73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1392	b2e.exe
4624	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4624	cpuminer-sse2.exe
4624	cpuminer-sse2.exe
4624	cpuminer-sse2.exe
4624	cpuminer-sse2.exe
4624	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2644-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1392	2644	batexe.exe	89
PID 2644 wrote to memory of 1392	2644	batexe.exe	89
PID 2644 wrote to memory of 1392	2644	batexe.exe	89
PID 1392 wrote to memory of 1288	1392	b2e.exe	90
PID 1392 wrote to memory of 1288	1392	b2e.exe	90
PID 1392 wrote to memory of 1288	1392	b2e.exe	90
PID 1288 wrote to memory of 4624	1288	cmd.exe	93
PID 1288 wrote to memory of 4624	1288	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\614A.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\614A.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\614A.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6513.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\614A.tmp\b2e.exe

Filesize
24.1MB

MD5
66d259bbe2bc5dbbda257a5777161361

SHA1
55349c54e318b128db274d141c2474e3424d60c1

SHA256
c665ad39f5c67fa966b79fa0978d633151a5ae9cbd0f73232b02bdd0f351fe46

SHA512
d8a0f9ad573c71decd666bd1cbfca3a19364447cf0f88d12fb336d8c7d80dbf0af02e013714a027cc6d8cc99ed180c1abe3ce247b6de9cfe3dd019b71534e92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\614A.tmp\b2e.exe

Filesize
3.5MB

MD5
7bc7f1e1c726dd5b2712a3bd6b85f5b8

SHA1
061384a49a9a709f1cb689f37fcd4c5c2b7ceff1

SHA256
6e1b39b639ef60d9ecbb856e0c2b6ccef393a02944ebabd10cc4804851cae2af

SHA512
9b2e0ecf6415ecbe58904d3dbd7db8d40522d19ffd19c269af65dba1dc3ff03adef52cab63efae48fce8ec7f1f046f0131a471cd9418d63d2c06b283297d21d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\614A.tmp\b2e.exe

Filesize
3.2MB

MD5
35d614acc52ac1f063676559357ef3a0

SHA1
38bb0f406b81b4c032d7958594010287638ecd96

SHA256
397dbf36993a3df62c00ff4c243d4fa121db1cedc849f2463fde7f4b6b8005d0

SHA512
0c20d72bef049a19448ff7864f4f57a113dcbaff81dad6c45b4073cddfb9e719f5053242d98d312263a7bec791a002f26c62a24b83fc755a5ee1f47a7f8427fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6513.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
874bbfd2662d377a78ce0d2fce3cd60a

SHA1
a8925bea5bae30e91c9060ec78e4df5fbf7fe712

SHA256
0122252a173bba551dc4d7611f001715ee7cfacb3a416c93fcaf25c5219e8f80

SHA512
2b9591bf5e3f1e812f1a5efae65e4b7948b777e369fdf89ba9c31b39359c2436ce6fce0bc8f88b0ea66d95ab524a02176cbe58d1bba5e934fc34cabc89fc9089

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
576KB

MD5
6e18fc4eda8ed0e6aa6ed56f84803ab3

SHA1
e4a0a4432fcf3184baae1b01a8cb771ed580dbe2

SHA256
f51cf1f35d722b4af4bde30de5008d67d7256d271953eeb2ff63780978f4a53f

SHA512
25f97a3a07fd0aed4a5e6bd58e4cc3ebc2c56c0a314103536e9342ee10aa3c01baa24b459fb58d7154808594203e2b4fddc23f6c424182e2e8bb3a978b4dc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
685KB

MD5
2afaabe5798bdf667b040a0fbd2b3d07

SHA1
55d4769f13fb5e742a01ffb2dd84e47bbaa780c5

SHA256
fabca6af6b17bcfd849c953cd4a2d9fcf29ad99a6bfca359ca4c1bca9fa9c7d8

SHA512
06c74bb02dbb2d99e998931b63b0d7f01b9b9076e8875485ad9a9108e0b93ce33dfa30664723835bef9305e6b4349e5f1d3c4b155b484af5b9bffa9de64fa2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
709KB

MD5
4e35ef9fd592bcf830d40c552fb8d9b1

SHA1
1c4d0cea78205b0e5d72b4177160c2cd312fc8f6

SHA256
14dfdb3b24c485cf9aa395f67cc333461c8422ddae9df4170338673651086035

SHA512
7bbd49124b1c6c8b921fa9124630b3c0c1d2c85039f6d716bfa20bc096b6f166214623656393ffc192a8bb99df92a9022e8c677a6abef08a628ef932dab794a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1017KB

MD5
52faeb7d881b1771013ae9e538acbcbb

SHA1
0186c31191a402417ae115482227c83bf1216e22

SHA256
8069d71564bbda015eb8bdc26702d5059f9cdcc962938c96d29dcdc3b175d986

SHA512
bd3a6d73378e3138634f636373fea57ad3f00ff89ec5e0ebab78e565538d4d2bd0c9cf3d0d277274ad93876270ae92c521be15f1209a8727d920896ecb61857f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
589KB

MD5
f18a679703ce577d1179fc18ee91d304

SHA1
a7548e9820ee871228983062b126aacdac836baa

SHA256
6a58661d195e815f5bbc51ce088d42510a7de16d4cadfbd46bfaf4c4b827ebe8

SHA512
129aea2c257c161b9dfec3cf4ce2544ebab08a42b0d136deb4e2ed95ba5d4e9b87ea40ff7e8837e2dc1df599f80b1e328b9c7826b645f323d684ceb8d363b1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
873KB

MD5
f7f44bef5f031e6044a7e7174e11bc47

SHA1
91d54aa4afa24b6bf582ce0a19f450b7142a89ce

SHA256
90d5693bc1f26502b4bf86168d87426ba53ae946db7f7185b49d3e33f1293131

SHA512
aa0215f4c545de735eb63570f4e9282b06302aacb0c03f822973a5c4d71f5923d2b0062fd8c50d6eddc5a29380198d0105a4fb47206b9f8bbd35c4bd2b914c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
684KB

MD5
73ac59e9d9661146fb87ae096e7b4c88

SHA1
3096edd7a15f1d6de2023f3a3fa1da76b64c0036

SHA256
2d3293e4bd039507bb60dbbc2dee8c2ff64a6527ae6fa66ee66f3ce2e0ac06e2

SHA512
dcea355b8003dd243daa7090dfd5a6318cc44f11ab3067981196cd7d5bd117d1c51120b0a681878d7b9f0e0e7be8bd3c180e025735fac22cfd29fd5b8d023b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1392-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1392-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2644-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4624-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/4624-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4624-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4624-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-46-0x0000000065B60000-0x0000000065BF8000-memory.dmp

Filesize
608KB

Download
memory/4624-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4624-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download