73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4440	b2e.exe
2804	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe
2804	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4440	1372	batexe.exe	64
PID 1372 wrote to memory of 4440	1372	batexe.exe	64
PID 1372 wrote to memory of 4440	1372	batexe.exe	64
PID 4440 wrote to memory of 5852	4440	b2e.exe	77
PID 4440 wrote to memory of 5852	4440	b2e.exe	77
PID 4440 wrote to memory of 5852	4440	b2e.exe	77
PID 5852 wrote to memory of 2804	5852	cmd.exe	76
PID 5852 wrote to memory of 2804	5852	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\55E0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\55E0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\55E0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5851.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5852

C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55E0.tmp\b2e.exe

Filesize
330KB

MD5
ecd78b055f1f61dd184b2165a34b207f

SHA1
92fbf6395d9dedd681791860c9f33be67e1b0653

SHA256
caad7d1409a525aba8cd719f2e18d7b31340a592b7e973846855aa3a212885b7

SHA512
68dc140dae3151a55ea20ab76e33caaeb12faf392173673164ff98eba818867ec69d2084e37a199a49d57436174460eefdc9499b3ae3a540d1378e80754654ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\55E0.tmp\b2e.exe

Filesize
117KB

MD5
41e3f6456f88e1affe4d5b8b010fc388

SHA1
8af01cae704556d833ff8898ae68ea7571e011d5

SHA256
d7cba8fa289daa91c52a8a2efee080453c7fc670fa03fd387138130c26fbc1d3

SHA512
d4aaaeb8d2310bef530ee2eafb53e796ccdf8959a4a6739f29a4abbd015d84614ef632324c5a53c4ca1fea7f2a1944f650899fbd5583b82a8eb4dd9e1097f6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\55E0.tmp\b2e.exe

Filesize
101KB

MD5
578be358b50eb407aff6f1657f91cb0f

SHA1
747c54f9488104777dc839cb1215f0920ddc0945

SHA256
f20b8bbb0e59745f85d1469be08d3754f8d5360e98e1e22daaed0a9ec711b6e6

SHA512
a8e412f992ae1c897e85e434afaa6806d60b8e5d6d854bd48cd1050ab242ea51e54dd1a9aa715213e7f856e493675d6ff885f02defe91cde2e2a138dc093fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
277KB

MD5
8c6e13a29285e591ff2bdb9c66719caf

SHA1
e93030186a0446e47a0790423a2e3e899d221d3e

SHA256
69f7b172d38a88130e58905855477262c9f3b42db3deddf683321abba23bbd82

SHA512
fbc0bb22c37b1eea81e73912ffef12cb726aabdeed1244f1a9007111baf06eb58087b2ee9f0dbbd1d555e3c344632cd334f96f153f91da51e888f5218ae8c1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
586KB

MD5
c9e4bab00bbd185f3684b6dc60df4f98

SHA1
03b5e8593e03bae3579c3c753ca9409ddd8f5037

SHA256
30e5cd6bee56f0360c00692600a30669af8b1ef5c409922707cdbfe2bebf3d08

SHA512
600433f5c65e07296403aa9f0d0ea0f0cedec9be20fe9d3401b875ba0cf2792152bcfc6d3a9aee0225543934c809a70a86e82f12e4b701b20febecab066ed3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
353KB

MD5
4fd98ffc540d1450296282762896d1e7

SHA1
13ad525f1003ebe8b60e022cedd20c1005a0b0ac

SHA256
97c5b4f66414eb071a6e69d200f56486d92d2a09c27aac693600003033187aed

SHA512
27c8ee877cf3eaa0c50d787d71f988890fe7e9e7496b90dc4efd50787115abe1004a362dcf681fa1d51f2a27cdb756f0b9b97627c17a1c39fa8262b4cf22c6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
520KB

MD5
57b5584cac3f46db6e2f162c86899e81

SHA1
2668aa95ed9aafe351ed3c61a0a3e09d3c1554d7

SHA256
2bb780c472e4b0a0f85be217ef54924eca3944ae50a788b4f50f31a3dc105daa

SHA512
a0d1c44923efd0e6858d36c8302776b16f43eec8cd234d3fbc5694bb8bf4fe8f4d1772785a650a1f131f926bdad1475313fbf9ff9bc8e4e3de85e78f8ebf37b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
425KB

MD5
95d57064928f9be3d44e2d108167e52a

SHA1
81b61e1533ed5a0cb3912aa49b93c491d8a714fc

SHA256
682961a4db0f76a9e263f243ed9c249a22b9c691a49451290902d1979b7906b2

SHA512
3c349eb68ae9e6d570b7e02f19f65a1decb8e439dd21b9c9d029318c97e7d44ba4c7f32ecba4b109de5aadaaa0d73d5ab10fc3d44694be7b0ddf51f61aa72999

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
316KB

MD5
4d3b0a048f7c110d2191e95cc4f485b2

SHA1
d24d838c47d14ba236a972026686c8a9eeec2cdf

SHA256
d9077214f6b5d03dc4c25b8f8378e6a7a6327b1f0ce6d22013b821d4679cdbc9

SHA512
a72195bff3e5c57af27e5c42475ff24038be6555ff47021134c35cfe5c7e4a14427a34a06476bc97212507e3f5072ab099d6bcdeb3880fda148b980dfbdd420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
436KB

MD5
9ea19d2ecdc6dd43b3396496583eadd1

SHA1
97abed111b30ef25a444f40a3bdfbcb6e0701ea4

SHA256
b1491548be198a0d46a65150d409f21b2005bb97e3dc5c5c3a488ba6d056d4d8

SHA512
b53ddc64d9e59476412a78facf374379ec9c3eda5f3add1d8e010ddbf38878cef2417a2b4451cb76a7d5d3f6aaf407c0afd6eaeb0ad1ab4b821fd8c1bffe14c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
81KB

MD5
3aa4797eead8e79b53f8ccdd87d2ed58

SHA1
140434ecac373b352284cf371e9ab90caf308b95

SHA256
263e4fefe7363d35e0af5367fde2c13651d8516cd0129b61cefb16fb354ce206

SHA512
ab07b99ba103b381620ef76b4d22ce81a835228c0e822aa3e7f23e9afd3caff4ec8bd5353d2851cd23861143c6d34e6e782a3276bb5e78654bbe5f07976c7fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
411KB

MD5
b083c27969cad45af8490aacacb671b2

SHA1
1ad3986435f46762e7e78bf500125d4a0f07aa01

SHA256
2cb54211adfde802c7f81671e8714ebb590d376bedba409ce5ed5ff31e10409b

SHA512
de3e07668382fb5d12e4f4b2b87b02dd23c42fb4e55d9de81d80f5ca791d2a516a927ddb01de49792ac2be9deb1ff4eaedaa87037293581d16d8e413a2166dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
300KB

MD5
fc0a8f1481fa5439b83a759708b4e4c7

SHA1
01420cfabb087695f68c682f1e36fa3af6b7715a

SHA256
15b301080ed0386d28a117587ae66a2fc75614444b089118a222f68a039d1ad9

SHA512
5ce968b32c6a277582cb93fc5c8b0ff64b43e7e2609aefa411844551f39b3507473db499018065ea539581d80a362e50e8c73c507ae8d892594ed7392da22029

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
452KB

MD5
9f12487b7629ff501edc50d1cc3f4528

SHA1
c99bb5c2fba2ec3cd9566ed46abb209f9aaa0813

SHA256
0ae21b30da369b9746c0badba47d68a508104c8267ccdb929b7dedac528df727

SHA512
beec58095f1d97033891e0218a010beb2bbb2983985354c56f2f0b18d012ee23453c18fc4472b84ab25efa0afe2e1e53ff1b2668ea641950e162708df000cc9d

Download Submit
memory/1372-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2804-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2804-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2804-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2804-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-46-0x0000000072700000-0x0000000072798000-memory.dmp

Filesize
608KB

Download
memory/2804-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2804-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4440-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4440-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download