73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
301s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1700	b2e.exe
2960	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe
2960	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2028-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1700	2028	batexe.exe	92
PID 2028 wrote to memory of 1700	2028	batexe.exe	92
PID 2028 wrote to memory of 1700	2028	batexe.exe	92
PID 1700 wrote to memory of 2364	1700	b2e.exe	93
PID 1700 wrote to memory of 2364	1700	b2e.exe	93
PID 1700 wrote to memory of 2364	1700	b2e.exe	93
PID 2364 wrote to memory of 2960	2364	cmd.exe	96
PID 2364 wrote to memory of 2960	2364	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\4726.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4726.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4726.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5261.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4726.tmp\b2e.exe

Filesize
2.1MB

MD5
58f5d2a016395acc8973a316c63d8aab

SHA1
a88b70f2ac54c356bd6aca911cf33a37ee6587b2

SHA256
daf6f52a5910629f5edf0d7d2b4981e61870d7b863f26e5f9882e8806ce3ce54

SHA512
aae78ab51faeb36d9773991746eb8f7a7f0b41381c31896d61998576289ab9ad7d984f7909bc44d4eb3bf5a88deedfd26fd257b67c0c0b44237c699903e3c4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4726.tmp\b2e.exe

Filesize
2.6MB

MD5
5ea8a2341f0b2c2c8f0d6c87a59fbe7a

SHA1
6c263380f3028970344cca1ba9d9c5a832d98cc2

SHA256
c28dc7a9de08f996306c97b97bac4c6b84a4fff3d25f5141f15948dc606e7d47

SHA512
5120d607f8af8aa2be088c7364b16d8bab5ee6508a8880a795f577555945485d454b422d4321adb53271fca92624abfcae9820fb6e2f029f79bd6a35b064985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4726.tmp\b2e.exe

Filesize
2.9MB

MD5
ea792ebd772ba0e254a81655cfdf1d79

SHA1
a15be01c4a827fa16b6bd35b1b5f2031ee755e9a

SHA256
fd661fd36a27fb5db475ff3453523bc9cd03828e829c0edeba08ac0c6cc9825d

SHA512
ea0e569d93ca4a609e97acdddb47172a9136e6963b2b0f65360fedc24865b97f5a55714ba07c88c43e5900745ae72ac236bdc44262ea7a404201004df76b9499

Download Submit
C:\Users\Admin\AppData\Local\Temp\5261.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
74484c310bd4b40f916124161b7113f2

SHA1
b14ff27823dff6e1df42b0a7c6f986846b35c8ff

SHA256
713d8f06ed51be37cd739dd3f8772608cfcf6d8bbfd2e98d4d515d3bd964fb02

SHA512
a74663e9c459252e9eb46163627cd0528d23395586cbfe328d3b31fb197faa41d8a0ea414c0ffcddbfeb86c901db34e8495c7d1f728140fb0a59e0ae5ef23d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
94449f506d478c0f6d6896a343d679b0

SHA1
17412626dd97cbf591e18d11b32e776336b38eb7

SHA256
a96b8090a298bbc61cdc63525601ee601198c871bed05b0a62c4e0098f101530

SHA512
fe0754f3c45c8040cb235b192446da9d9311c20f99e0cc643fabdab0517fa3cdc13a6ae63bae4732d2da9811b139bac71e09e9cfae85d1cc5763dec486dc790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
487KB

MD5
a1d21a67866972045cb818dffc444d25

SHA1
80e3268e23518543d24afb04831ae0879355546e

SHA256
bde3b11d2af3a4bfc6ebdca08a8e5ac17bf4111e2577ccbbda54b8edf07563fc

SHA512
d035b1c923d815d6418aec72b195ad15327e270102d5ed3e4be4cc82a913bc4e40a6c9c8a86defb2640f72c910f20149bc702dd18a6125b79066b77821e37bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
a1aa92b798565bd5d729d6c23f9009a5

SHA1
7eefdb4885b1df75e48efcff8fc0d8301bcf326e

SHA256
80deaca473ba316bdfa5888eb03fbeb7ad377b93f203641e175643e0e7142003

SHA512
a29c84aea9ed6b874e2cd2b5997fec3f2154dfa8ae26f71b977665129e6bfb527a9300b3e6145f41f45183bcb5aa90f3e2441a9cbf53f2acbcd1de7562273d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
9b1c1d6693918d7c2c950fb1cce8a859

SHA1
69d32c2494397ac2340373f03d47feb741654444

SHA256
74df76bd219af1fe14664ca893d63d1d39c57105bdff36c708d8262f1021c536

SHA512
d8ba6f0df6c684e99d3e793b2dd24a42d68311556dd2ad49e243add7032c0ca311abdd03751fe1a6595697e661465e22db462c2640c203d9a798883f0b1bed12

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
6ec902c8d8f79c443891aa32ffe29fac

SHA1
73cef1cebeb2b5320a5a764da326e014bce3f00f

SHA256
65cbc076547d1684f8e905574a9dcf5800aa87d198327bab98a9a8155a74506f

SHA512
6c3ce87b846712ca09a259d353280f2f61551a01ef29a67e4178adaaffabcbcd8d9eef2524b0efa1eae8544578764919379209b186c99a3107499cf01c4f35a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
e7ceb8e6f394417427033e14cc3d0575

SHA1
7d2e6219dc29dca7c25a314391e37ea842caf704

SHA256
ad7886ea66a9eacc5c102b5d64e856517cb87e502f690a92d34ccf8512480659

SHA512
3b122edf85822959f2f9428b37eddee536fe3e4279b898ecdeddaf48caa2c91100c97d5979640e776605cd50c8537d48042c7ed1d975e1c58101f1bf3ce578dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
14e4491664b83ccf1ac06fcb32ad0993

SHA1
8dcd1deadc4b93b5ef1e8817a4c075fe9d547866

SHA256
1652a633af7713b04965d0f2804f1058b6f33b4414ed83b870f8952b95ddf8df

SHA512
55ed25df682352b7fc756586e8a87a697655f6711a6991af8a547ee00f4f58b80545ba25d0324e29eefa625ea76f67770e9795b8667448fe31d376dfe8908d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1700-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1700-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2028-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2960-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2960-46-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/2960-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/2960-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2960-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2960-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download