73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3728	b2e.exe
1032	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1032	cpuminer-sse2.exe
1032	cpuminer-sse2.exe
1032	cpuminer-sse2.exe
1032	cpuminer-sse2.exe
1032	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/392-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3728	392	batexe.exe	91
PID 392 wrote to memory of 3728	392	batexe.exe	91
PID 392 wrote to memory of 3728	392	batexe.exe	91
PID 3728 wrote to memory of 4984	3728	b2e.exe	93
PID 3728 wrote to memory of 4984	3728	b2e.exe	93
PID 3728 wrote to memory of 4984	3728	b2e.exe	93
PID 4984 wrote to memory of 1032	4984	cmd.exe	95
PID 4984 wrote to memory of 1032	4984	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\590D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\590D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\590D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5C39.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\590D.tmp\b2e.exe

Filesize
4.6MB

MD5
1b90775eb0f3105b0e9b2168768b3b74

SHA1
9d9fea36cb732a8639b4fc7819b2c36afb30e1d3

SHA256
23a1cc2cd81b019a08cef45465a49c774c5164d2fb48f8de97378cbbcd4c0068

SHA512
b0dab92b4b5e236145c6d1d8af57dbd9c5f3c96e394ebfd0a110cfd04c7e6c49a71a702f555a6aadb1acc673238e9c8b85bf6a737214cedd27881a4d4a595037

Download Submit
C:\Users\Admin\AppData\Local\Temp\590D.tmp\b2e.exe

Filesize
2.3MB

MD5
a22170ca6d4ec81e3901ca62058f12e4

SHA1
68546b7079b73e15bf69cec1454366122ceeea40

SHA256
d1f5a5568dfd57748bb44b04ff5d86175a84108078eaae130c9d9cdf432e9ef2

SHA512
6ce3bbf703442e430429bcb8389af51737103a0fdd3cc22343e0be62430aec38dfb319000cfc157df2aa067109f1f21ae3ef26c3f824a6461863b0104ebf4401

Download Submit
C:\Users\Admin\AppData\Local\Temp\590D.tmp\b2e.exe

Filesize
2.0MB

MD5
9455f23a437b043241e6ca90b920d181

SHA1
e75d97e2ce6e45050501dbf2940f4531aa5b9f5f

SHA256
20232739fe39d714affd349f1f088e915f228a70e06b681dc826cfa915c4d1f2

SHA512
902d8be13f11be776f6aa2ae41cd66c5f52de02b77a8bf9c30acfe483cfec771082c66fcd67d924c8b84edcd767ec544682c6f35a3e18bbab17b4e7c4c3b0ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C39.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
126KB

MD5
a8808065c64d8549f03e8f31450e65d0

SHA1
84a90f729edcd24b5c4d28b2b5fbbabda3a809e3

SHA256
5c732bef822fd07b399cabdc4b9159e86c182f9acf0f32541b409ffb3f4b76ce

SHA512
67ff3df4b5d582151aea93e6de765704a5ca8f016cf21e029b9ca570993583980bafc93d9c7399209b98babccc0e07e7b8781a3cdf00f0ad44d80dc131739d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
544KB

MD5
fda287193facfdf3ea195f8de111c1b1

SHA1
5c048d21c06ef24cdf118c49d290cab80bbd9cdc

SHA256
5140fbdf6937926901db8df15f236972b5dc666eab7d94a782218d693e8ac52b

SHA512
e4791611f599a7d57cf02407d2e198aabf138c7b3862e9db95def61b28c43173ed497cfe99ea0ce51fbf7c29311baa2857bec2c96d43e4fdba7b3080c1762e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
374KB

MD5
4bd3a6bed9013658878ea9c887425cf4

SHA1
1838b0302982f555ac18fcc53f1591c177ed8546

SHA256
8d409481a8c68a781515a527a7116f547893232ee721c2775c729ffd2db2cf5b

SHA512
754d403193a0f2f3d0425232fd8ff45738eb75531b89f57f0839d5155af9846092371d996e1e1070c882f0de9405a7896cb0f0917b126173e4ea325e89a042b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
128KB

MD5
0cfc533c46d2f160fc8d8483706228cf

SHA1
0d13ced09eeed5fc3879f418bda0410a742ab6a1

SHA256
510a6af4547083718b32dc00d4711cfff2aec0e7b936d4199feaaf32a7d5d3a6

SHA512
11e35867688e7814881981298b6f6948fceaf254d154f5429e5a82c43397b1894bd35fe7fb586b26e4272d8371c3b8e96c20c71ab05b9df3e851291444702a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
516KB

MD5
aa3fb566e4bf3a7cf8e73e5ed82285ab

SHA1
bb5b58d2a3f289560494f65cb4bcf877f127b7d8

SHA256
2ed72fb6b4d4df56865268435539c6d538d72fdf96bd2678636351eabc8c7107

SHA512
a4992fe5fe20f6cbacbd61b2e085e6174f4d305673c23ce10f98f2e588ad47d479b077849c744e0edf4c6ce0b005126a2a46aed18177e2f8fcd7226fb35b20c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
200KB

MD5
dfd784c6ab959750943495cf6ad35853

SHA1
66e30c162407d3c0a2037024868be96be2faaa50

SHA256
bd56cd6b6eb0947930ba5e0698636383ad16636dabb00056843e5b7ad47b99ab

SHA512
2f982cab93f3f6e9fb42d776a6c9a8821aa31ba47918bc9a1394ceeb8c51fc99236c4bfe33f7ef715e777ed257ea2b702bb40031b5c36b7cf8cd7ff8f9ef4a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
341KB

MD5
a5f2e3bee9adcecc461a6e9ce33f3fd5

SHA1
85de729de25e6fdf03a7d4183b65519892ba2885

SHA256
c38439fdcc925133c2dd4b71f40b0dd362e1865e5c3599c0ab47ff3f791827b4

SHA512
a357b7de83336249fc5fdb2ee78e58c464ef490ceda78e38f2be86a948a1ebc1dda067dc2cd02f8b57033b7500cbf00a880df68f8fae5ea564574e4974506b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
122KB

MD5
ee2f1d8cc74226a343be0b47e63c2462

SHA1
1b3cf0593fc0627009d56ac9e071f0422e6bdd3e

SHA256
cd2ae5685e776f61dd9d9a512a51f6c9da2127d29589c4ffa1e18ece3fa28d43

SHA512
0dc3f11c32120372d68345f3571b7f854e780b03a75bb18e41d2c2778632935c5c16c055205113c38bf1b251c9047aaae7c3652ce81749576776d74a42269780

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
112KB

MD5
86360d282420df3d96425bd692f50611

SHA1
eceaab8bd9c8c8b9965bab54e931d14c815672b3

SHA256
e983f1df09023881dd5b55bb540f483aa0b83856dbad4a6c43a7dd41d652bf55

SHA512
9aa520f45d9f6a1f74f979faf8f23390b40ce73af2e0e93ce52bea89c44a03fdd905d62db761d73075e8f888f28b9b47fb315925e8a779b0cb4debf6be4e27d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
140KB

MD5
c75fc52bd7b51ef86dea824662fd4421

SHA1
6302aee4dcdfce3daed5c9c8b09b920e6aa3666d

SHA256
1b1c9e212a259aa7364bea5a2f3c26c58982ae41cceaef2c3a9280be2e0caac4

SHA512
35b707c597ea50fdae662352678f95828d917fd64bfc34f6b357b5668cf46cd7c179167b79994114849ea45942f8a0fc1d86d3806c6001f6deffb5916e959f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
379KB

MD5
2e0e943a97bd89961481e88879c5292d

SHA1
248237f4a3a8edcb26fad9cf1b00bb5c0f65bad5

SHA256
4a0e00836cb119eb359027b68b93806181c6b332df4c148c2a87094fecf2bddc

SHA512
1853475e3058cfb5188bff0097628e589d49939ead827a245ef9841da42887716581a1ab8082d446bd42ee29c15c8ddf583bf157d26e21d64243a741d8fbc776

Download Submit
memory/392-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1032-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1032-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1032-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-47-0x00000000010B0000-0x0000000002965000-memory.dmp

Filesize
24.7MB

Download
memory/1032-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-46-0x0000000066260000-0x00000000662F8000-memory.dmp

Filesize
608KB

Download
memory/1032-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1032-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3728-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3728-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download