73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	b2e.exe
752	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
752	cpuminer-sse2.exe
752	cpuminer-sse2.exe
752	cpuminer-sse2.exe
752	cpuminer-sse2.exe
752	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2164	4608	batexe.exe	91
PID 4608 wrote to memory of 2164	4608	batexe.exe	91
PID 4608 wrote to memory of 2164	4608	batexe.exe	91
PID 2164 wrote to memory of 1948	2164	b2e.exe	92
PID 2164 wrote to memory of 1948	2164	b2e.exe	92
PID 2164 wrote to memory of 1948	2164	b2e.exe	92
PID 1948 wrote to memory of 752	1948	cmd.exe	95
PID 1948 wrote to memory of 752	1948	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\6428.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6428.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6428.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6716.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6428.tmp\b2e.exe

Filesize
10.3MB

MD5
fd90520542768447ec91b7ac162d9afe

SHA1
08bd1952d7215de0461158f6b1aa1aa81133f750

SHA256
ba39d1e15b6f5f299868cefbf835f2343322c35741ce7513389d2cb8cd741f9a

SHA512
2c3f124afaaf84c987500733df57d7c15c1545ea294aedb141435834c65855d788649419cb3ef688950a8e7cc3bb3e592a087011794c3b17408ad06697199278

Download Submit
C:\Users\Admin\AppData\Local\Temp\6428.tmp\b2e.exe

Filesize
2.1MB

MD5
2199631f9afa937a69b7231cc7b4412f

SHA1
8d13961e8b08a2acc0ae5e3e04fb1bc53bc8651e

SHA256
1696768e34450e05f92729f2bd4258cc19e13ad93a2bcad49e321cecb577d189

SHA512
f85f742a783a676a1de42ed2c6e50c0114355a320876e3e3e07e261a7e8ef581a8b4b91ab72f9db968b98d69e6145998d2a375e9dce92b10d9318411a71f0d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\6428.tmp\b2e.exe

Filesize
2.6MB

MD5
31e9ed85fc18ff803c4b06f582c46fd5

SHA1
5e17e3fccc587a5079800700b64357fdc9893341

SHA256
f306bd50d7e5aeff7484499f870c86d38b15ae919a5ec7ce662be8413d1ed03b

SHA512
ab6bd141eab4577b12e09d7a5f5c4e4eb8cdbe8f8db4ec6ffa904d46cdf11e9bd847bba12ee69509558c699d94b23cdcf26b0e02f0eea0d2561eac8455cbff5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6716.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
587KB

MD5
9d67d8e318f40048067ca0688298bfd3

SHA1
31330f30519ae7e7a29a0e677d611708383753e6

SHA256
c77f51d88e11145227008d03402047691ac06cf5fe5597cba77a14434d6a94ee

SHA512
a2a5a081b80862e0194ed7f7f834b3fc3c7cda40144946538e41885c4faa9c5484990e4c98e43dbd4fe61c719490fa7098dc1e430ffa54dead2f4b5aca1bceab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
519KB

MD5
90128b3fae36576a4e71a7ce48da7e93

SHA1
83f6ae9b5873975ba84f5fe98a98910e04b817ec

SHA256
3072f6a3fc6d67027d1a9812322ca4f74babc2aec7a6b6d2ee9b842095cec083

SHA512
5a0fe806652fd83f91c510518303dd0c73204d56380873b8d482efac77331574394d72cf345cd4a4f11178e20d9153bd951af07014c007a56b79298779e141f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
432KB

MD5
a4f29bef70da61060a49f70fa99732bb

SHA1
861bb60f2a9e1d481f24c6ac9541d171955ba319

SHA256
d48b81dba4fb09356855b551311214fd92218077b848bdac0494267f54eb45a8

SHA512
504e7ca935a67b0ce660ac208aad398661729c371cc3e91ea9622140b4c6e7b97e0e6c402956092fcba9f73e08aebb41ba2ffb420c21c4694ec58ceef8d60710

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
608KB

MD5
98c55bc3c389cf74c801257b3fa48088

SHA1
5a68fba936852d84af12c60c7dbcc2e0a3de9098

SHA256
5e9b7a33020ca6cda7ef33b133a877f72b72aecf55594752da6bff748c394713

SHA512
4f5259fe9b82c2894cb6e8d184d9f16bb1eac7f44222f881e00b683c276f21a5ceb5f6fe604d06aaa78aa4b841380acf8ad9f8efe012dd8e67d69f3145c4762d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
539KB

MD5
f9a110884a4594d0072c0419c32bc808

SHA1
844ecf1a6d7ee234e926edcf83870b805859e642

SHA256
d900a7c40f1ea610631763a34b232d1577bc27bd4c621712444807ad4661cf08

SHA512
775a770b17832b99868d447cdd00ed65f49d9b2ffa79e753a9becd41c4a7b4ce8a61de03c735f8b303ea3bd411a7e0df9749bfbbcfc076a82ae6f315dd16545f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
505KB

MD5
19dd018da875d9d21507cf7112dd6010

SHA1
9b43f0360b56a44405ceb76b0c33ae5954cbdfb8

SHA256
26f62759ac231b2ea4634ed19db6ef77d526fcb62f239ba728a5657ce002c18c

SHA512
253473d9b4aab90c402cfd9826412e3162288d70951eabd9197dbee02beb66057edc4686be86e998630bf0f3dbf61646ec292a321a9f7bcc9942f4c9f395068a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
475KB

MD5
518b12e29507a4a4f0425c8803d62fe1

SHA1
640187898a8e6c4da0958079d0201d092a66a567

SHA256
c07d353d64c085bb2faac15a72b865a25da764048ab7bb0203bb63c06dcfcb71

SHA512
74e40e2525f044e7f73d5798ddf38d1d2fb5b397442de231036205a1d17bd275bf4987b8b36d02714b8da69b3784c68a6a6a0167a2f0de2b08104cfcf6546bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
607KB

MD5
7262935ffea9488134103e1b3018e162

SHA1
3f8ea1d54b01375424fba59fd48993b58afe868b

SHA256
1cbfb1ac6f6bcfdd920ecd3f2bb33585bb4f800743d1b4a899f907f7d7002335

SHA512
d93d5346433f267e94bf79b6ade13b9ab2a84064a50aaddf8f9f9214a8defbb9c1f9d556ea8f2a61f935dd3320e34a9d13487c1bd166f129322b1ea0d6129594

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
89KB

MD5
bcb8af94b42dbfcfea587e430ede2931

SHA1
072753030fd0c38156bb9ff2cdda1d52248fe65d

SHA256
f9ab9c293e09431e520b7ae18d04b3916e9d44aff9ae6262fe1e27a004bf5f9e

SHA512
392ccc04a679cfe3ebbc55041555c8ef0e57532ff6f02a2c8eb172e6215f43403cf9480b04b3f44f5a1c24c228c69bdd7399b8a25c1a5d2ce75cef39d02759d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
172KB

MD5
9082ff267bb10f86d6914d0a7357d692

SHA1
7165152e4d8809bd824ffd770fd875b227373a1f

SHA256
430f16735bb7674214aee5a30dc51140cbdeb477a93c18efa48d1ed9700a57cc

SHA512
722ef45797b33f69c6ea9dad5408850a3fd3ce65b4123c9b73e5e5e65dd03803ed2f3eefda56efe7c132b0984c2d15a130981541e21788d072415e5a4c589af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
74KB

MD5
b374fa9196ac06ea20f962681a7cb1bb

SHA1
b9c284f4842952be1105ff19e708c8e04e7cc26f

SHA256
dfb97e2561846b48812042ad1a877bd69b3c76c0c7891692b4f062f83af388af

SHA512
92ef5375083a49b74c9d55badb1bc744cf984806511bd661f9d90faa8416b2a8b318f47d9f0f280692364e5f7556f570fba929f8ed2bc8e53672ac08d5d3b721

Download Submit
memory/752-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-46-0x0000000065B60000-0x0000000065BF8000-memory.dmp

Filesize
608KB

Download
memory/752-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/752-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/752-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/752-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/752-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2164-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2164-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4608-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download