73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4384	b2e.exe
2248	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2248	cpuminer-sse2.exe
2248	cpuminer-sse2.exe
2248	cpuminer-sse2.exe
2248	cpuminer-sse2.exe
2248	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-1-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4384	4000	batexe.exe	92
PID 4000 wrote to memory of 4384	4000	batexe.exe	92
PID 4000 wrote to memory of 4384	4000	batexe.exe	92
PID 4384 wrote to memory of 2312	4384	b2e.exe	93
PID 4384 wrote to memory of 2312	4384	b2e.exe	93
PID 4384 wrote to memory of 2312	4384	b2e.exe	93
PID 2312 wrote to memory of 2248	2312	cmd.exe	96
PID 2312 wrote to memory of 2248	2312	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E94.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe

Filesize
342KB

MD5
2be6d54b761babcda835b23e288a5317

SHA1
512dcdb14a74ba55cd3db6a4c2da22a9fc072637

SHA256
e4383ad160f585cb50ecfb25d6dc2c063fe3f85ab76d76d70485a4540de981c0

SHA512
9644b8f65aca150e10cc6f5522bfab57c43e0049f03b29428017534e3151f0a17b31d4c43891bfa5738743c2a36f1bfb30f6453de6fc8cf79e9770fd090a232f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe

Filesize
475KB

MD5
e7e287eca548484a386f159ab71d8373

SHA1
34fc4e6106d1c8b23e9bdef214539926a05dcbef

SHA256
8c02cf431860300ff36b4119487e52760862269018dda0d7c36b3162d5d24d17

SHA512
d6ca8cc7b321a08217bfd756da79b737a01320c6464273dbfda75bd8afe0ae7a9cb516c8f74f54d05a6d3986601e5cfe6c9ee7c3210893ffe0e16434632459f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\b2e.exe

Filesize
536KB

MD5
539dae7f466b5a93f500ec9af9677894

SHA1
d24953b66ded9d960ced6e163f5d9f4810264099

SHA256
0273b308c2682061752290a59e446350c0196617c77a535e975f17c6e36a2142

SHA512
ecbf379730aee8058d439fa5d3c2abac3d2dca5172ce4a6f88614bbec2c5abdad3230ccfead612c8a00adb05d5d6ce5ff540b1daa101f61bb877cc8f77924ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E94.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
295KB

MD5
6e534f55967197c5b44db641427733f6

SHA1
d2bc6353805c187dead7ad7676e3d36dac510ba5

SHA256
fa4b7483786f38a05c9f212778bd61603b9d7754fc0b0a226fd88fb16d64c105

SHA512
6153c9682a9a967ee4cc71e8b4ebb27a56b9f56fcd971a6436df9df31d02d59361c97a0c7cf96b05a90dff8bf8966bed62fcd95e50a94713b9a6729e3d81a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
289KB

MD5
41cac49cc40861bc8e21d9cf93c69324

SHA1
cc6ea77be686dcfe013a64d6e98e1388e749b805

SHA256
aaa0064543e40c03c139df68236e5944c8a16a2d3f681704157dc95270a05bc5

SHA512
1b4a6803a0b4f3f1b5fcc8527e5a3f28ddd2df93faafd5e750907966b299b4d4f8a6a4494720c0720df62f3301c20e0c3b56dfc88aa0321ec0f6999dcfec9285

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
338KB

MD5
13f832549cb5e1f2ea6d6346846a2148

SHA1
7cb793923d6be663da6ee2489f70d742b4692562

SHA256
ff77f34c0385d6c09a7b895e7b938266933f22b31b76b99d7051a9775ec2b60c

SHA512
6ad8bfe208e153cc729896ed7fbd5114b1dc7f02a187a3a675aff7cebe35ffe771249e6ba93c28948f2930ed6bd57a8465bd62852f0aa7c72bb253e976c3ed1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
247KB

MD5
69778fc3331b511f821ccdde58f1c3de

SHA1
2ec071fd2a14794262de5cfe34d6b8e87d74027d

SHA256
486738396687dfe173e63420a513b4a0bbd1dc299978260962d550487f9e2009

SHA512
7f0125ef892438e9dc7596fc7ad5a75c0699d66b2818da045d507cdd468e41d1741b2e3282d34d9cc678294fc67c6b04bd046a7ac83f319e70219abf21adecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
201KB

MD5
b5cae8aed2457c5901852d56ad9e2b0f

SHA1
473cab8ae30eb7df770b55b5902ff0b6635d1343

SHA256
b26d60ec8c196a323a342569e762f7f6cec21742e69ac3515a4065e81b9e12ea

SHA512
2a12a0a1db34ce5d85ef384f59821599f620d93e21930be23491a0c44dd4e8a77141b34736800e214c7ec2efc58ff7e5cc9e7818e22ecc02bb7da924d7042e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
205KB

MD5
94ec42fae2a86b9d1fc61c1949b4c9e6

SHA1
14e1e95dd0f3aa42c1d2f5151b525e9d2e4b1048

SHA256
ea3880f3526b77553002ea1fa440a1c8448ae7f3ac28c027eff621e853ccd69e

SHA512
feef65b5ad480b1843b577691f739784bc8aca7675a56576fc268744df30ad46d81598f761a1afe7a35fd051072892573602201e4fc601b14042dc79c94d0117

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
275KB

MD5
b5957c4b8fb38f4ae2e4331e9efb4d73

SHA1
62e53d58dfa6a2ab27a62bf06932fe5c78eda732

SHA256
17d5dd3aa77927724ea2198999947e9aa2d5170cdb658ae24b8d509bb60d5c22

SHA512
1428bbae566eb99c6fff9d39884b6cecf3f5c9017ee6d68c4826dc9fe24b574d23d8b49c2d6df545bdb97a53e4fba1d41751cac8a4ba11e0d9b45b6982674078

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
255KB

MD5
e042db5c42478b62f08c508cab0eb91f

SHA1
27a5ef41242afeeb716ad63b3c9edf4a7653d7c7

SHA256
a55441ec5b276b8bd328aa266f3516a7c2c41df9d5736851471ed58a1f5f0b95

SHA512
f1a870df00971903263f7e42fb7e10906c991e5df5515385f4b407bc491a515db5223bc1106f2e96d2e6de0fb2197f883297d9fb0f36ea89a3496250c689fd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
203KB

MD5
46a50548ae6b7c7707db9a6ea9979979

SHA1
cd60c1722e05a95dcdda13f577e30971d5a54241

SHA256
ac0558d6df585afc6ef1bc05dab89bc239f9f543cf645ed89206fed413f97b05

SHA512
211d2776760e8783d8bb4d672734ff5640d193e81eaa8c5e3d80c993ed1cb61069d76fd9aeed8631bbb8b30fde67479c68a40f03c6cd6155fa86d60e0ce60c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
326KB

MD5
99171b16dfa63d43a218606dfba66e10

SHA1
94cd83d9d941b4c187e1ea772ec64a8d53b7b419

SHA256
4add13b0e51e7805f5359d774c858a08af9e8d2404dc5fabfadca92733a028b7

SHA512
0dd989f3e63f50c528c343e74e8605b7e45e20370ba3dbf1343ca062112e7d05e32af4961e4395e9a653830d7a899624af2213d82a3669d098fb3a98c5c3dd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
350KB

MD5
5034bd6135c892af9d6710e5aee0ac89

SHA1
29aa0de4102cbcad7fee190a1629ac13120c228e

SHA256
25bb28978a95f5dba15f2c0f6f857fcc5f6517d8f6aef60400fcd392ebb1964e

SHA512
2244b0496c5a5f0bdb1f010f3971af6674403cf800b87abb5cb14968554b7b608ff7351814470472f6f596c272f62fec1a87334c3c076c9ece15870f6ff284dd

Download Submit
memory/2248-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2248-47-0x0000000062560000-0x00000000625F8000-memory.dmp

Filesize
608KB

Download
memory/2248-46-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2248-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-48-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2248-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2248-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4000-1-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4384-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4384-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download