73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4016	b2e.exe
4220	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4220	cpuminer-sse2.exe
4220	cpuminer-sse2.exe
4220	cpuminer-sse2.exe
4220	cpuminer-sse2.exe
4220	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3300-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 4016	3300	batexe.exe	94
PID 3300 wrote to memory of 4016	3300	batexe.exe	94
PID 3300 wrote to memory of 4016	3300	batexe.exe	94
PID 4016 wrote to memory of 3912	4016	b2e.exe	95
PID 4016 wrote to memory of 3912	4016	b2e.exe	95
PID 4016 wrote to memory of 3912	4016	b2e.exe	95
PID 3912 wrote to memory of 4220	3912	cmd.exe	98
PID 3912 wrote to memory of 4220	3912	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\4939.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4939.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4939.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55FB.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4939.tmp\b2e.exe

Filesize
999KB

MD5
c9bb63b4bff617314539cc188bd96b62

SHA1
7306ff859c64874d2f7219fe6e737117707eb3e9

SHA256
ddd60d89cbba58c87e6384243a0313a59917e644263986070a976349b0f73bbf

SHA512
2bfddc2183d2d23656d56adedb9c7eb95396614a7b08f959720b3256edc7398637d2d2d69a48e36c9a00cd448e649e9937b991dbd2f75c2447fe8e22f5910826

Download Submit
C:\Users\Admin\AppData\Local\Temp\4939.tmp\b2e.exe

Filesize
1.4MB

MD5
87f7729645d4b39adc7825e9ff489988

SHA1
a4872acc790039880859737d18a20d14b6228663

SHA256
4006e8cd11a5bbf414132f55fe23673222c9cb8db2184437908d8d56af9a3d74

SHA512
6828e851f382fd5dc222628102f879533ea3e344d555bc7eb9247668d671b240794a3a680ecd83c54f3f45409f0b9249836988b227e0a082673a9d3426960b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4939.tmp\b2e.exe

Filesize
1.3MB

MD5
a1bb4edd7692ef0baac291027187f9cb

SHA1
95f4400dd279362e6b1c96621f2c4b8ddaabcb4e

SHA256
31c8273a46432a4e43a254fbc8d7627ef5c0c995fda343c6dfdac43d144e9698

SHA512
3a796964ba651e2789d5c2d3dfcbcfbedb21e29300bd7ee042de447149d565ba78a3f9685c9eaa2f1f2771b12b6859e6c100786105832b3e76366a598965cce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\55FB.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
440KB

MD5
53a759970fc5340be53828913c8044a2

SHA1
1608e425e1f0deb4b8b606b2c89bb4ca413e9c0b

SHA256
63b0b49621bf8bf16d8916d2bfcc99fb1a5c42b0858066743122dcf8ed9afb03

SHA512
e07e54774b58a7b13cdeca3c7cf476640c6f5a70cd092191322b138ebbce62f55b1f1aa622b35ef54604bed9fc2ef17706c2639d314fd5a9b9a802f1eddde176

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
486KB

MD5
ebfe4b36ebb5827134001c4587ac761f

SHA1
460fb3e1c1e88bc776960bf96bc3e6dae1fc7577

SHA256
9721704b9fc8f699da5bd335c3700c5f1890f927e04fa4f5e2628e725816e52a

SHA512
4a7d517f419138e5d5d89e9f5b7380b0a1a691e6311f2647ec13844cebf492ea3c4fee70db5a514853bec62551bd5cf7048d24c0013c9b54a785f31289c3e9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
381KB

MD5
e822b7356470766f0d6ea73143a3f507

SHA1
37bf4d7a068111b533fe3519137300581c806918

SHA256
d0d93abef3c342e08c586afb4d52b78be2104521cac1a2dea6ceaa439e8e3368

SHA512
e1e4b4487f01be4f08ba55245ddd67999f3d8305d74cab3b8323f6d872a3960de650d67584931287c67044e2cd1eacfd2acb66b76aa6084216f7935962657fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
314KB

MD5
6230e95590027b4bf7a9e87bd364b2b7

SHA1
4c20c6871d71737087e80e434ad960b07f805784

SHA256
c3005b349075e3c2460c75e886a392ecf6f4fee01ccbd80786a4d96e8de4b512

SHA512
6cf46ffded8ec0882e2671c6584dee0e414819a108c0fce2efaef7e725c165d088619e5cc766a4bdc2b15065d8d2bca6e6e62ee85f718d9f0e54ba2ac4f6c535

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
264KB

MD5
2927cb365d72387177f8076fd2fbc9b1

SHA1
5d6c0a28445c2370fccc814eecabd90659088f1f

SHA256
3d331f1f97f1275e260df24869a0e49a9be5b59e1825ebe0fa4664233cf532a6

SHA512
5e536bb19206937b78d23f9e39d890bc7922e1b067a388eb7036c8c058c0c4915a2a4154b02d12a2190f7c51483c1b7a4690bfb3241c84882c9fc196a9ddccff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
392KB

MD5
eee080d9dfe66d8135c3b36f22db902e

SHA1
5f3d367c65e61591c2bd35765725b5065fbfab7f

SHA256
f34be57f982243c9f9aa0a880cd33aadcae39cebff4c2d7d9af282c087fb33ca

SHA512
bb94eff34c3900f33d8d1f6e4b17702f12a92bfe1d35456e5c32eff9c02dcd10d601a1b376fe107ea0ef2e208c7a8c16b04d2c4c7c6f2637bcaf3dc25c4420c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
408KB

MD5
a15402f17f38ff3ac6b6f190eee5a9ab

SHA1
8c48cd665621490dabf7f1c8925c0b4668b1ec3e

SHA256
991f47179c739da9e231ee9a346e8926c4af2bf6cc08c5309564f1244339bd07

SHA512
5d7573fff6e05cd616783998d7db727e758247c69167ad08654ba83b87500f305b272650ec826a0a1c64cb5ea970ecb4f121b11a4cbc6d60933afbdcd0926cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
421KB

MD5
d59db69aa464b89cb87d9cbc8c94a80f

SHA1
113f37a54c659954bf0060cb7affbbd6e733ebe6

SHA256
bfb50b7786eab31d8b7a387a4f0907647389aa0a177476ca1ee54e404ad65275

SHA512
4e2eec085e32ad48ae7b5d519eb1f7acfe00a0367d5a88fedc2fa9f5193d74f487a5756c56543e3a34b298989c6466f10621d62ecaf7dadb155a2fc842a6251e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
277KB

MD5
e54a9d95741e12949fb06fd790343466

SHA1
cfa30653e887527a976447a791bc9ec2d42a3fe6

SHA256
b3dee2b881249c2aef19cfb0141a50d348f1cdba3c9a76e27445815f1d691541

SHA512
ca35f2ba57a115f317e26989947a3ccd75f494e5d8cc58077b37cd7a76a81f8ce8e0abba28c30ff26249adb85b588e35ae9424889b0e8d1d40180d9f1fc45922

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
161KB

MD5
e43aa316399e67a835617b7492471d5d

SHA1
875d698a95bf7fe723bf20ecc952d66ef3386232

SHA256
755b42f6705502c57d25cd4e23a03ac4ddded1e69095835f0e05cfe3460325b8

SHA512
8aef8fff85efddd18eceb608d63ca907fbcf8d2bbdeba92c3ba1001c89c5b56499a1fb1a28213c6b6219dd92ede7f3cb6d40b3466724cdbe5b068a89326d356b

Download Submit
memory/3300-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4016-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4016-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4220-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4220-47-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/4220-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/4220-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4220-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4220-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download