73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 01:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	b2e.exe
2160	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2160	cpuminer-sse2.exe
2160	cpuminer-sse2.exe
2160	cpuminer-sse2.exe
2160	cpuminer-sse2.exe
2160	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2460	4880	batexe.exe	89
PID 4880 wrote to memory of 2460	4880	batexe.exe	89
PID 4880 wrote to memory of 2460	4880	batexe.exe	89
PID 2460 wrote to memory of 1124	2460	b2e.exe	90
PID 2460 wrote to memory of 1124	2460	b2e.exe	90
PID 2460 wrote to memory of 1124	2460	b2e.exe	90
PID 1124 wrote to memory of 2160	1124	cmd.exe	93
PID 1124 wrote to memory of 2160	1124	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\8F8E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8F8E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8F8E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\948F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F8E.tmp\b2e.exe

Filesize
9.2MB

MD5
5a029ef1d393a64965b43fcad29300b3

SHA1
31a4e5ce66bc2cdcdba59bce0cd7bc2994c96d3f

SHA256
f559d07bbff00fdd4077597fe2cb6a2de8e80d67a0c8959b3187dfe9314d7cf1

SHA512
7ac7460aa72ea163de82c947dd3f0d0e8c902fa4e4b7374e6c8febd0690f325796218d444c2c453d8c89df57a99133eedbd0086f1628338bbdb59133f41a90ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F8E.tmp\b2e.exe

Filesize
3.2MB

MD5
b8ba7423b9feda7db859cb32a7099fe5

SHA1
b727787b56c573b560f83d4cd2dd2dc0fd871e65

SHA256
d8a90c631f2ef8ce9c0517e326c04ea8daf7bfb3444f301a53b8a34dc27a292b

SHA512
7e95fa4564fde46d3232adf2856f0d7cf4238053e70dc863a5719eaed7aa2ab1f540cb9c58e9a38eb1a77f40641d8ca989257b044c1a6d0e4dd85c0409a1fa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F8E.tmp\b2e.exe

Filesize
2.3MB

MD5
ec419c3d9d1691831bf1b49376ae6099

SHA1
b807de61916ac635a6783cafb4aa76c9c674500f

SHA256
59e5c03fbecf72b7a89e6952d3a88402e84c0aa66d0d3f74eb09eb4fa03f4aa5

SHA512
53944e29275c1a25db24d1efdbb5de137a672921ff93310f2046aa1034270fcd86f9034b0b99f458970eb5331203e51800e545b8de7910ca5ed10eb663e69715

Download Submit
C:\Users\Admin\AppData\Local\Temp\948F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
198KB

MD5
996044a1116a87807c455ce34b81cae1

SHA1
d7a718b53ce940a38c19c1aaebcbe971aec82f92

SHA256
911510ac1a321f983358d5441716ece41b73e7cac32aae530b29f56b9ac6b8d3

SHA512
f56d641c4c4a3b89108313cd47dd332b977f1e5bf1ada3573f3662710d6bd11c2b314f913e5b0ab03f9ad6dab67d8115e3093ed5b356e661e9062421ec23563a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
109KB

MD5
6672b80260e2169a8f2fef951812c1c0

SHA1
fca1ff09670e8eb82d8e38b749bed7325700353b

SHA256
edf02c5ccceccbf1f75144415d05ad67461067a54efe1f50a684d927f6d5c133

SHA512
daa03069c49b484890bb801b5ae1f41b78d4b126559bc2a673e768b9744f762385a6b87c6e4d314cfe53d0b99154a1dfaad328ae5e3cea4bde6c1f972002e3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
206KB

MD5
998c2d538c546bdcfe3948ce99c661d5

SHA1
9e610682d7ffc692f259c7ce2abec9e10b6af808

SHA256
e6df0b2c0f8e8fea1148379e63ba32c9422ceeaebbbfff3836a3fd9219aa5833

SHA512
1246f54a7cebf8e410fea37fe483f7e357c2cbdae31a0c48dc494105dba0ed6472fd94a07936cb00871410c4cfc14d3b89da3baa19614c96d872931f127901d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
0cfc533c46d2f160fc8d8483706228cf

SHA1
0d13ced09eeed5fc3879f418bda0410a742ab6a1

SHA256
510a6af4547083718b32dc00d4711cfff2aec0e7b936d4199feaaf32a7d5d3a6

SHA512
11e35867688e7814881981298b6f6948fceaf254d154f5429e5a82c43397b1894bd35fe7fb586b26e4272d8371c3b8e96c20c71ab05b9df3e851291444702a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
168KB

MD5
54cb510462b07aebf57cdf318fcb4f81

SHA1
97f5b0a436d46bee2cb74220feea35c86538a147

SHA256
262f910afc6870502e4c80481f654c46caefce7dac38bbb3f777d3dc762eb5b5

SHA512
83f329ac24584b5a8d18e5116d9bbc82d4954ecf58e198848fe17392cc05b08a5a127a84dd9e0b7542e330034d6bf2b456f1978fdb8b311d5d60e7f17768320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
68KB

MD5
d20609373df3c68add363d03dfbe6bb4

SHA1
9c7420377f33cc5531ed6b9bb7fcfe165cbe71da

SHA256
a4e6bc92affabcc3716ebf3b347d3598d62551712f339cc7770e0362e52c5b3a

SHA512
76743efb561afa90c70e638bdd78de4157f2d4a9a03c8365769ec9a91ab9d60ae9bc8ece2731980aa9c7029aa8ab1ebccd7413b7569c34044136564b8c9742b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
65KB

MD5
12c078c2a2021a0a31f7381838020a07

SHA1
b13f77a45d5f37711fd2e6ffa225b5b6fb574b3c

SHA256
4b44959c8222c83a7f7bfd65481834d4c77fde0c392a92f47a080a11f054cad2

SHA512
5ddb0dec5d5e0288f336d8301f85e9481118eb8ce5ce624c53edc76e555559c07adc0a211567e874b1c1ea6d065a9de3b17d81439bea78037fb8fce0d7dc7ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
44KB

MD5
eea083fcd92f78e4c81d4ea0515f445c

SHA1
fdd4ce7a9b4b81238152ef5b7239adf6d3cfaa97

SHA256
2d051fa1a72b2b8bd37288ffc7a38d2d762637760e48ce6486222ad53fafb677

SHA512
1252d21ba0a68cf5e38b12ef4553f94887cd29bbb167e9da44957d850f69c8007599b4da89cf624772fc5121666a503dd36c5974f75798a194c20f9de07ce6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
86KB

MD5
10814ce3d3da3c5ee61b47338d580402

SHA1
743d495efd6861b1916044cb966c2a865b0829ea

SHA256
0e4abb78c28cf504c45dbea29fd639d69dad87f4f0d9cc6991557dce2da3ee3e

SHA512
0de42be20959fb22957a5a9a56ceb6e19749d2c8dd4e65f4bdb41d2f9e760d6adc5643771a3853582e2f1e9c58718b346641eb0291892ded50b9ead97a2dc116

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
366KB

MD5
df5ad0c92af15ba872acebfaab18d5c3

SHA1
4de316a64097503efab9af45d6b3418557561ff0

SHA256
1ac12b2e90f373e96f63cb0c017d70dee92a2ab22207fb34410d02a9e659ddb5

SHA512
bab050960430914dab4f908dbfba8948680a67a212f2a8665cfef538a3b77a485913428d9fe434067d8a00b752ecd45d95603fd1d44f0ac7d686cf2e9d96b795

Download Submit
memory/2160-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2160-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-46-0x00000000609A0000-0x0000000060A38000-memory.dmp

Filesize
608KB

Download
memory/2160-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2160-47-0x0000000001070000-0x0000000002925000-memory.dmp

Filesize
24.7MB

Download
memory/2160-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2160-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2460-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2460-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4880-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download