73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4376	b2e.exe
468	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe
468	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/564-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 4376	564	batexe.exe	88
PID 564 wrote to memory of 4376	564	batexe.exe	88
PID 564 wrote to memory of 4376	564	batexe.exe	88
PID 4376 wrote to memory of 2500	4376	b2e.exe	89
PID 4376 wrote to memory of 2500	4376	b2e.exe	89
PID 4376 wrote to memory of 2500	4376	b2e.exe	89
PID 2500 wrote to memory of 468	2500	cmd.exe	92
PID 2500 wrote to memory of 468	2500	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\433E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\433E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\433E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4EA8.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\433E.tmp\b2e.exe

Filesize
6.7MB

MD5
49518b27715a193415822914b4fdab8a

SHA1
a9d8eae91db7c697962a75780810e713f79f2ec8

SHA256
c460a6d6c40040d92ed9bf6763a805eab0f421a5a1e15ce25ffa5058eee8303a

SHA512
f8158b6807fc2d4b35f5b969de0956ad50456678af0f3f7af6f5132c958c6beb4f650eefe752ccd6b4813c533152f6f9d71ef60f48cfc61a1d6d3738945a8d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\433E.tmp\b2e.exe

Filesize
1.8MB

MD5
044a18ca7fa1182942928e7ef8a49dde

SHA1
0717e18ab581b83723a1d9fc6fc5f2383155370e

SHA256
85749e984d6df7d325a03a8524d8ebd1af0e9a406f676d7d78372adbfeb8c9e8

SHA512
4fcea801815b0705fcd329a5516ca5ea0cf33ba1d791a52ff1a2db0d15dfe706146a432637e630beed7572dd82a0eef476480342bf916ca3fc82793df4b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\433E.tmp\b2e.exe

Filesize
836KB

MD5
b71517f835e984a1022a6fa81c7d831d

SHA1
e917b7a1ea3b264fe10e20940d052a7ff1712933

SHA256
cb2b35d6396539c8d04e3c8428f11b8eafc08cbc522b5d49c58cc80f2cd3a462

SHA512
9c30850cad2a17d4755e9ab32a0ff0a5688dafcdd8419e1cb9e16115d4250bf92b120b0b402831f22ea9e961dc75807c8d48a4bce11a63bd7fdcc67afda4dabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EA8.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
508KB

MD5
bca794ddac027f553ad07e7a108ff29d

SHA1
5fae28f2240a64278cf9973f74f9d37255456b12

SHA256
496abe73c8ecee035daa50db670879bb582e099eea4d5c877de15a67e47412cf

SHA512
34cab50427232f4c7dff7d1c047d31215d1423c5a07da81beece7d738d1c9967eacc38f9f15e5c424ae6f49438e4e78b1720c10cbfc2d5763b40ba4bc8e6cd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
570KB

MD5
a98a2d13ae1a9485039151581b56c0bc

SHA1
18828d19e3597e9dc5753be78ad28c4cc526556b

SHA256
176a9efca01955989dcea12bb8309a2765fbc21279746813c5e6a19bdf549a49

SHA512
59a5602478a9178cde12fa744e0d49616446a4fc24213865a8362ebacabf8d409742828bf24c008fa612e0d21d33b58821fdd2b9f03035e773fc5454e0692e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
532KB

MD5
817a351a1a48cf016046da61daaa4bb3

SHA1
b694ae25f2dacfd8e658154f5a00878b0a948d22

SHA256
e7658165c083d07afe9acd6deae3da135f0b04924d7d1bd442618d90177de86c

SHA512
296028fdcfc707103fd127a800b95aebcfd61b830d0ee8e01ed766e65bc95808749f50635f820f25820bc1cc2ac197a74c85c158560c68039b464bd2fb841d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
369KB

MD5
53f023dd2126caf85003d2b2a211d8d5

SHA1
8a4c7841944ea1adfaef7de40c3d1b8e994c2b90

SHA256
6bf9b0b632de803cb59e07a05ecaaf6c7b9e72e7d46783788c2435c9d35a6866

SHA512
4407b77cd7c5a56283095c63b2881ce8b6f8ab8ad722f5f34d31b7090acefb4ec9c73b70388d4826c5a748c82ce459e96e516b2b1ac13c9b3d95d0c4ab9c7ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
320KB

MD5
e63bf5df87e2ea807dc353cc5aa9aab1

SHA1
69fc94bbebe878711cb133c3a1affb80c0bdecff

SHA256
2c9d6315f90367b959d3c32badd99bbc03eb808e4a46db72ccf2e81788b41533

SHA512
70f2b2a8a4c8ab23d81266cd23b75c27ced29a1eab8c80d95c57b595b10254b7229cc03b637716edbfad2a83827f2c557847b98d1de80256beec05c9512ee4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
380KB

MD5
02724f5e64e00515b96cbc74ce927bfe

SHA1
b37ccd92e7f97d1fbae00fe992a3cf473e643f56

SHA256
5f50a5e0b4963090e7f3634bb70c3d422df6b86d6afcda5731cdb0febb68e745

SHA512
ac428860a7daca8087d305a4f6ee359e9b66a8f879ec1049d4cd761e68585d15ca9b21ddfa8baeb271961fb9e4f745b414441f1bab93219ae94a686f227f69ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
480KB

MD5
7013171765b2a775c9547407e2fa581e

SHA1
78981f52b5d072f5c318c63c770f2251b7c1146e

SHA256
325767b39fd41c9cefc2687c9f4b2b76589b7d8da05225bb4f9324bd4956817f

SHA512
03c55fa94a19fde248fa511b7bd957d5864174bb22fa66157211bc253c6f7e5cd71e7818d9f1903bdb1e8d0656305a1babb4c3311315d2c98df76d02708edb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
384KB

MD5
4cb3a8d3af58faf78da4dd33a03029db

SHA1
5356e4fb04a7047f6fc82a4e071e4803f97a0f3d

SHA256
86df790940bd442466ea58a434a31aaaadd1d23a9e9bf5e6fe625ff49049d620

SHA512
244237f4a13a7666e9f9592451dbb8bb18ca1f828d66f97e2890fa8f6be690d8890848102a8be253542c9f4b154d9f0e1aeeee5a867c866b78b64f9949f48c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
281KB

MD5
5e54a580f0bc559467ffb51808018740

SHA1
03e44ad177770dc2c8d589921bb5847be136e64c

SHA256
b9ee3ec90edb87bdf37ffeabc8ee919e5fb8acdf2910e42d34b401339eed5c11

SHA512
6c844ed1a35ca1a17c8a8201bd0a60335aa4e8b4eeaa38ec717de6d7a5ba15fe32d16769c84f09f2f45553436032ff21529edcb59f0dc8f3e78f235202635d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
399KB

MD5
93c617f43da1fae3f446dd76a9a8f2ed

SHA1
c0b33a084ece869648ed35199dea8ce8d9c66fcd

SHA256
02b9c670b14551fc141efa18faa5040423d79274392abf1c8ac66e50a91d176d

SHA512
2c4bb15737408ed5aa5a8f36d3adcea969501151fbe4e5ac14188ff2e3e073fde0edfdf030ccf8d6a5bb3cf41fcd08df71ce58672bee9f72f52da3cee159c893

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
325KB

MD5
2cd11d47e42450e3e66027c0c59d8c97

SHA1
d6df02a2308cac64fe2d72d92a92c13231ba2900

SHA256
978a5b9ba081502e47d25b291f979a32c4f162883cb491a8ea532e0521d1b953

SHA512
f6b5c1b2464f511c84fe0d886b06e136639e82a34e017de89443c33f8242cf856bcf4dc03085fdc5a225d388bf8406cbd79a54d86e5a09becfca114eff0eb81c

Download Submit
memory/468-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/468-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/468-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/468-47-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/468-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/468-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/564-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4376-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4376-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download