73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3192	b2e.exe
2000	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe
2000	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1080-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 3192	1080	batexe.exe	89
PID 1080 wrote to memory of 3192	1080	batexe.exe	89
PID 1080 wrote to memory of 3192	1080	batexe.exe	89
PID 3192 wrote to memory of 3664	3192	b2e.exe	91
PID 3192 wrote to memory of 3664	3192	b2e.exe	91
PID 3192 wrote to memory of 3664	3192	b2e.exe	91
PID 3664 wrote to memory of 2000	3664	cmd.exe	93
PID 3664 wrote to memory of 2000	3664	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61D7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe

Filesize
2.3MB

MD5
4995ae39caa54b216668089b1d44f1ed

SHA1
e112e6ec0381bb67a89ccbc21bda992be8d290d8

SHA256
a4a56aa8d5f71e2954cd69889fbbb4e8984a4e48faec4cea27a7a6b7613ab3e3

SHA512
e27d650d6deb1bb74327c6bf3ecb28904af8f596653cb4c48923830ff42c24153a9bc98483e64d54d5db99e24de3e43fd2dcb0718e7c4b8c4acbbc0299b3cb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe

Filesize
880KB

MD5
1ffc41f55e4024b47ffd2266e2e5d6aa

SHA1
755d8ade4aebea6a30c1209bd16a2b849c0c0b7c

SHA256
2d39bce3db211c7444af93320d2a1f76d3d88dcbc7816ee4ed64f87558195e8a

SHA512
c6aca1e6c53df60ecae04297bfe33c2cb4dff0e899d36587e768edc902cd0b8ca5d2fb778561bba60cc9beef8bae03dd1cbae47465e90f35360ec3d03ecede78

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F66.tmp\b2e.exe

Filesize
706KB

MD5
7fe385bb774f17a268c497e605003103

SHA1
f2c55ef8cb0aa1bfe2ad6c0739cfc2ec58002426

SHA256
7c5f0ae81f7257ee21b24533af339ee8471354df0a9db1aba4c20798a1cc3026

SHA512
2e13e2c5537bdba15100f3ed9092e499a6d6dfd73c4aaa0331d80ff1e7fc0543cd60c93193a7050a98c84dba054c32000217a5ee6eb0fb438a44bf437880d27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\61D7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
209KB

MD5
cbd458d7f4665a90b4ffedd4baabd9d8

SHA1
2a775a70435674869766af34250230342452f9c9

SHA256
72b38fef81ee0c835708fef87cbcae333bbd349ec1e874d89bf7c4d371967fba

SHA512
fb868e6b45812ddfb27d3de8f0f29649eb6e3bdda18f9031c2a2a685328a22e70b280b10a490c6809908a443b98f051cfa43e84fecbebcef45d0c4ad64ac42ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
246KB

MD5
fd07598b79b0143375aa4c040bf5ba29

SHA1
9ab647b45ebad1a6d57966a6214209e52de6d7e4

SHA256
26f76dc7090710f00d2e83e00174a829273cf844b1c49d88ea3e9236ca4c26d8

SHA512
01a581ea4a4897accf1589a23946e18c8b998f4e4d54a76ceaecea732ecd6ba23e5d8c8a1e0949544d60cf50435d7e82f3dca183f79b5c1df93f3dec7d7c1520

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
297KB

MD5
195905b40660aceaaf63c90c5f547fae

SHA1
c044ab300a9c3089450fdfa3ec7796d683c4b0c6

SHA256
61a2999e98ef5bf78f13b566a05784190aa79ba542d27342987e0ce872ee11c1

SHA512
c938b4e0f54a676db822cf745208e02c24b484cf0bada9ffdcb5747bd38e9950b108dac9d92c2a67bce5258f6cacfac772bcfb854e824fecd57471ce42e43bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
195KB

MD5
4291787acddefa06cce5b0987bcedf28

SHA1
c382f44bdb82aea451f6b3e24adfe2241a9269df

SHA256
48d9650fa645231212ca2e1f6dbe5a032c574358120f9005ef2c3b50c3f5c5fd

SHA512
3379403a9d21ffe46ffe9ccd224d0120d28994dc064183c1bc65333ccfb0cf05403f05c5c52963af28f02fecbdfaeefc2a2b9c04bb505930144f80dfeaa74142

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
207KB

MD5
55ce022c6e17d96de2adc45fc8eea65a

SHA1
294a741859a0d3b75551e87122566bd8742ac10f

SHA256
52fd6de951ae67e26581bff0f21a54491dd6935d09da30b4a5da61b3f7120417

SHA512
076abe79078a769320f61367ad288bd7636432f79a20fb5889deb3aaa94771f377f3da50cfbd8e5a667f20b898b585dc437ceccb36c780e21666114e292cd794

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
160KB

MD5
43924e67f825f12877796167c80dd6c8

SHA1
1a2c38c5b3511e6a00199b1ef9debc44aff950ac

SHA256
11da8f7651669bf9fb1a00120c039878676de4e6047bfa172497d32d532fa17d

SHA512
07b409ed53554326cfa8c4dfdee15b793adb853b1b112c0ee7cbbbb803f8fcf8aaa88b807e1b59bab24e09e8b28b5d21956ac0642db008df04576a2178af7abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
338KB

MD5
1e3a3490af6b34d603b302abf71c0e24

SHA1
255abdf655966bdaf210909b889e7762d2eb4a14

SHA256
b66af97fa7e656a5d430d2f6e19a2ff4ab909a2000079c06e7499ddf7d98c457

SHA512
69c8747b8ea34a5772847bd6fc4998fa75a8ad5d2e52786f7299ceb969396f3878c8a28137a99e4ba4733b4267e2b02a58d6b9aa8e8163c3bda6ed319759aa21

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
139KB

MD5
887d586363917414fb7e71813e7fed11

SHA1
8976241dd9dedf25300c836e24bdd3552867336c

SHA256
e36e7534205fcae00d58cd232b2a7d99cb51e7923b4cda5f0fba2910b17d4220

SHA512
4228b558839f82a30c22446d695e5dc4fb5b2e69e6cc6b94e1ff241571df997582c2d6b1ba4a8af960c2207556f5222ad3b4f5b102512290592234621e1056a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
178KB

MD5
585a9d350c80be04b0de90535bf201f1

SHA1
1124c08157df9ee1b236c79df0427e41aa988532

SHA256
e75e8975a84244459b5cbba58267643de8d20f76277549b0212e7ed2cdeb1bc1

SHA512
15d35ad31c98c0e2fe1f2edcd8721c733b68111ec1ce3e7e1da6b95293011ffb4f8ae24517447d920c46577c81063e7d7e748f26291be5380d578f11a1e9bc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
220KB

MD5
a235b0e52b9640d622b72d14b92bbf1a

SHA1
b8dcf237d6e2543aae10d97bc60ac59b0f7ffccd

SHA256
c5f3c95bd119786272e23a0c496720607e55c87dadf6c98460c57b68f8f3ad46

SHA512
d7dcc4955787daf029f9abc6a5206ffc6977aa20854190143b583914e9452aee75cefa7dc1cd752942e7149e89e5bca843479ac45fb3822b2cf5ba2aef35dbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
233KB

MD5
17ab9eb6280867241fe659c25483ef95

SHA1
0ec3c96c12f40a70872e07896aad646e9b523962

SHA256
1cb8ac5dcfbde0b3a701481efa34347b2a44239f478a56a19a386a523719bb5c

SHA512
4592f77a2833e059dea74622c7f24f54b1f1bd267d1bb9d0146034a1809e35f50aad4241d88671aef058dc6b5fade6016a96e1fdd1fa368fe347cebcf77c91ed

Download Submit
memory/1080-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2000-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2000-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2000-46-0x0000000060AE0000-0x0000000060B78000-memory.dmp

Filesize
608KB

Download
memory/2000-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2000-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2000-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3192-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download