73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3624	b2e.exe
1804	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1804	cpuminer-sse2.exe
1804	cpuminer-sse2.exe
1804	cpuminer-sse2.exe
1804	cpuminer-sse2.exe
1804	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3168-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 3624	3168	batexe.exe	90
PID 3168 wrote to memory of 3624	3168	batexe.exe	90
PID 3168 wrote to memory of 3624	3168	batexe.exe	90
PID 3624 wrote to memory of 1604	3624	b2e.exe	91
PID 3624 wrote to memory of 1604	3624	b2e.exe	91
PID 3624 wrote to memory of 1604	3624	b2e.exe	91
PID 1604 wrote to memory of 1804	1604	cmd.exe	94
PID 1604 wrote to memory of 1804	1604	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\7D3E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7D3E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7D3E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8434.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7D3E.tmp\b2e.exe

Filesize
7.0MB

MD5
c5887ae73f59c059da3fde8e6d13f808

SHA1
2777ac785cdadb6f351b1e39d3f74425b584088a

SHA256
b2237a6f8357a9fe5067246d963881fdf85b8f889adae455600de5acb2d64239

SHA512
febd27b91d2f524658744cb53bd33c2807095108f7211e4d2486edc902eaba7538da6d8b0856bef507ebc374838d8ad2cb5a3565e8fd4f2f66d2870b8d87ae37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D3E.tmp\b2e.exe

Filesize
1.7MB

MD5
7b9e19cbeef48d1436f80636d98f1e29

SHA1
211ab3ec2dbf56621bfa6e7b4af51f6d59ed7e22

SHA256
ab3065d4cd6d2916257227617fba70a92bdb7b65f474d9a3b5a7910c6791775d

SHA512
cd561dbc1747d3f5e1a799a1d6f13d71150e273835ecfd1f84b00e742b04a23b41daf83db404ef527c1531f665bd6e74a4fc62bc84759208b958a4803063bdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D3E.tmp\b2e.exe

Filesize
840KB

MD5
9bcfd71105b4cbcf93fb5d868021b0d4

SHA1
cd76b33bb5ef5ecf9571413930aec579c117bf18

SHA256
6984ced81457c47265c1e02d16bfbc3367f3e5366bad798f750720af52b93520

SHA512
a0cd74dbf586fe1c680f1d4d35fee3ce403d5dc9d4a99b12e87e32123a2545b650ddf8a75dd3a74caa0b57bdaf547ec773545c179d49355d8d2a84c90d7b1917

Download Submit
C:\Users\Admin\AppData\Local\Temp\8434.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
cb9db7278bd4287dbc560bb5b0454d6e

SHA1
a2dadc75ca8a18355ab1c6a231abc2becfddce51

SHA256
035177462aad63f8b2e27ea8e342d7b1d82c58d7bd16957980c0e95deb7f1bfe

SHA512
3a899f0994028f709190ac3916d8bf2d86012ab8e285d09a15a437799c1d7b7416d54bcdf8b850f2287352a00500bf6569a487b789420718012092cdc818461e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
922KB

MD5
0806b5ebdc714553bf994774192065dc

SHA1
3c884f51e562a2401ba5eff52bb978b41855b873

SHA256
52f3c1ff6fb069e4049b1f587d878e69230b847f6fee978b6b6922cbd44aab4d

SHA512
6acf64d272841491cbb3cb5b6e408d791194add205efde4a997a721d21fe72f9482ad95004b219146d459a36ee4969914f241e96a63883095e4a51deaa9ac7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
741KB

MD5
e8d4a656b0b9d614fd2f1363d4871bfe

SHA1
543ab5df0a780e6ee4f15d6f449b6618b9e241f2

SHA256
9a6308f8698ada68666facc15a0af520955624bc69902a24a700f72ed6f12d93

SHA512
42a1bd51f56981a8a0df24fc34242bc7dffc149294eb3a715e49e45d6fcb273a4056042ca32566709415fd34feae6ab10b732d953a10f1ce69a7ace4bb4fa706

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
718KB

MD5
d83b02488a3ec0d9fee67b9f6749d196

SHA1
bcbe147182249d1928e64aabfafcaadea6975b85

SHA256
e39d7b78742f7f1d3d076ec477ea2736c8786b2f3fca0616e2d93ee15cca8be6

SHA512
8b8fbce10986f778327da922e911ab5632356cccbb377e63c7efa5ad22148b7297108e835a43db80b05361c34ee06ac05a4d1ec9cbcef9c8215a86ad74f3deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
966KB

MD5
e996d5366120e0886195d943bc8cf21b

SHA1
1ad4358b3c741442bd6223286ffcc7377cbed925

SHA256
c19f54efbab7e524808b776c73ee768e06cae34936fba5c36cc6da588c2c289b

SHA512
e9f05c271817d4ed718185ef85a6d6262b5a627051a9c9f884fc55d5d9805d3bd581085f3de7415afe53c1630d5f0d9c58f4f59e848c3c13d92874d21c597252

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
902KB

MD5
31341763f688343eed6c6eeb5ad52a70

SHA1
206cf05241700834f4b140493e01298b1a7140cd

SHA256
060fe273618c0ae9dc40eb4f20f681e547df1b2c318365300bd5e0717255604f

SHA512
6e7d0ab6c3d7b83f9c0d1260c92b5b1c6224ba67ecf011f606c27662c9f7a92156d0f24d5d6716ff91b0cce783a7f46787d5ab9846ee31351d136aa1c5e41b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
585KB

MD5
9e5fc53be55919fcccff6b702305dc62

SHA1
c1bea2f89813c9001a5351f0dd1ea4303b7fe3af

SHA256
d0eeb66aab4c2bcfc667b6d3c95fab8b3e2306f2f49342ade68e5898b023f662

SHA512
b8c09703083396776786ee4b08adf2526899faf92de8c9e627bef330602ff711798c72c3568c75cac2dd713273ead06a7ca29cfb2fdaf42561cd5b77991c0896

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
685KB

MD5
eb745afa4eec8a4bd6bba9c0d6a6b20c

SHA1
6afb8887ae44c9792a2294adc122609d56b65ae6

SHA256
f00c89482032aa0f3d702ca7a9ea9bfe4d4d136c947e5527f90fd02d53661c83

SHA512
4eedd90aac835e16278fcf2b1f2fa3e84767f93804221915a3321bf24b8c9054504efec414c957ca9fa898e5b36265c4bc175b474434e5d14d43fca1b0d6fc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
2c18bad08bcec531be200c5920891a3c

SHA1
156636d047896e8c40f1addfadfab373841cd2fb

SHA256
bc100564d8fb35fb13700888eb8feacca01887b7fe89aa3f9d81175a411ac629

SHA512
d09c798c1137290544b239aaa45dd1c3ed7f742855ce891e2205b3ec1559755350fc64ce5857dfffeb198ecffd2745dbdaad7e5b6b8459e17c554b55fee01d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
571KB

MD5
62887dfbd93aa9027e9ec6ae4b32fd26

SHA1
d915d10e2f575e9a489e7222486afecee357befc

SHA256
83233b901a94051c7b76f1fc50f91415f2c4412dabdbc34dd453fad14aaa92df

SHA512
f48a7b2d89891a480962e74c7dc9faecb985fdd1d095610a995312f4366a7fc7eee142741ec10012422c39d710ca071167ed68e78fb83f8d911a8c37503c11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
399KB

MD5
57d910373cbf298a629c9403e4a8bdbd

SHA1
11c10e29aa52da28d55405652e67f37df5083d72

SHA256
90c1379dd9dfdfbe3a9085b8cf34a7af45dfd6fce05abd1d2532e27d37752e01

SHA512
646c48308245d6cc8593b3c2a2d3ec4522b6fd087787c5846a826be9d4d986bdaca316078fe6ba40370b8420d86d5b7161659ebb42dd42db0f0e0ca34b8bc91a

Download Submit
memory/1804-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1804-45-0x000000005EF40000-0x000000005EFD8000-memory.dmp

Filesize
608KB

Download
memory/1804-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1804-47-0x0000000001160000-0x0000000002A15000-memory.dmp

Filesize
24.7MB

Download
memory/1804-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1804-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3168-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3624-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3624-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download