73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21/02/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4272	b2e.exe
3612	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3612	cpuminer-sse2.exe
3612	cpuminer-sse2.exe
3612	cpuminer-sse2.exe
3612	cpuminer-sse2.exe
3612	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2384-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4272	2384	batexe.exe	87
PID 2384 wrote to memory of 4272	2384	batexe.exe	87
PID 2384 wrote to memory of 4272	2384	batexe.exe	87
PID 4272 wrote to memory of 3388	4272	b2e.exe	89
PID 4272 wrote to memory of 3388	4272	b2e.exe	89
PID 4272 wrote to memory of 3388	4272	b2e.exe	89
PID 3388 wrote to memory of 3612	3388	cmd.exe	91
PID 3388 wrote to memory of 3612	3388	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\5FC3.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5FC3.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5FC3.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6292.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5FC3.tmp\b2e.exe

Filesize
2.4MB

MD5
05f059969f09319e6b05a453dfd3c353

SHA1
9f9cac4e26964d8616f559d0ca41238172a8e734

SHA256
bba9a30e8b2aaf05533d733c3d7961c3cf0b911272473a1c2da1b003c70dc77f

SHA512
8beb995ab9e147c5ae3869e296668a80c7ac3522322580abfd576359a705384bf7c30cc5be1af80d3b343cd6ed90566316f2533048d010bf1f2eec24b54a8f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FC3.tmp\b2e.exe

Filesize
386KB

MD5
a640271cfed6f4d69637c84add4294bb

SHA1
658f6419e33009eb2b5a4f8123cef7861004d13b

SHA256
33efdc01f5486bbca44a0c53d17ef67323017712454822b1f28dfc8c03d47ee7

SHA512
f0edf1cf94d54ae6ac140c7fa9cf9eee94d63cf3b9ce4eb4bd7e5798bbb21c2cb398f5c02498331b904b33b693027d29635cfa29f6cbb788c4e7a362fd4130bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FC3.tmp\b2e.exe

Filesize
250KB

MD5
d8767165b718cf2d0b918641adf58c43

SHA1
0b85823a7b42689589df48161d9a5b70cb6e0604

SHA256
64fb0156c042c62ba4620722c16e9d01e6a2335928be0d4d05ad3539f26db9c8

SHA512
3c11e9dc8cdc1e8a883fbeefd863f90ca924d35ccf4eb5cd32b23761ae776dfcfdfe55caa3cecc60eda065ec61c1a7a1baef3b158fb2ce83bb6528afc1b0262a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6292.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
421KB

MD5
9814e6428b73b09bb16eb5745ea066b6

SHA1
edda52eb9564f6b8d9828f0cc0dd9f38018df708

SHA256
8bd043b5ea01be3bd2a1d2de8057f2830aa76e561320746a9d54746dd0829dcc

SHA512
ec856fa389b42117203e913b0c9b32bd4e0b82ddac9a1f274a3c9d58139618284a9949f481e3ab2575731ddde9cac045214a1fefcb2547f9a18ed78e7f423efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
488KB

MD5
65ef37c3373a499e75b6eb3bf620a8ae

SHA1
1f71c782ae111ac369db7c39778ce67ad649b3e7

SHA256
6eb7fdfb740f354c6d8a653598e02510e4f073450c748f5346953802930a6201

SHA512
7c9ce7a7569417b647cc5e330457fa45eeb81ca347ded6dccc9c0c606738bf0c950b9d6b43d068dbf05a893cfbcea1c5b99702b3ddcc3ce3c5bcd0efff2db689

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
228KB

MD5
57122422cac804534d40e7e019947882

SHA1
249da4fd5f0ac9d37b19ff25384f115310a9e34e

SHA256
c36c8f65c956f50e0a5596a4f52c295388cec92559084a7b724efd30e6a41f2a

SHA512
5e5abf4dba51d4bef137d0d33428a83c4bb377d90278975aa6a61625c5195585ae5d95f511e82cab302903a8c10f8581758afa3b6129e4afa5d0f646a7d59f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
533KB

MD5
fd16072c75297f004a5d2ff90c004d9a

SHA1
aa9a5c6360a2ab5c79627f068cc7a141c03a221c

SHA256
8b4f0c12fb066c29873befcc2e5743c8fe4af0bdfcedbdfec87c64e294da917d

SHA512
c8520e33dc7c8eb1e4e133e16adc5ea8028b697fa87d450010a2de9304f6e9d93c7c13878d3ddebed99aea7e130a5fa2822434f7c11ddd3fd33f749813abf84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
344KB

MD5
662dfaee3207535c3c59f87fd649d38b

SHA1
a424add3f16d38347c448045af934d001255b7f6

SHA256
760293a79b9b6ac7c3bdb3e7d3d49369695673e5ccdbcc1a96e0767217ff0a52

SHA512
7c96ed79684be7babb00fb3a79c679dc2933867b54ee859407006ccf0278ab9fb37d9dbbab27413ac5b61574f2255aebdbf95dcadba268f9f3517c0cfa2c367d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
435KB

MD5
87f473d701de10583e5c684baf8ffecf

SHA1
b99f53691dae2c29f38199f63217e41a9d317aec

SHA256
6d9915baffdcaf2d2588516f2cbf4402df6d4456023d97cc90d5ebd1309f45d1

SHA512
4cdbbecab33f6f9fd37a7f44cc1a082717d14ae00b53bfcd6685f61f25e6a4a7eed3a6bd5f1a8bcca5019aac8c72dae27f97c8f92ee740a1a5765525afc2ed1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
440KB

MD5
c335b37dcca690bf87801cca36b69295

SHA1
9414b533955a17d71f8173f95ad21aaaca84240e

SHA256
bd9c7819c3717281d5d005a9acdfb8ec31af7ed0370ba986db625e24877c88df

SHA512
36aa2ff72f6571dc984953c1957affd17ccab11546a2cfdb97c0c91a1d997c3d9cbaa1fd636b31cb9e4fbb2ee8e1bcbeab7b3a2e15c23d1dc1a422f9290aef15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
335KB

MD5
89646ff0e7546163357be0327ac06162

SHA1
f61f548ef6ee4c84697a30f2cb81c68bb9c615be

SHA256
22ca858b54bf5e7c6b941e17963982f3444324fccebbe5035db6db620f4bb53a

SHA512
53c664b5e1f2ca0d4ec700de5e950e0fcea218e9c370709f3b544dbc33b13741b523094aaa4085f15b655b5cbc1e1a00e541874159e34ae6d824dcc53ffb2ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
287KB

MD5
f5a3643cb308ab78178f5f80f95496c6

SHA1
45188421624f03be27d1603a950ad27c7045deb5

SHA256
c2809501400eb64eb38f789322ac7ebcb8c04a991bf1254a38adc6943b3004f0

SHA512
2993172113ab90fd7bd634227ecf267c4be00703f98ac6b4b9d10376c6533974ec09a7243ad67da2cf6524788733b3e7e54b0eb1be036bfe6c1925f40458451b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
222KB

MD5
385e4f189360c41e5b610ed4086521f3

SHA1
a62aae3a92561074f6c476f2f6c5887d1a4a58a0

SHA256
2a687ec1df47bf5f009e53919b8cc482b08977ae243c9b9bbea1292fe3384f64

SHA512
061079e6b20580b56c371e76cf7f1f18533634c18536aab3e2b367d2eae4493651662868823d1fd12b70e9dd34a136a27cc1fd45409e0b4197ac0be7ce4af8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
434KB

MD5
0a56f113059f5ae856ad17a30731b69e

SHA1
d6987e7d361fc3eb1ab61da739d8298d54a73cd7

SHA256
6722091a94f02f5e566cf284f72f641e1a4eba2490640afeac5c4ea774ec1ee9

SHA512
826f5f71320fab080786c74fb528505e519687a6f63c9c767c467684865cdb4b6843519271b296ea66e86ee65658b1a712febb030481cd983c7fcd18948fd4fb

Download Submit
memory/2384-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3612-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3612-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3612-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-47-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/3612-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-46-0x0000000060AE0000-0x0000000060B78000-memory.dmp

Filesize
608KB

Download
memory/3612-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3612-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4272-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4272-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download