73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
253s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-02-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4276	b2e.exe
3940	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe
3940	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2268-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 4276	2268	batexe.exe	85
PID 2268 wrote to memory of 4276	2268	batexe.exe	85
PID 2268 wrote to memory of 4276	2268	batexe.exe	85
PID 4276 wrote to memory of 4344	4276	b2e.exe	86
PID 4276 wrote to memory of 4344	4276	b2e.exe	86
PID 4276 wrote to memory of 4344	4276	b2e.exe	86
PID 4344 wrote to memory of 3940	4344	cmd.exe	89
PID 4344 wrote to memory of 3940	4344	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60FC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe

Filesize
1.5MB

MD5
b749ea3f74a938eaa01df8d7bfd3caaf

SHA1
5dde89a92e302842cd9008149eb2d187fc4fe621

SHA256
6fa8eb3f8522199addfbf8419a04ffc7736f5e2a0335ba614b25a5d9303e7b52

SHA512
61a7f1bf285ecb33a4e302a244af4d91856f6653c76d5537aad0bbbd6f324129db817e558fbf2bacafc90d0a40b9b1b7421fdbf200b6db51fbd578fdc4c61647

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe

Filesize
924KB

MD5
98ce51c302abd8048da4335b87017eb3

SHA1
4a9c4817e576436437b782e35c902f46a54d8e49

SHA256
391364c868ec8b78aade502c466ab7b4889e2ec56316cb1f7c357327b21582c9

SHA512
d355399a86dfb9c137e368ff18b13a06cf36595c24cea29fc3f4f57ff83fb2c855abe62a8e35c80bdda38bcc0765ae2f6320baaae70207b945b711b16972b071

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E8B.tmp\b2e.exe

Filesize
1.1MB

MD5
d480e8bb04f81c7c8aec169b1f848377

SHA1
ec44172229ce94386be0534364abb73737b558b0

SHA256
d2bba9370eeb4eeb77627885af3324c7221a7e12ed35f431cdb14f5b1228ff2e

SHA512
edb7b2571986cafa08e581fa969962e265bef53061963773740b7a7368455fd10af506507b3d38c6c3c7a224389e7a16ac6d4de914686a9fc93fb92f03535403

Download Submit
C:\Users\Admin\AppData\Local\Temp\60FC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
574KB

MD5
2c8506fefcadefe12c71ba4af98d354c

SHA1
85f62d046831aac2fcf737aa4c133d3bc18e4c04

SHA256
caefebf4c51fa5c3081399eee2df009feae0ea2b03209cbb2740ba0132fbb43c

SHA512
362c59047b39db485112669217b6a85ad11be6e41bfd0d0758beb9a2048cb5aa66205ea3afbf77c16710c18f9d364bb772a1636885794def157e8da11671f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
302KB

MD5
a3e218ea0fc9584f1d92f6c086cb7b7c

SHA1
d76b71e22f7e35a6e4b93727ca49c528a8c8a53c

SHA256
7d3296ed8b5d133eb5066430ab864047b8b82c516a318fb2dadc1baed1dd7a21

SHA512
8893b4bc5710d8fc4f32cc8f68b04ec95a9d66fd0668f81aa75d36e398b16226bb3a80bc68da8e457376f88c195148a44d690359e6b3741fe93008319a1c3783

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
280KB

MD5
78116ebf03ff0e40b6986aa02adbc2a0

SHA1
86cc544ee58562ca1635aadd1d626cf6c0151b28

SHA256
31e341dd189186b4b91ab94509b199ab40fde330dd404cc99ba731a95182dc33

SHA512
285f2a9ea8fbddb092ce099f972f7c765558a9b81b8e509868d27f04b4922ad3292cbe908e0baa945fc58d8d35675a4e31325267e197f1d2c2ff63eee9e290cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
260KB

MD5
d32bc052f69c96387063a66d29dabedc

SHA1
48a9ec9d4b57e4797b53a6157a4a6cda487e3e96

SHA256
a48ba5b6b1ebf8ad98b89a4582f61f82deaf5fa017fcee6da58c5fb783acafad

SHA512
f8d68b3957642eae9f70043cba67aef5dd2c44d3e8075c7be740e2af0cfcac5cf05bd2bc039ddf1c633bef22d7f13b26960c1c7e68cc9821454a9684fc38348a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
263KB

MD5
29a7f7b61468fe788db1716c8f3c558b

SHA1
763067e5e8c20ac0bc1f652e1fa21d8ce613cf0c

SHA256
327622517b590e4e3914de3b5939bd6cee718b955ed2df9efe22d7d1f904c7be

SHA512
0e6c89a3bae7b33a0ca8c5eb9d552caf2f5bb3b3237ba219caee4e677405bec8ac6a1b8ff55b9f8bd6921ae21e2f1b88fdd8b4a31772eb3e40f5732f8e219f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
268KB

MD5
dbc6ce655f624ca50ad29f247652b1d6

SHA1
efbab8588e10cd162e3938c5bbc45e590e9905fe

SHA256
97f2ed1a8945beed3a55957424fb1c39764615d460cf0afdec205efd0763c163

SHA512
23588e17dcf9dbcbd403ad33dcdab3dc6aa4686f9aca14ffddccdd53e1f6e867d503429e829a31dcbb308ac56429f3de676d117974acedae47bcc92c42e8a487

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
266KB

MD5
16a198788a022b930130d1ab06132b64

SHA1
91442f260ca53eac3f8d33c5eef7ba29812725f5

SHA256
a84822e77b0fe03ba3e1f50d213de5a30b36fdbf51264650612c669de9f34201

SHA512
a329103c7155f136b64ae9723c31c9f83effb039ba8a20a90394e87e06458a4b88ec51083003fc12c3a0086e120ca81ac638db86ed2873b443f53d87b983d522

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
482KB

MD5
d43a9618de263cb2c74859ac0f6bef1a

SHA1
3b9263078e6aa0bde277c7ca273b26061af2bf4b

SHA256
9845ac5a351f16e8b6790a8be07fe885228794473916176a3e8208c4b3d4c608

SHA512
fd26f2de46e6a5c18f0a1d98b384879dbc143f44e398735b679b0405ffc732af855cef119c5f5dc2794ff8b00c48587c8057f87130fde2d6c45600adfa2e1c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
368KB

MD5
8c4ef0498bc2ea6d477f52d5c96fbeba

SHA1
98dd23b1415d9bb16a97049afa52f26acae2ab02

SHA256
af2b431078e69eeb42d75bee7cb2f68901bf11679cf6cdd8d0ac5ff997dade15

SHA512
d2c302b3e0019c2c2df5095b89682870cf6e7d0f7f4d9d2dacc25cc12b3862a737343e2f0825860a472e8d1c7f1dcde41484b100ab14e1667b24dbb2d030e14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
316KB

MD5
f5fabc5f6a654b510c9dc13d598f57f7

SHA1
9af84d2b8f6486135695e264d7493fb991343033

SHA256
8d2752e50c63f7589478685b437433eadc90a447f3b0a3d91c0341072c722c06

SHA512
1aa1e85a428b60ff9ac194854a1f6a92c37cfb92932cbf3b0e221bc6a6f44575470ce6149c6930867f914058321bfd4b711db9729649b1d6776a9a36cf2fe983

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
307KB

MD5
da1da2dc22890b271315d56ed5d4d63b

SHA1
4a79eb39b7b37f6a9afd1a23ea86873b2b4674c0

SHA256
80c0adfaf48afda1dd863eab2a200206ea5cf5401348c6e31751e688add4b5c5

SHA512
dcd120480f0d7e1ac239e661b81df4af207851ec031cb6e6a7bacdf500045fccc19de846eb7bac63be7f94070531dcbc8543f0b93918ae3567f9771e16d7c446

Download Submit
memory/2268-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3940-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3940-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3940-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-47-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/3940-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-46-0x000000006BAC0000-0x000000006BB58000-memory.dmp

Filesize
608KB

Download
memory/3940-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3940-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4276-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4276-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download