73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4436	b2e.exe
3384	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3384	cpuminer-sse2.exe
3384	cpuminer-sse2.exe
3384	cpuminer-sse2.exe
3384	cpuminer-sse2.exe
3384	cpuminer-sse2.exe
3384	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4296-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4436	4296	batexe.exe	83
PID 4296 wrote to memory of 4436	4296	batexe.exe	83
PID 4296 wrote to memory of 4436	4296	batexe.exe	83
PID 4436 wrote to memory of 4268	4436	b2e.exe	84
PID 4436 wrote to memory of 4268	4436	b2e.exe	84
PID 4436 wrote to memory of 4268	4436	b2e.exe	84
PID 4268 wrote to memory of 3384	4268	cmd.exe	87
PID 4268 wrote to memory of 3384	4268	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\7B55.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7B55.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7B55.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8C7C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B55.tmp\b2e.exe

Filesize
712KB

MD5
96595c94e826dd0436f5088e85f4da40

SHA1
c151f531c28dce40e9e6f113cfa610444f0259d4

SHA256
709879898479e4d4b02c5bd09e343f295b9ccee1bb4a30f302f932a0a8e34224

SHA512
78607a88373665fe0fb66231baf0dbd188515a569d613fa0dd5bd336150103b0996f5b80acb2e13d5d77ec1505a08df9ca702232286f307171e852bfd6d9a074

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B55.tmp\b2e.exe

Filesize
227KB

MD5
6a7840102298d822f7403acdcbcb3374

SHA1
10cb662c3674c0678c3b3a089d9586e9c23229bc

SHA256
55e07bcfca258f788d0347fe1794f49ab39eea559b270f9faa97fe41d0758548

SHA512
91319d4d3b6e512adb9437c13364112fe369a82d497abadb66060ac240786d559d834d47c16b48a83d8eee088ace9c76269a61640ffa84c80509b311e4476b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B55.tmp\b2e.exe

Filesize
549KB

MD5
d9266b2362d1d7c17ecc9a67e5e2edb2

SHA1
103edbcdc40e82f56cb1b864733a70ce8db51a82

SHA256
965453e14a38827a7f7634f7e8ceeee50370f168a4f24d4adb138bcba831fc66

SHA512
65b9c67f39acf1d9aa1ec96aeac2d97f8398e402258fb24e5362539a3d962517552f08dd2edcaba6fd0ac0c293a8f6d5e33003de885c8dd71a89c041e23e3567

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C7C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
372KB

MD5
a1ed2b95436668708108a60d513e19a0

SHA1
704c71960f9a95cf78c123bc890e4b11d6fced3e

SHA256
365a3de5e57ff7ef27a5d4133245157beec1f47bcbb34898281fe848c1f0fefd

SHA512
30684833c7e84d0213e740543ec98466af232e3ce9c9ee046b7c047a8e2d5c14fe1b90bf81e2ee2e8196c76f913bed0b1ca267bfc99f99b944012e83b67a7bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
430KB

MD5
48075378af4753c1356f425bdfc3b402

SHA1
4375b28b1e8ceaa610807bbc4c8f12eb113df1d3

SHA256
3e795ae9c1ee62675101f1f2e98358b7c5d4a1c6f3638af18ec0e201a6039afd

SHA512
8aac6be5bb79872b24c2649540ff4986a417cbc904990a004b65a155d5911a6a91745ebb32d4638b897ca99a7751bbf868e34e853f4a1b4946529e1c635f03d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
1KB

MD5
d27bb4786bd7510db4a0a909181e1253

SHA1
ee39176b6998f20d072ed95b88e0e9e5c0476abe

SHA256
f82b8ec71b49c257046f0f7f09b026eb9a4a8879d2125cb3a5fe8722de2c8740

SHA512
9dc4bf61c7b5fb76a33ccb2fed698b9509dca2584b7b265724535f93c1a9c06eb5547e7575b0c4ec05c804c0fb104dd4ccc4bc59a932dd05840d971b45258fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
20KB

MD5
1e6ca4bc7ba75a79fc7f25985c1e0057

SHA1
54026faae12b04978808adf219293baeb573682c

SHA256
53b724f20ce89c46caf20c267e30fd4d544c4c0490ef0fb2ee3e262a5ea574e8

SHA512
843e8dd3e05567dd04c1659d3241831899990836a9ad71e3c5a708d9aeaf4a4f8f4415e8c5a9908a226779eebe6b96cd0dd4982e73078fa1bdc20a816f8a6875

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
23KB

MD5
451e737198c4844f82dd210f59e77b57

SHA1
eafbf584c1734488a025850c20e8c228d3ae1a38

SHA256
995e41f693635e1e2ebd90cf76b12eea2d225158072223335b2fcd3eb506220e

SHA512
dcd2c4772b19df1ea4141890ea8a4008802476dbc3e267855ae665db876427c0ac23cfb14d3fa1d9494fb752b918ce2616c9c8c688801a6a745758d956674f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
57KB

MD5
9847e73bcb93a91acd165a0f6892b3f6

SHA1
1015d74d21104498e7155841b9e7cd8f66a983c5

SHA256
e324d252f54abb2a57eb723ff7e77015f545af2544a54b9bcacfe2a20ec4abe4

SHA512
f2047bd1599c42d543bd698bd0e6f1df718648169ec08c9a47403b69c5d88a2cdeb388138fafdfa38a4ecbd6f0f54e209357967a3987221351bd44860169f88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
59KB

MD5
94ae95d74dbd839e67ba701cf2f89006

SHA1
ca1bef3708d928ef7156a3c105c6c8b55ca2091c

SHA256
d79133057997c5c3f2ad0677b008e5d10597dfa1514f94501e29d2d48e1004c0

SHA512
189effbdc1a8948b26dd97adeb7c3065e34a0f023ad7ab42346135b6b31847bc61dee028febab37d47321da8976a7cf6fd8ad3e22d37e75b30798cc6e0611622

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
13KB

MD5
82ce3af0ad1da35986ca824589c86456

SHA1
ea80afe01f84723e71d8483fc1e74628e5a32237

SHA256
4fa8d0c3f48f2a2126a96f189bd52170dbdf0d20a7d8036f07a064cc171f36b3

SHA512
12eb8ef85c6ab8c3c48aadfd6f27b68943f42c89b14e21d91d4073bc8859807358ea9b6d0653b58e912a667c9158a0c6301e46056fbbac9544406d4b1085f154

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
295KB

MD5
612d632ad724d709ca4c4eea886ed230

SHA1
9735e5033a440d4ecf8f086a752e8ea3622ce66a

SHA256
5f34e3e78fec13e399dd6b1b63dd3c6d62164228fab69131b970385f797e31d8

SHA512
0aa21cbc04f4d26356741e1b7629499c5444f69993f9ef550cf88fff42804a144c99e09fcfe50b60a7b9c19555cd177cd6d656699012d0f4730d2bb7be50176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
320KB

MD5
b95329eb159e91fd7b7453c0a270d266

SHA1
f5dc6947d43100654477d3c1e3228f1bb36f042c

SHA256
23bb52633fb8c7fa2b11c1631c6e4d4928a02b99ab17b22052c5d98dff0bc946

SHA512
cda88bcb0892c24afce538f24b3ef146eaba4ac0fd14dee6b018b4375a607c0178def287b7eaf65104e725192d8670b840840d0423162312c63d001eee7e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
402KB

MD5
07dd6daaa0c6ca6359589d4ec458cd3f

SHA1
5dda7c638db779b62414a4d60524b5741717dc25

SHA256
6addb57c18ceeb839cdc63fd8c3cc661f066cd88ce4cbf0ac6715304ef31c1bc

SHA512
ea3ca90e1d6d0ad98f2d0d21ea70c46f181df0e64b96cf7dc432a2d37a6f26806d023f057b15e9154d0a37e1ad479a011d0d1322efe557c2adfa43ce3e8da0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
47KB

MD5
6a1e40fb234955259fc49c6b2e2707b3

SHA1
41e6286eb83a42ba5f8e9a1c6c83ec24184109e3

SHA256
43aecf9d6ca40d0f93b0641c37b8bfe93c9c6f1776cb867497378f9a7e3a665d

SHA512
23d8a774e3778cb7756610c708f6f60191bb457900f9ba2c703e1aaf3cf19aa6e94a56fd6963fb18104dcf9e00982027281eca8b0de1ef47bcf92075acf4ca59

Download Submit
memory/3384-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-49-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/3384-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3384-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3384-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3384-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3384-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3384-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4296-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4436-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4436-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download