73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23-02-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3100	b2e.exe
2756	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2756	cpuminer-sse2.exe
2756	cpuminer-sse2.exe
2756	cpuminer-sse2.exe
2756	cpuminer-sse2.exe
2756	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1840-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3100	1840	batexe.exe	92
PID 1840 wrote to memory of 3100	1840	batexe.exe	92
PID 1840 wrote to memory of 3100	1840	batexe.exe	92
PID 3100 wrote to memory of 524	3100	b2e.exe	93
PID 3100 wrote to memory of 524	3100	b2e.exe	93
PID 3100 wrote to memory of 524	3100	b2e.exe	93
PID 524 wrote to memory of 2756	524	cmd.exe	96
PID 524 wrote to memory of 2756	524	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\57FE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe

Filesize
7.2MB

MD5
1e351c1cfd7e8bee0328d3db148f6dff

SHA1
28948e103425858cd93fb07f08be66e5d2e5c4b1

SHA256
1b742b8db88f81d30811c5d8af97edf1b46ee2e862ad3405742be6a346ce4b70

SHA512
e96a2bf5ae89e77248efed21564734e69d1f21054f53bef2462183395412f66cf0fa283a99219b2697c4f3ae7804557e2d49d2a24278d355510fadf70a8bdcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe

Filesize
1.5MB

MD5
2a089e8bf6578017b5c976d0dacec1b8

SHA1
111f721c4eb9edb2555114a6c8d95d0bac6bf333

SHA256
7c38ff410d155d55353f7c8d0ccda5c2f63a97eadff37a99228b2cff8efddb50

SHA512
5efbe1daa3034284f68f7045fbbd4e26276165f60dca93d455772d5727deaf9ebc059a8b7b0763c6d00243fc8bbff9a197556837e71a1ecfd71e6919b8a7ecfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B6C.tmp\b2e.exe

Filesize
1.3MB

MD5
cd2e147246a8f0dc58bad676a15048ca

SHA1
0382157b28b479809d4848771f63f209292dea25

SHA256
eee07142595f07a70af1c63f13f60f8d09efd8a1f565490bf5cf7cbee1bffc1c

SHA512
196cff5a99ab1de4fd542abf69f2416c59127edefad5b875b229f1744fa9591f1ee7b3730cf7822919194ea893624c97236dbbbc5b05c3f270cc8f66c59acaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\57FE.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
258KB

MD5
f5a53ab639a4a2739904771f2e576abd

SHA1
9181ab6479d99d1f1adbba0627e7627070aa411a

SHA256
3d2479ac2d02604182565cd7c411ce640af41c05f9dcfba0aa6ec4df4f49ac95

SHA512
7349bc23c1fe98575680754755985fc5df434349f954a42c93006d05221a53b8b7bfb03e9b2d59498be027111628e1742d848f74cf96d74121756be35747db51

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
259KB

MD5
2c1e992e0739d46e2f07deed8113d6f0

SHA1
12ac0ab00f031462eab6ed7c59915674ff3e998b

SHA256
6cfd6fed9894f94e038ff2be23bbec5bb55d0ed98a43192b01fb6c782fde2c0c

SHA512
05b56a0d9f485c6e8402862957ab81605c42f493985802b5ac1689d3d271c4061f5c12ead0b52cdd213c16d93333e9b625acbdaec41ca15a83ff7002dddf5503

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
225KB

MD5
81efb437ba690049b189fed089c1dbeb

SHA1
b454c648fb2cd51e070ca7eb9119ec1cd2df6faf

SHA256
25f871acc318ecc60cd826ef4bac8ad442629932afbb4c21a1d849d25458dcc4

SHA512
5cea64ae042172efef87d598f4dbb3cd2f2cc7db2495b500b217c0616140a50790ebc6921a2bf6b798ec6657d5e2ddaac263d6ec54cf8bc85e3a67e82cb5beb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
154KB

MD5
ee9442224625d7a05312bd1a47e44bbb

SHA1
3d8fc5a538bbbcfaadb772f00fc0384c69a76556

SHA256
6594ef654b42928b020c60e549cba461e0cb9d16f7a3b85252ba8f3fec5ba677

SHA512
7f2b8264a5799699292ca15c9d04038f05d4e2a34c2a3781e30a112d1dd7b62e6ef5635ed5da72dcb183ba03d52a24709c1d44d5766ae9b5f1455969ff517d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
199KB

MD5
23935c498cee9cf159b351609837bc87

SHA1
cf8f6172ca9b22c921eec4b728ec8ffc50d7fa78

SHA256
a691c0fae503484bc04e3b03cca964b791e2345f42e23c26c5d75858c57eaef5

SHA512
d6cd8d31ffbfbbb94d705ae7c6298d9778147ee4b6398c450bcfc616316fb8199dd22b239c66b8b08312b44b6f93a26c4cf5507e9eb6559b1264e267aed97772

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
125KB

MD5
91e8fd7400f293816feb017f29d8a0c8

SHA1
5aa42ee23b126fbf2171e9b8e6408a3d9c790a53

SHA256
07699c067df21cff97b903578ce1d67a515089e90dd4e690ae2a1fb7ca80c478

SHA512
8fdfd7adf0eb3b19e675f25e5140e546922259aa4a8ac7ed373baaf7b5186e0abe0aa23feb90d3823c1df86dc5c8bc01bbfa26c93bf08622835af89f31e2f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
239KB

MD5
5f76794d6cfdc48cc61ab48f3d636da6

SHA1
442301748fa4411495f62fcd3191f26e44f035cf

SHA256
ce12e84c3ed300f5cae87e38a9258747a2e7094d5dc4c9508ca6c247ed32fbcb

SHA512
7b6a97956dbec69656cc14babea1e5ecaa8cd8eca7a8714fc810eab281e4becf955d0f815da9f8d644c6d423e37c1caa7b66e177013563d466d234c534637ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
124KB

MD5
146982441727a3c1e1cabe935c89ec8f

SHA1
59e2407d03beb53bba9f6dee45af3675e57103aa

SHA256
39fba8679b0aad660decdd7c5a27d2c2a3c289556108d61d9a8a66081f9527a1

SHA512
76528971c33f3bf6925bf4da5579c1baf574c19d22f915e070663085a115f41215607fed0978a5488a3c3bd8b7f18f60ab98d3489321d669cd910ea8588c655b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
422KB

MD5
c9f757d95ba18df8123498f4eac4fb1b

SHA1
f48ae44e11bff1acfdacaebdc4d982589fea24e8

SHA256
86e36b3c5f5b7d2b3933d59b87ce13961c38b2d504dfd7d6052062e74240be93

SHA512
f1eaa56ddd8f39299f3b415dc2054e93870418b548043c34994115d166270a0a4d605be9f7f2936b344cff61d06aace396bd47552c4fa32f2e2c4c6ff0191ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
473KB

MD5
742fa8d13294ce3f3351db375c2483c8

SHA1
f20ad2e4d24e267ce6852c3f8c8b3b1e3f38c25b

SHA256
2c725873e5fce62de80846b6cc4eb7dddb8db3351963388d20762fe69ce1a3fa

SHA512
399fc50e9448f37852880c2ccf4ec4fe7201973768f6d393762c19aa8e96e1be7ede82ef0bf7e6622ae5a848d00ba27c3785aa7963a9f32ba085ce5edd1b733c

Download Submit
memory/1840-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2756-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2756-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2756-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2756-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-46-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/2756-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2756-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3100-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3100-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download