73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	b2e.exe
452	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe
452	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2924-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2184	2924	batexe.exe	93
PID 2924 wrote to memory of 2184	2924	batexe.exe	93
PID 2924 wrote to memory of 2184	2924	batexe.exe	93
PID 2184 wrote to memory of 1584	2184	b2e.exe	94
PID 2184 wrote to memory of 1584	2184	b2e.exe	94
PID 2184 wrote to memory of 1584	2184	b2e.exe	94
PID 1584 wrote to memory of 452	1584	cmd.exe	97
PID 1584 wrote to memory of 452	1584	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\49F5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\49F5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\49F5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63A7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49F5.tmp\b2e.exe

Filesize
4.7MB

MD5
1087d717ff6c893014e23826d1c8df70

SHA1
50cbbbc5ba0dd506e0c996b0b3d0ce7fb1e29676

SHA256
60e1b057428cb5d6231d3be1fdda5f55b93248cb59707ddfe1f2e4bc65f27937

SHA512
d3088d2fa10723707cb4db1bcf0c568c12b4bb52c10fc1319289c53db925521f32976328f387521d0b81940612859f8d4218157173f3f140174041cf7050f86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\49F5.tmp\b2e.exe

Filesize
3.2MB

MD5
4d83764ee2c5cd2477f80214aed9adab

SHA1
ba41b10728727fb024f70646aa72e56f31c52439

SHA256
0bc745d73afb160ce1b7c96ae881cc46ef45fc4dca6083c1db03f54a3d179240

SHA512
fb8ef8ab8566e81e570f928ec95934861806263608022dc3f0641310afc0cc338ffedcd3b456ca43d2f374db478c3eb82d88163e95f72d9051ba6cca79c5cffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\49F5.tmp\b2e.exe

Filesize
3.6MB

MD5
58a2aa9705ff521fffa47f2db7ba1c9e

SHA1
34f2ac9c8d98ef2d2b9cf1a0c90e12f2a1f58faa

SHA256
7fd6a500402191a2c5d55c4a44d250da00c0a6ed121cb7a33acd42449297bcb1

SHA512
964c529a09faa19083d6b6568b84d7f89c9505d72aa8239edf28ddd0cd2c288cf92d73d44f8c00097e56413a4779073fec0e89071b39500fe4fe99f43c514b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\63A7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
252KB

MD5
1761c7ee4cae546eca7a1a8baa4459bf

SHA1
c28dfe7f2c9bf4733d2622a4dc462ae6a9165176

SHA256
e4115493be85176a5a16f7eb0c56a9e459e547b730276d3fed915e837f5335c1

SHA512
e8c635b1ab699fe939a5f8e50e2042df1c5af9c24a25b0a5fc87abdc968b2979e6f88affd4468d8a0bf45b2289c59796ce30f57fc2cf3e97dd8f3762d18fafe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
267KB

MD5
e29e5ad6a21ebd5133618c745ebb32c6

SHA1
bcebb5150ba580d35e39b07e2b8986fa70b2869a

SHA256
2252c0e73db0814328f27c0be500ecd7b2a0aae8ec4ce800ccd7196e185587a8

SHA512
52c46fcb6f087c53274f2a3ad5699f8068db351ec79339030ea23c87ffaa59e1a5ab2b1452f96ad0288d90b4cfe399f9b6f82dd41aa525c4c0d4df0f4f245136

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
149KB

MD5
4b12d94c97bece4fac4aedd02ec12178

SHA1
687e4f9023444c4e898648ed0b7a0ea4df6cf236

SHA256
30044f5f0a24dc74107fb0fa6dcbc81ae9d98e873df4bbaa1020bb4991d1db90

SHA512
61bb860a2ead868ded7faabea6d2c669132b54e3eb8550787c1312d23391bb5d6a57877f8285b8637d18fd786a0c48cd749219cd6e8cb185433ef3f2b76c3107

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
298KB

MD5
7718957defd2a8f5887480c1cde586af

SHA1
94a606d8ed8213f0e9b7f2e9ce5ef3a91c1d3f08

SHA256
8a3b0903b5623a81e4e7ad40e5d4cbba0f2e6b6e8d5b6d88167373947f9bdd7b

SHA512
d751bd776f8e10c112993cf92b84a3cbd629bb3346b325ec4958fde1836d2a37b648432cdfa24bfeacd736bded433c7a8058d6832d19bb96afcd7fc7b9ba0111

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
484KB

MD5
ce515dc54e00a7286a185e2c71e9c906

SHA1
2d350503cf5c4f2b0a9195ca6f6aaa96f16ea5ac

SHA256
5145e90edb60cf48a15c69e619be0475c6e7689250a389033bd44270fc05bd78

SHA512
409fcd48347dad816ec53ae5caa4024dc017e74e82780d5ea86cff90ce7cc84aa581cfdc7a7b1cb94dbd48b07152ca450788b20653e19eb80b34fe97919898c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
268KB

MD5
12d5f1d2400d677258032459321c10c3

SHA1
cd3d072e2a2e11ad60ea60bf1016e1987c1407e8

SHA256
92926e764c878c3c468aaec63c965d63e225c70adceac7bb1b059a17beadcbfb

SHA512
201ebca0c794414cf2214035c3581da534a3d9db007992e37aa39b09498b86d0c2c6033badb3ecc3cde247493ba1bf9c17ff93d62012c82d4636d45c518df6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
220KB

MD5
d0c9a5546ed5d77698e40643e88ebc61

SHA1
58233936599ce1bcd6a2198cd2fa968a60e54903

SHA256
0fbf5a837051677ae687c1b18338d3b79b29fc29d068dac1806ea7f86eda7471

SHA512
ce87f72e6536e4bb0caa8aa14e21eefa9a7c63fde3d6158c980909e00986b3522a5ee552653821b3f9a0cf296df42c2c131b163b67ef5640321e65f81286a466

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
247KB

MD5
1c5ba2ac65d949572b1e2acab9d7964a

SHA1
1e7ece656a03a4a36ef5a68a36fb7b3f3a03b4ab

SHA256
ee8e4d76287aa871bc7a6004ad6fb62f8b356a97c35fb744c9380c6274ee8b7c

SHA512
c24aa880b5bfeba4da32f8a38e2314f091489da25d1f5022a375fafa566a78f8ce9f739cabf11585bf562be2e8394eafbe0e19e003a3cb06d348610bd4624eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
308KB

MD5
d81c9ce95b1e0d67fbdad5ba96c282d1

SHA1
a953283ceb216dff88b35f99bc723c5a8d48556a

SHA256
2deec66f6ffb8d29c7d1f3061d49c9d4222ea67f7efa5c425c9e98f0d53f607e

SHA512
e3f467bbdb69046760bc66ac1caa80702e29f5705824dae737c66070792cf70bc495f4cdfd3f202b73fd8a8603b595b96e1ae72eff2095f687bdecb5d776df03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
315KB

MD5
52a3847826d2e6dd944a51403cb06d02

SHA1
c8d6dd9e8abd94e0e5e9c4f1d8089d8c30a90d5b

SHA256
d41b907f7d2bcf52dfa4886b8213804d6f3ee9c2a288f69c97843edf29625672

SHA512
dd6aea6685825878fee3653239958ec2a9c39f040534a2ccf78fdf30020b5a054ec81cd64ce0a7ebe4810e80528f11515924efd9a2ce8382a8564cc4717ad0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
201KB

MD5
61d0fdb560801b46186ea0e648134b8a

SHA1
8216fe43e23551f5cb0b4901e6fec6df492aa025

SHA256
03f83e603ccf1200c96620e0d24139e1e72ccc6d48c40db1b07739e4e43182e9

SHA512
0f428dd6a2eb48a7ccd5bcde558cac4c93aae088dca741bc6956773a20da018d69beea550e0029e7fe2e1b63412a49c3e1f42654304356724d436e74c367f340

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
226KB

MD5
3e6bd453a8a2c3954e6e3d01b147a740

SHA1
da08bb3a17e985474bd2f7d40d9af2abc8299472

SHA256
e1c35e31df7ae96ccacc6a771123cc45b04052d8b0ebd30d3febc70c43f339b1

SHA512
d0bd5f781627121997ad00221760bbb589017f48c2f3c13c4e2da74745dd579b0c6f684bf364f0733677e695dd88d365c85f6cc8c1229352c2f8364f0791fa4c

Download Submit
memory/452-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/452-52-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/452-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/452-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/452-49-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/452-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/452-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/452-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2184-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2184-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2924-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download