73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/02/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1032	b2e.exe
3240	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3240	cpuminer-sse2.exe
3240	cpuminer-sse2.exe
3240	cpuminer-sse2.exe
3240	cpuminer-sse2.exe
3240	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4164-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 1032	4164	batexe.exe	83
PID 4164 wrote to memory of 1032	4164	batexe.exe	83
PID 4164 wrote to memory of 1032	4164	batexe.exe	83
PID 1032 wrote to memory of 3260	1032	b2e.exe	84
PID 1032 wrote to memory of 3260	1032	b2e.exe	84
PID 1032 wrote to memory of 3260	1032	b2e.exe	84
PID 3260 wrote to memory of 3240	3260	cmd.exe	87
PID 3260 wrote to memory of 3240	3260	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\74DD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\74DD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\74DD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8538.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74DD.tmp\b2e.exe

Filesize
3.5MB

MD5
aa0cdb9d32fc926c1180e927106e1ed4

SHA1
779eaf816705a1a54e3e36f375d5aedd0807c1ba

SHA256
20514d11412c1d6750813c8004ee5e0284f0c334f8f78b905ac76ded1e356689

SHA512
fc7a5dd0b2432bcad947143b20d36a5a09a8048b9791369d1de137f93df9eb9fc9ee9d63feb0cf5d0746c93db5433043cdd1804140f82c2ea06b52ec82a1c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\74DD.tmp\b2e.exe

Filesize
2.2MB

MD5
46db74090e9cb423da62e1d321601634

SHA1
328732fd8487ac4cfb8c13abf52f125aa422e3ef

SHA256
d0ce7ba29f63b0b2897eb25143e0cf14b4d6ad965919ade9a027ae47386437de

SHA512
d060d272d4396bf03b64d920d68b3b47d5d05ef99f628b99667a987ac2c56322c519c7884efe35c4b33e83b0b64d77ba7367204b63ec260249d7acf780ce6f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\74DD.tmp\b2e.exe

Filesize
1.8MB

MD5
bba4665a343e8f8d6f94897d15a30b21

SHA1
32880085f0ae5ed3bcfe8b21811d7c72fc0a69d5

SHA256
31ca57675a32692759cd2fd429dc1f32653087c29e77f799229c800971cc6e9d

SHA512
8b1977cf28f27ac07f6d921152dbe79f16294d3b74102fc753602fcb263242cf2a130d385dbef3508fd696569f251546ee9e1348fc464da9718b397d111195ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8538.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
734KB

MD5
26d7639a3ebe0dd5a2484b80ee0af039

SHA1
09768d7395033cd7f0f75e59d812d903c9db48f7

SHA256
9b5069b225a671c5e907928bb1b8dc1fadc7db27b9e53ba7d019aaa2e221bd14

SHA512
adfe9ee5cfa0dbf0a84712f65354b2abb95cf788444189c80cf260865918544db072e445a1755592629ea7ec97138563c501a523cf2e83ad461424b68ec7c5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
713KB

MD5
427a7759f9ff3c96d53348328a99b96c

SHA1
a358a7c971d55f5ad8e4fd35dd93d4f6f8988481

SHA256
f617cbf1bfb40d8120f6490a191f21bbfb92bf0d138479b98d9b317e181fcd08

SHA512
86723b1964e60b70dc029a9a41c47bc702ddba06a24cba46bbe64d7f2f2640cfd0b5da4ad1519d031db02fcf72dba9295c5e571bfde56f33fb012ad33afe0f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
600KB

MD5
edcf45018a441ffbccca6e053222a841

SHA1
8ab8369c8ce3a2f644ef43b088c5c3b662134d2d

SHA256
6e4138cc9e8cecd15e8dbd382af80f54838d1b112402f91b826151d798928c21

SHA512
0c549d2f84f49c3c16a961d17d0d661c7acbfc8398cbe5c50a386009c28b587bf14293be5556de03b46e971809bcfad626057f461a86f264f811ada22e8ee4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
706KB

MD5
378787bbfb3f5660d2bdc6133480992b

SHA1
cbbb750385f1eeda07ac8271750d8250261501a9

SHA256
4b51ec405474e1747e0ea3480bee76d06786092d2a161fb3a60ea31e50751ac2

SHA512
8333d5d3fd7aaef244eeb71d6de24658bc6374ced4af17652982fda1cdc3605efe7f7e4dc11cae8e861992ecf43d9f07507921bf00bd788393ce8f111c93d1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
455KB

MD5
1a827fce882aaf9bd152ef220eef1677

SHA1
5fc4769e71b1b3980e8b1d50901191c45b048774

SHA256
f17ca5c79fdb3fd11a6510e729c35517fb9a60a4300edc170af15ef1a8b5554f

SHA512
1d7bd20efe885c46641a1cd46d7c0872cb4686ad4df7bb1598c644182333809b90ced87fab558c6e5cb0b54fe22dae19c0879f84dfcd20a12db7422390ce0c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
259KB

MD5
0aae76e64fbfe868da6e678c46239a4f

SHA1
656951ffaad1fe762a45ba71f6c3ea4198ae0096

SHA256
a27a903776414c2d77b749dbb31b4eee164250d02e905a5c7e6e63f7fed1e389

SHA512
dcb8696f31ed513339af34b65bb4a52838af5863c6eaa6bf9daf9dd846f6828fda6509168553f8dc98b31d55625d2e21d3fea9b0d21200c237c92b7aeb989644

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
595KB

MD5
e8aef94465835cb32e2dade25dff6c8f

SHA1
ae7ad780f42219eeba0c44a9d472df77a7a7f916

SHA256
bf41af8d83a3668ad68fd42ae53728e7dbb2f730b32b1731a2bec572aca29569

SHA512
1dc65c8ede7acf8c1b0b2560e22ab279e55b3dcd1087a06243cca7e44a8295b1f765c66367ada1db365798d83f83396c8f353ce0a1c4ae85f590285248ef8707

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
132KB

MD5
b6edad84d3272d7eb988a1b79f2e7490

SHA1
688dfade9be89d884add0d24a3a716922879072b

SHA256
6cdbfcfb3e45a21c1f5f60578c906bb59da99291330d60f00ea3484336d12d01

SHA512
45d3be92e236e6e82f6a2e988338165f631d07dd44c5253314286313345c7d7a4a9bd52cd16706bf5900d248fc6094a9ca5c7ca09e14773878249c119649b09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
205KB

MD5
07a10f010401775f82f7c07f9881b0ed

SHA1
70eac1cab41fa83ef1636ebe1aaba81ff2f24ac4

SHA256
0b5f883ce1f968650cfb0aa7f368a16f38b18bbef2bd26f02f56922eb204e188

SHA512
ea1c9cb7edc38383ffe866f027eb47446ccbd64f128777e21b0c2de06e0bc8c7a82d23cf2ea995ea4403df3064c6c0ef0b499202b983568c12150ef40c782559

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
382KB

MD5
0a84f152d7439f779f31ece2ad7693fe

SHA1
eb130d64490e8c33a17d7a3bc0cec298b9bfcde3

SHA256
ad9facfc4385fb4a5cd538024eea7c0294d6b34cd15632d3495739b73d316602

SHA512
1af85af629d7207d7b65cfd15633840a64a8037da9b2d8dc962930ea12b930bbb37ec74ce6f817742ec6d9a2e3f696a617a1a6efd774eef88209c2a31fe1c34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
359KB

MD5
736d21d38e6b18984ecf4c8b589bffa3

SHA1
75f2d969b8846f45723b2e7d4adc06700777d78b

SHA256
7eeac3ff2c73e776a5edc9e1ed2577df9cac7be948c63e13c992034f29559651

SHA512
7f0b8a2774d54811be5c77211cc043edc7831a7742a1b42951b60a5158fe1c8dce5e568bf5a666b8533ef15361cc29221b1e6a7c224b972616bc50262d87defe

Download Submit
memory/1032-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1032-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3240-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3240-46-0x00000000744D0000-0x0000000074568000-memory.dmp

Filesize
608KB

Download
memory/3240-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/3240-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3240-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3240-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4164-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download