73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4548	b2e.exe
3624	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3624	cpuminer-sse2.exe
3624	cpuminer-sse2.exe
3624	cpuminer-sse2.exe
3624	cpuminer-sse2.exe
3624	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4232-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4548	4232	batexe.exe	92
PID 4232 wrote to memory of 4548	4232	batexe.exe	92
PID 4232 wrote to memory of 4548	4232	batexe.exe	92
PID 4548 wrote to memory of 4016	4548	b2e.exe	93
PID 4548 wrote to memory of 4016	4548	b2e.exe	93
PID 4548 wrote to memory of 4016	4548	b2e.exe	93
PID 4016 wrote to memory of 3624	4016	cmd.exe	96
PID 4016 wrote to memory of 3624	4016	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\4FB1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4FB1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4FB1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5E96.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4FB1.tmp\b2e.exe

Filesize
8.1MB

MD5
22ae79ce70401bf535d1e1ff20d77b08

SHA1
88372625ff75c6b45716ad97aad75510c8db7693

SHA256
8913446404716e98f968195af10a831bf1a676ea320e62d723ea71a2857ccf09

SHA512
77e9b6b85243b32a677a41c511e95844e092f20f09306fe2e63206ca2a6764b90ab411814a5db07094ca8b600b79adeaa76602fdf1df974b4bfd12091365c9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FB1.tmp\b2e.exe

Filesize
3.8MB

MD5
cf37ccd6b756868b5e320216d2f6369a

SHA1
0f5c14540c748c8d6553dfa3e542cdc79d37ecfd

SHA256
d4cbcbf3925632db9abef2e9d050556da5c83d65966e43502dcd495ddf7c179e

SHA512
4fd9671c887d5e58ecb9ce318785ca30d5c085031754b60bbf699424fe387df2cdf8941811235b67b19d7bf980071eb10bdfc9c1e990a9467bd8e3f3546165f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FB1.tmp\b2e.exe

Filesize
2.2MB

MD5
8ea4a592bdd2bcf869b395c95ee4ee74

SHA1
95c1f3fae7528afbba726fd04f77655bfe16b2c8

SHA256
d480ff6b56217e0a401283537181be1d2568681c4eb0236c56207a3868a65e12

SHA512
0d3112c05f885ff41baa9fdddbdf49c81239a2af278bde19e8b98d93a6f319f43e89e4efed05b71d5863a5cfb44775185d1dbde7c6a42d881d34a177fbd97d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E96.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
448KB

MD5
ca0b33f54480aa9c590d09f72e3feb31

SHA1
d50dc7dd964feb0d7516c3037e7dc7e008420ae5

SHA256
67833a9e63d8b7469a3a3415124a2426893a6174ce2bd88bea520c68319d182d

SHA512
266dcd9c5bfe2b117fda6bf7c4250a908233d8474bd0b09596a0bd0fa2e5bc75446a20b46cb7e516ef75b5661bbe16c714e8dcc5962a0f481cbaecdf6135affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
594KB

MD5
1b3de385dcfce183069604a03425adb7

SHA1
a7081bd07276fad8b958f5d22e0e579c110dd82e

SHA256
a4fce44e5576b1c073253ac6067134f78c8328a470f0459f2bb3ac9cfd973ca0

SHA512
e87f3b5943715a7d1a7c58a27d2d90c8612734f05e1d8298ea0987ea9aefd2e1e5f106ad942adf1d82cd5cbb0accc4a1ed777c2412ebd4b1f5e05597bb1ebaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
438KB

MD5
e19eac789cd62f3d3436baeff726f2a2

SHA1
e47329b2ea6740de4fd251ca396da57c56ce19bc

SHA256
030fa745063de26daa7df850a2f98967df848da5827ece56669c7dbc81a85db6

SHA512
057b6ac2690c9bd765e6a16754e1b467a989b3d61ee19faa6a602dea58c4c19bce889e1e4a60a4d3fe03c1cab45395c80e38e4e87eec7f4f6f0a6176f96402ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
394KB

MD5
194abc90a13be4bdf67d441179da9e08

SHA1
52343c261a75fdb3fc16c1988ec4d0f1ebe896e2

SHA256
b602bbd97b8346373fd19fe1ebb7bd86c5e816d1c2114faba04bce422c718fe1

SHA512
c79c9679ccefb5f0bdaebc44421776495f3b67f5b406f162bde46c6b69f8280f859d0f3be95e6435b14ca63823c2869b029897b999414334a90e1caee6836edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
307KB

MD5
ce4d8439216861935014e94be6b6984e

SHA1
1cf1e05d6e0d15f841a86f0a2dc50cd23dd971c6

SHA256
4ab40447b68ec2e2345c3505d050e4ce5e24a01765e106e3d8613637b25709c3

SHA512
60ccdb7bc60c3e300ce13d9f7de7e54cfe256b33328bb6304cd910bb9ee6d0479d5e1aeee198960c1995a3fb4937dcca72602263ecb328bca7d0a547b1a89b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
172KB

MD5
a7f98951b8b13f2f76766765235fa095

SHA1
8fb9042d3bff4043cec85096ad8f8b68e07b79d2

SHA256
248fffa1eb033d7ac16eb605d4dbef95d8ae4da7d89a906155e45a08885fc62e

SHA512
96c3573393dbd8803018c434d2948ce34aa4185296b6737de4bd74d781fd08e9e3626e363f36a823a0885ac34942393463555c6d86a9ad608e1a6d8d163d9b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
478KB

MD5
c2de36ddb29a6905eb59a9e50b921dd3

SHA1
58a5634749dc5612d0d8fbf4c5f6402056e9cb2b

SHA256
5e5ce2fbfa1be663faa50e1112ecfcc83ea4554fcf2f60956fd55c42f46fec38

SHA512
b3dd5ba4499d07ed684763f248bd67d0990821fa14ddca6f91289984cfd60b37cf6618e33eb4919961b1abe608034f113afa3d9b240bba9d5be37e4e71deed07

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
312KB

MD5
6c35b7bf5baa600e00e61c55230e4ce7

SHA1
d5144ba6dfd1d49d09ece9d683231e9903f436fc

SHA256
498602fcd9b5ac19230ab43e010f5a488cc96e35e51191de93b51cfc1497a958

SHA512
676275caeccfe048f369cc512e57d6472c8818db92904a979a17118d2a97a4611c71de01672180c7476e42a8770501ca55bc9967b79c9a138c55547eb10496c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
243KB

MD5
6728393287791da23ab71c31f3bb414f

SHA1
cf2609ce24721d054f6a122ebf437cf3ad4fe793

SHA256
6474ceab86784c344d744978142fb31504d539edcda3cb2662102fae119ad27a

SHA512
dcfc5c5417f362feb7d0fde56092ea66233dc2c7eef4f84b4a5cae5b7c5671a3f73f77881bfd80afbdb8070346f566fe90b7448e5e6f4c67614ec0951a7c6e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
251KB

MD5
53707383eef7bda23bb7f1cd798550db

SHA1
69030f76e1916e88c1a76fe552ea6c3b8fe01e64

SHA256
8908f93f98af29b7f060adc7d8d497a053ea195336ac6de9db41d43e8147992f

SHA512
5dc213155d5b8a0a97667d7b82ea69ccc75e511b6373803bb47b71b7ff337e8110085ed63a5152723a7bb0129b55093da8466d2ae3a80ecee22a785cc314a908

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
261KB

MD5
05e70e8a91eef843ff4a99b458cbf18e

SHA1
a1c7050c61a91a9867d403630332bab91aab7f1d

SHA256
9c8a4a1ddc68eeef0c7f2bfa9d6efe45c5e14a111ea63e198f5c928e8b3adf28

SHA512
d350cbaa6ba4baa74191c089650ad6e3a6f20592ecda48d1725680bb074bd15159e959a142e627e76a84f937197ee63b68e2491e9d17d8ea86ae7e9710bacd5d

Download Submit
memory/3624-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3624-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3624-45-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/3624-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-47-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/3624-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3624-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4232-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4548-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4548-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download