

SHA256
a9d4a3963c3488a0e32156b1a47c5e79e6a5f620ae4d603fafbe7d8a34b0490f

SHA512
5e1ab4f5afef9936d472d2e05d2f7957007561e6bbd3e44fdec3d1ff402c10b1c148e4cd2de4fb586a5e40a9f6427068d7b890e4e827f37ff4df02df558673f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
174KB

MD5
0601b2bb8a195f705d87d325db8bf84e

SHA1
01cc2cd3f961ef969fccdfb0dc635342c10a3305

SHA256
f03c436c42fb463ed23227eac33009afbe6bbca29be32b11004f0fd1bd253a5c

SHA512
1c21950faa96267372f54012c6f1941a5bf529db1de462442bd9bc51e798fa7ea8db9070df4bfef2cb21edc4308d7cc100eb342208c976a83e153acd8dfa9e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
155KB

MD5
29996e2fcc0e967c84f874282d74caeb

SHA1
3f8a964d86f6b67bbcc13c5f621e782545e82866

SHA256
fdeb8d616fc6507e1bcb9a70afc4ef566d8c910dcce556a1d92a74f3bd4accb0

SHA512
6e41e0397f263d3394adff846e23e836e910cfc1a5e686c249c8f2d74f357dd3452b72e79c9a64ee481fa55d3c9ceb6bca021ae8656c8e5c0ad334ad119dfa1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
753KB

MD5
2283e1d43a3948924bc8268ad27362e8

SHA1
5c0087cc78207d86ab1ea478bd222c5b1cbe101b

SHA256
7f86906a595ba9fc7a3f835673ac4fa0400ac6a1760151f84824e1e7178f8cc4

SHA512
95ac35afe62373eda9dff3725c49849508d15a8c77d3e8e7ca51ea3a77aa9b162ae21c0bbe5acfc2bb2df53adfaa86ec3816fec1de0897cf3a38985ab20d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
64KB

MD5
7fcedb6e973c5df3b6652a2afafa6a13

SHA1
116728803559ab58a8127544df80b75a0dd1c6d2

SHA256
fd7191afdecd35b78a0c0ca0457cbbf42ffda1e52263cd785abca5f047b18825

SHA512
05c86bf84079a2cc13dc7a1a917a0839ccd2b18e0440c4bd419c99f65c4161ac69a9447f56bdf6051b2fbbc49b7556fc3717432d0e293dfae2921c0701fe64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
168KB

MD5
03168574b18e831d888034c9f3af1af2

SHA1
dd948d0cb9230ebfb9b22ac280d4052af5fb0614

SHA256
4563c8186bac8e39a7f13bad44bafa1eb3e080042ec5f029d9bc8df12bea659e

SHA512
58ac8be5c232468d6721a5f7a328f8fc507b76730f87dab8ca7cd288961c84324a6efddb4b53c57d93146abaa6d5c3f945ac65935fdf4eefc0444b3ae25e6526

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
127KB

MD5
850257e6fec625562e820b3aea09e6e4

SHA1
603cd7bd320415069d2140319c1bc8d65fd67936

SHA256
98a87122d4f3398fbd2be9c5fffe5bd584b918ac263cb4e7e10bb4f6d7dddb3d

SHA512
6ad133a7b7434f94193b5db7903af57422bbd6881569c9b11f50c0b45c5c8ab20c4e2e8d15f7778bb2a05b61472f78f34e50916df99453b1e6924331507428dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
88KB

MD5
b4a7d5055936d068d96a08f2ca31ac34

SHA1
fd58f85d2aef6f5dd36a51f7903a536fda8d5d27

SHA256
c02918a3b4185a12ffe4a3ac52f2bda5887012d89a55f309d03758b01113283c

SHA512
2e416c9b7da45849b6d0f32d11a5e48cbc708fb03fb16395b56dffcea793a99c669ee3739b54fb9fdf44276ae9b28e3e147ffc93673cbe819336057bb7b30083

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
228KB

MD5
318c8e1a53e0ce947b614633c5cc5384

SHA1
465cd01d89f47f19d12b70e41a5bf521036bb237

SHA256
c77d48b4c40f6a3f4936b5de8d303625d973c0d6ba82cf252fdea4aafa46ab93

SHA512
5bc66d86672d15aae03eb5120e07dff37a3487043f0ffe21c990243b9b14e5f1e9f36e3d858ea35ce8643a4829c76d3ec0b0cf5ab9814eea9522b49fe86fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
180KB

MD5
697ed9e859a1034e3b2231e76db506ac

SHA1
92b7a5dc0a8c422d668e33f34548765785654491

SHA256
f3700ce2a8dd41458c52db31bbbfdb67619cf054cf62f0fecfc3581fe287139e

SHA512
4ee94a9d6a0a4e329d203bfa1e732d2af972409b040aecfa713555df81402ed3f10512aa9dc6e01d8ba27beeda0d74c198308216860a9fcd1c414107cfb1ad7b

Download Submit
memory/3372-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3372-46-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/3372-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3372-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3372-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3372-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4296-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4716-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4716-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download