73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3196	b2e.exe
2204	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe
2204	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3196	3172	batexe.exe	89
PID 3172 wrote to memory of 3196	3172	batexe.exe	89
PID 3172 wrote to memory of 3196	3172	batexe.exe	89
PID 3196 wrote to memory of 4884	3196	b2e.exe	90
PID 3196 wrote to memory of 4884	3196	b2e.exe	90
PID 3196 wrote to memory of 4884	3196	b2e.exe	90
PID 4884 wrote to memory of 2204	4884	cmd.exe	93
PID 4884 wrote to memory of 2204	4884	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\503E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe

Filesize
4.4MB

MD5
6817714e04354a199e62ac01b6e06f03

SHA1
66550d231ce6fd69a1c26ba144c42a848b1bc4f3

SHA256
42ff8a648e686c200a1e06670dcde1f6a9cfc68502b22e926eb8c28cddd49e48

SHA512
22047de875bb689deeede284a092c6fc23de6d1733413c5ca0ac25503b41c86c2374d5af5a9778620fe9b49d75ad39549355f273095bab65981213f49f1e2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe

Filesize
1.0MB

MD5
f455360653bcccec8ff858b368872b2b

SHA1
ae2e58f84abdb334c5e09e7eb29c471411970cbc

SHA256
9f94fcd2f57e2aa8aea4c659ddbb559986a7e3f904455b727375ff126f9363c2

SHA512
780e5e6336a3c7163dfebe4559c1c1002065c435554590af5de2ba35c6989caef77759011726344c3357e0521422817978227d1d2c8199aabd87ffd9331d0618

Download Submit
C:\Users\Admin\AppData\Local\Temp\44E4.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\503E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
202KB

MD5
2c6f423cca54de7bc684a6ce324d764a

SHA1
bae51c08b718d7d2d74a86e500016e65c6ceae83

SHA256
e625977efa251a106aedda12561014cef4dbe54433b66828b267b2ef7466fb69

SHA512
84ad3410beb7dc89b585eb3a20a0ebe3a635d926e26c5a444df8db56f1295073b34925f3a90f03850b4aac51f99fe7775f9e7dc87ee324fbc1f1f1f5d4befc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
235KB

MD5
c7f1d53dbdfde5d8db95e1024352fd69

SHA1
2f0737e67174927b4968758bbbb00aebbe5d24d2

SHA256
9c5fd6d7b8a9639bb12cf30290878a4c70dcd417cb0399fe4dc709fef216272f

SHA512
9071c05c7af8e015239540b859e2b0f179a9e7c8d49acf6c708863d81e8ab709c72589bfae8a0505044958747f96bb6982faddbe39c92ec6c0cca7c2aab16e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
253KB

MD5
834e16f05e2943f010726467a8661475

SHA1
7dd71b0c470c042aa660c8987e6b2b247c6c7bbe

SHA256
338547699cabeb6138cc3f61d793065ff7fdd5ef42cb05d669bc997eb6e9cfe2

SHA512
f742f93d614948199a56bd56c6c17b677402267006a22bdceddeb98540cd0c45a154a10e7a4898dc3853a95f5ab37dff8f1e35850458acd73bc2e86be527979d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
174KB

MD5
3a4facb6ff2b711765b82f899c3f9391

SHA1
83a0278e54d3c009329b82adca45c65b1f11505d

SHA256
5f41003585ac07468e79ca36c01519bdd53c3fa61d5a67cf55f50a2507bc98f9

SHA512
f1f2e0170997941970a4aa9490a13e7097ccd644f94065799bfce9d2b6d95212f6f399773932d59f3182e17ff33b75b853fa047b1a0fa01e0d29d1250dcab8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
261KB

MD5
73f3f15f2e7248849ab84b6a33e09f71

SHA1
c6d88876bcccf9fe30747014029a0f11b2944457

SHA256
cd403c08b6ee227db60deb861a5d6037488bb32b23d9878d74dc5072d7ac2b10

SHA512
e7d53b12eb8652892f0eebb7f74f1d0733fe842d3cff053d5330677f8b67b9c8e92f49f78173a66fa288ef413acb175c0a5c78981f633f5b1b4801863c844407

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
140KB

MD5
d99835a3e656856255a1ebc5b1465fad

SHA1
b687d265acc0be38848584b7abbb301818c9efee

SHA256
b8a40ecc2b02e476f835c69dff71061f648e93cb6981227be28737d76038481f

SHA512
789396308eac5d89367fd7fbb48aa4ff872b6b2a6d3acc2802c6d6bb185bb52cf31a7d8675795ae6929fcac6fe530b51bba581d6a8f54b34d71f2b99e51f82df

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
240KB

MD5
f959013252ccb83e8601c132842d1739

SHA1
d780cefa82b87e84562cdf9b0683a605872429ce

SHA256
b105af81007752ca3aed4a9fb0644f7f2462f0727bf1b96b7a55ecca641303d8

SHA512
bde3af2201d316ba3525f2e677ff82b951f3c53ce4f7fc446045677e8569c7e9f3296b792e2fb8a8bf45b736492a81643f153cc663779411a5b930b35ad02ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
188KB

MD5
68335cabc14ccb76fc3face126bef88c

SHA1
dc2884a0b6063f47224ac14b0be15f9753b60678

SHA256
699df17f463018ab96888910873157579c6a6227127b6d98f38306e4dd57f19b

SHA512
dc6310c8c1f4746157a0eace3f7a7648a5c870fb5479c06a150f8266078273737553227da49301e3ed10c10a20ea009af26b48b07c9962e20a91434c559f95cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
84KB

MD5
9246174fcfe0ea9eeb9470e23c928d9a

SHA1
8a42694ae8db7cbf4caaa830ad5f8af95707c5e1

SHA256
e78709b29eae2214a2b3fd359a34b0e5d78a61e99aa34e0023217b1b9ce544e6

SHA512
d98e05cb6bffd0079efca8b4664f00d3149d387181bc32def637f0d02dd2da57596a969d2432cc6873a73f1c1d6f6ec2a091ad05773c05ec6322f6ab383cc6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
219KB

MD5
f34ba234ab1ceefc8f3b3f2e81595639

SHA1
830824cd4f7d92a7ed55545502d40cac840ef166

SHA256
8a1caf694fd90e238301c2ff1de712f4c42c909e66a20ea22a62b7b72f8812a6

SHA512
a3455e4b5cca5718e994624438af208b9672f0889ccb48bea6197f6658c323b2d41832aa98b1bc3cdc3e4d2b6a0bf2876a28619f8527e66a7550d9f5da47716d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
182KB

MD5
fed0816a16bc6e3ea435b9b5801d7f88

SHA1
5c7023139c49644b8a8e329356ee99fdd466b0ec

SHA256
ce6aaf3421f23a3e417834b7c4ff6975235383cb3e7e2d84b547eb6f7dabf47d

SHA512
22991c4d99b4184a36055bce9e0011540236c95a8a6a3965ce5005fad12af32a0d033f4b581586df7f5096d6750f56b21a2c5c72893ce618399e0e06ae56d348

Download Submit
memory/2204-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2204-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2204-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/2204-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2204-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2204-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3172-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3196-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3196-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download