73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
22/02/2024, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3972	b2e.exe
1948	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2004-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3972	2004	batexe.exe	90
PID 2004 wrote to memory of 3972	2004	batexe.exe	90
PID 2004 wrote to memory of 3972	2004	batexe.exe	90
PID 3972 wrote to memory of 440	3972	b2e.exe	92
PID 3972 wrote to memory of 440	3972	b2e.exe	92
PID 3972 wrote to memory of 440	3972	b2e.exe	92
PID 440 wrote to memory of 1948	440	cmd.exe	94
PID 440 wrote to memory of 1948	440	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\611B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\611B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\611B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\638C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\611B.tmp\b2e.exe

Filesize
7.2MB

MD5
4b26e53551d310c14cbe8ef58b22e235

SHA1
bef361e3daf5a13d5492f1fa1e30eb98ceaee02f

SHA256
0dd276098ae4ea1a9f3bb94fe2361a8e8b695447dc37667833f6831cb55f3d49

SHA512
62d0ffa5d301c082a7c9d4bbd031f51904e1b77737fb0ff6ef563d805b7b2e7e98705bc1cfed86f37238c375655dbd21069f9a28f775e8266e239f971e8fb0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\611B.tmp\b2e.exe

Filesize
2.9MB

MD5
6ca7d220dca9232711e5d7f9c81712f3

SHA1
97af92ab79269c3d0ce115202ee604ada76689dc

SHA256
ea441dcc2d5aeb8651176046440293fbbab7cd868c7b6058d0694b63db45e322

SHA512
6c250603ba93ce054934c5b29452561f348fd2413322ba329c0a3e764e704c5afc73739ba1d237f1f37d4b0a6c9f814a01983ce1129e6d9fd974a58826f51434

Download Submit
C:\Users\Admin\AppData\Local\Temp\611B.tmp\b2e.exe

Filesize
3.2MB

MD5
de76b51ee9264d40fc60419099a7a94a

SHA1
95239e8f4dacef1acc6ccf469a6f62725ad6b079

SHA256
ac7255d6df0958ab7c12a168926a0270054993bef47611d76617aa3c7006e34c

SHA512
c02a32f4f71e0932f8ffc607a27cc09e6a16a5361b39d77a40bbf1449a1958ca555a9862a61df3dff2be448eaaaf111fb4b39b4e06b3c3fe857300219ee2307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\638C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
831KB

MD5
7ad1b9815d14e50a6394120ed2645fe4

SHA1
1d0e8449e483e13f6b0d4e928c6ca63f34f88ba1

SHA256
40309cbcbce6d331a3e1da45a0f59b8b26567c3064e5b4393fc89535911f17fd

SHA512
8be3089f8628fdccf8d6d214ed11ba31dcf9f663ec97d2c4e2b9e19314ca9925463731eab30c036ba25ddb72f2bfebbfc24962a83e1830b12e07a19a7c6c11bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
586KB

MD5
225dcd58c536660a366b6ad34f46c2bb

SHA1
cc6a05584d17887ce9a6cdfc5516e126617ee5fc

SHA256
86ca33af1f6d1a9418cbcd91ed0b188a29ee19a35a0b8a764f0adc54aefe9c7a

SHA512
ae02482f623a0ebaafbf91320663776561ff3d23c59cfad7aae508b8fdc4d4b6b0d208f981201d2414f2acac3af859f8815802ab3b050f3bf22e1c6f14eda72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
530KB

MD5
6b78a3efb9e8109abf8438be441dc95e

SHA1
662184c03168c00a9ab583704065f6691195201b

SHA256
4a60390c9a64e244548ed4b508a2531b96bcc4132935a9a22d569fef7c1daf76

SHA512
fc152b4c582d5b529746cbb00e33ec7db974f2f65687512608f03a10643ea848e310c8e865b76257dc21b26d306537f78eda82fc8eb5f8c4566061409df17da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
659KB

MD5
796fd8869936455f798b5074fdc9a8da

SHA1
d1b5d5b6e70e838c9e24221d2039ec97c7dd7f90

SHA256
613622f921eb8a12d8301dbf423b5c1158353c70a3ffbc133c07789da3ff83bf

SHA512
92663befd5b582125ccd61c16636e176c3ba12425da1ca2736ff0500ea9a8d51ade5c38b83b0918e10f87b5135d31fe1fb82c490d00cb39ff82693c40b2c8777

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
470KB

MD5
01cf90c3b0f41904518ed9abc210f775

SHA1
ebdc4cd9f6bed7200da7d63f28e8fdf13d558461

SHA256
ba40eaac3585b92e091a04b014e166f9510e5f94c8b7b815e8f1cfc5d5c5aa7b

SHA512
ed5175138c84b440aa3d733b78e61344251c50e819ff076e8143372f0ec02cb2d6b0c0008bae58cc3e7f97099abbcb1f9d1e0678d97c8d3087d364e5354788fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
470KB

MD5
619bb03bc12e4ad4e05221c3f29a9c9f

SHA1
023fc767122aa137951bd02ee54ce9930b4bc8f7

SHA256
128b93d7adf4b300473670562e39fda3eeffe454db8b0fdccd73fc302d4636bb

SHA512
befe5852bfb78d402e9d4aff7a4b34d13fe92498c1171017163b992e535eb00c6578eb9b54f1f0b5d34503f16842bc408da4180093104fff26fe7106595efe7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
662KB

MD5
d0d3624a9a6e6aa8a68d6c703985cd62

SHA1
8d4ce669af2e92eb932923fcee9205534a8c48e1

SHA256
a449988adb777e3f3e1dadadd612fba06aac2d5026e7ac481c18d3102bbee055

SHA512
1a27637021c5a743529014ca9302af78aa396eca1dce286fa6f9ee8fb32fee439a5474fab183ace6e32231149e80e9a732fb737d431e02d9d6cb5bd319eb34c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
466KB

MD5
3babba2aa227d364bb40844e108f8e59

SHA1
a51cef0d7545d94cdda78c2f63d706b69ef05b5f

SHA256
a2f7e7b6a54b613228dd6ff5afcd6383342b9ed16e475ee5c6425ff793ac6f5b

SHA512
802107e20a761bdda3103b1ad63c5f0dafb5ca040323687f94c0b8e83e6cc320f4109161b6aa476f15edf79fce13f1a2d911e9c1f2af3b834163d2c79e0a2471

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
505KB

MD5
ef068662c98390384effa778b929cd10

SHA1
6e25d67d84df404ac29d6f6c5ef3f0e7d2181a05

SHA256
ce202a45b88bb5beeb77ef08f73937b64050d05abfc68e47b09c0a3e908a1f10

SHA512
c82dfce36cd7a10bfcabc2df5ff52dc8eb48d9ff538d740d4362ec87004e3637b86c3b05e5301f134f803b643959fb4ff267c87b724d88ab21812543207b5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
516KB

MD5
b3e0202251027b8fd983138bdc22b295

SHA1
4cc7ee687b4a5cb34ff2e007c75b8ce1939cab34

SHA256
e89cb755dc456f8e2675cdd4f95c6dfa6ecaf0b0e94c2d27956341f9e57cbbf0

SHA512
e7314ec3b0f5c2a00ea62bc87033d5e2758879b5151e1673493e86eda88faf3c1b4f75c5565048cdd7d4b4c7ae37d27baf9a3eb128f56d4100b22948b3069440

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
219KB

MD5
fcf118f3a66d8c0b97745399d0632d14

SHA1
73b6df25fd21d11ed0a97a939e2ec27ceb65a02b

SHA256
fdfa4b05a9bc34d013e8d23bd8ed9e4a172b1cd568f0db668c522ec2eae83c27

SHA512
3e5cf4a2738260b94a0303d7e9b3e3e8d18824d24808dc2f6e54021c4dea2c70e505103b6a49e04832a54a52a3225a277e0a9b31cc748048ab468cde687a9a35

Download Submit
memory/1948-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-46-0x0000000065B60000-0x0000000065BF8000-memory.dmp

Filesize
608KB

Download
memory/1948-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1948-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-47-0x0000000001130000-0x00000000029E5000-memory.dmp

Filesize
24.7MB

Download
memory/1948-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2004-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3972-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3972-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download