73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 05:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
4704	b2e.exe
2032	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2032	cpuminer-sse2.exe
2032	cpuminer-sse2.exe
2032	cpuminer-sse2.exe
2032	cpuminer-sse2.exe
2032	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3896-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4704	3896	batexe.exe	89
PID 3896 wrote to memory of 4704	3896	batexe.exe	89
PID 3896 wrote to memory of 4704	3896	batexe.exe	89
PID 4704 wrote to memory of 3964	4704	b2e.exe	90
PID 4704 wrote to memory of 3964	4704	b2e.exe	90
PID 4704 wrote to memory of 3964	4704	b2e.exe	90
PID 3964 wrote to memory of 2032	3964	cmd.exe	93
PID 3964 wrote to memory of 2032	3964	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\514C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\514C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\514C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5534.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\514C.tmp\b2e.exe

Filesize
15.2MB

MD5
a9f22f63b0636da307be233859558e1e

SHA1
d28a66295cb0c8e410349c3c5cea039eeea99a28

SHA256
4f49a7eebb6541948849adcdbe9ceff55b0c0539945c13212dc400995ec3fd0c

SHA512
8a8c98a758ef882185e31c219cd41473b5cebbfed6b0fdf02f943757206dac2756c235ff928383b7f1620651e36e5ec22087f8363c3a34d714b225700ff05128

Download Submit
C:\Users\Admin\AppData\Local\Temp\514C.tmp\b2e.exe

Filesize
4.1MB

MD5
93a0bfe86cb8180368dc7bb6990571fc

SHA1
4b10a0b29e0dc7bfecc1c4be7fcfc19ae519acd0

SHA256
2effe7f44892d5fc4f3b791db7ba4c2caaebd49fbf3b42d1d6b0035d782d36e4

SHA512
25df6b32e27702b7f8e19cb225a5a5d6219687db4cfce2577643239974efa88cc331cfc44da190efb525c5f66edaaa010f411b717a6aa6f54be59f7836dcbf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\514C.tmp\b2e.exe

Filesize
4.4MB

MD5
4c8bfcf98b62bd1e9d4e44e2e17ec969

SHA1
e843f530ac56b9f50f83ff91416de20ceec86b9b

SHA256
aa2fa9d31453c4866b67657e658b3cad712a203ab685a17ae6684442e22838de

SHA512
f59547441e8aae7937f71a5d72c0c5ca24056838a1010be01cd1e12756b829b806f5380754899a83f69657c9ee030abfde1b9fbf42472a577ff1cd3b41e02d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\5534.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
754KB

MD5
063150bd8c9be5a542c62a8f7420fc74

SHA1
c82c87e03e1763f0692493091e26dce3011daef9

SHA256
4a655ff40fce4b271e9b9261326c316b8bef93855007393c5e5c6249d9055abf

SHA512
f6cedd041539151e7c634d817e1459a7963e30a74f00cff0b1e1490749bdc98b1c80065bea7992ef316ca71b82c4dfb21389c788a0418fd8a72e513643ca1169

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
222KB

MD5
67f692cf14a57851a150e794e5250887

SHA1
b6424befd8458b32e6e52039711ca5380efa5450

SHA256
3923539a9257d97ac43c05bc0d59eef77f15481796c9afa2f5872ed64aab2be3

SHA512
b46c260ccc760c722a4416c86f71361107290526358d4930fa35689d0b72019a5d0dca5b6c878890732aa0a58da8f8ccc32d0c7d985e07802971c07642a15505

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
708KB

MD5
2fac1cac22aff61e7388dd84847c53f4

SHA1
6041b896dc428d16dc43dc87ca11cfd556c976d2

SHA256
1251eb74b16f1249e6a3823cffdfc16afea01cb6207efb92631d947649cf0cb2

SHA512
39a0e9d813ce9d25fe740e2873f9ddc859ec9d62126c9ebb706b516fe0c720410b7efe57ad12eb0986ce5e95f7fa8f730916eff7d709c19c6b2a853f83865651

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
798KB

MD5
a0f240d54ebeef91b5cb9f254c6b1ab0

SHA1
024bfa5efd9e71f5aab0a3343cca8adcbc5452a8

SHA256
71c34305ffe91ad82693150a71e79f4743ff2991f0b6c096670d384eb223c5a4

SHA512
0acd8a54eb79b5516ed1fd11741dafc1082996f915e1eb84f5568a522644105846f81e211cb94ff89e8018ba44af276a81d7d0a95b4df78171be76f806649c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
498KB

MD5
e201dfed89d35b1d0b429820b32b006b

SHA1
d449f741da20b2d261de967f4d97d9ef37c1aa5b

SHA256
db8e1f3a0e694b3195a2f68109e6a8f5509a6e21cf8030bac117074d4818de4c

SHA512
7712064bf5a5de440b6541b8ff50c5447e1d91ae87d87fe83cad7ab498b86807d3b3dd533958ec046dbfca0739cf25b12e6e0e3c85516e4535b0f24d4c9e62a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
412KB

MD5
8e02a497c187bcd4318c3798453d0a74

SHA1
289b923da24d82300e413210872c04954033b034

SHA256
bb91668655150648b0a84e294bb5208d2e7a4b3e03223cae91885ed3455061f2

SHA512
edc083b8fc5e6d8acc3cd2ca7265065185abf84999d078089464f394735315a6e20526b4b9ca4604ec9fa4d647eb5021a9e599c810e04791de56d0ded0b75673

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
388KB

MD5
7d092868a21e563b6f6a4f7af6f52429

SHA1
c64f47d002b4bccb4469038f70a5d284803a3749

SHA256
2258af005992146adc7e9df17580767332c6baf03784c2b9295ed3e43879999e

SHA512
ca7c558a5925fe19e02da496e9f710c45df2169b8584ad7094d62e7f6ed92f005f4dd043e900354dd2bd6f111098b8bb6f4f85eac4acd93e59413c58af6ca7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
688KB

MD5
2bcd088092dc69ac2ebb54fcffe336e5

SHA1
e6b568a843b39a7385ee634644c38d595fe58dd8

SHA256
2f0327e933b6836d06c098dd75c3302283a3c4a5f1653f06da277c05681fee18

SHA512
3901f790b15f4d50c23f53e9c0de038a22d1dd820e328ca4b95780ea5efccd681dc4650a4c8b7b38576e82ea3577267773189cac7f3d02e7dfe3982fc4c7e88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
500KB

MD5
3eef8546e78ed959ed0eb63149f93d2a

SHA1
1f3625036d1f8c6a46f687686c52ca78f708f5db

SHA256
65fb3273702ece715510d58420ad145732b4710aec1fad3d4a26cf5cf8d1ef25

SHA512
a67d6621cb2065a914e095f670c82acbb38277e7503d7e26055ff1de4e0e6ce29c219060a9c7c1e2e7bde7de2a052469092b88947026aa10f928f54138206551

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
388KB

MD5
a5e9b19cafcc98a2e4223cdc6098e988

SHA1
59413bfb5d4c8bbe38b3d040e9e320f4f0d55b70

SHA256
b79b4075542d0860a336f8fd804a37681a445c989f3bf06b7494ef19c262dd2f

SHA512
83a76b4bed1b7305386414b690f2907bc4ec1d6ff957c79dab19219c54153ec4a55902ce735cbeb407c0f9ec2fd57b120158f00f96433fa3316bf38909eb697c

Download Submit
memory/2032-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2032-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2032-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-46-0x0000000051E10000-0x0000000051EA8000-memory.dmp

Filesize
608KB

Download
memory/2032-47-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/2032-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2032-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3896-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4704-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4704-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download