73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
303s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3504	b2e.exe
2996	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2996	cpuminer-sse2.exe
2996	cpuminer-sse2.exe
2996	cpuminer-sse2.exe
2996	cpuminer-sse2.exe
2996	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3228-1-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3504	3228	batexe.exe	98
PID 3228 wrote to memory of 3504	3228	batexe.exe	98
PID 3228 wrote to memory of 3504	3228	batexe.exe	98
PID 3504 wrote to memory of 5000	3504	b2e.exe	99
PID 3504 wrote to memory of 5000	3504	b2e.exe	99
PID 3504 wrote to memory of 5000	3504	b2e.exe	99
PID 5000 wrote to memory of 2996	5000	cmd.exe	102
PID 5000 wrote to memory of 2996	5000	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\749E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\749E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\749E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9248.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\749E.tmp\b2e.exe

Filesize
2.1MB

MD5
0803cc1cd257450b2a42a7361b0575e7

SHA1
f3e9467b22507e83f16ef0ec2733758ce4468d8b

SHA256
51c6923c6f1b5a3c1e4e45f5495cb6183d55930ca3cedc60b0080ed6a5fffa31

SHA512
93d2c0f7a9d73acc4f067675b5fa698b906231d75be595d3ad08cfea282393f180ee54e72f7ce8a5e4b6cc4bda21863d7c3028f6e3a602a8588203445cfb4be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\749E.tmp\b2e.exe

Filesize
20KB

MD5
02d66aaf22ec9eba06937b572db767d6

SHA1
0afadb905c17ac4ef83a24532fde8ed173a6c460

SHA256
0c4ecfe957d6fd489d5dd1efb1b20c41000bba1ab2139a8415d44018c638d175

SHA512
4da45cc3bfc0681ef04ff1d2bcd30954453f1fcf1d11027bf9580d45e31424496e76553d2926223a28dc16829d56b99894f838299f2721226cbf5d90df853a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\749E.tmp\b2e.exe

Filesize
108KB

MD5
fcd73788da59d40bd67e88bb55666094

SHA1
6fb93c9d5366b02f2cee2349b21ca058fb7906c9

SHA256
958bc153116fb4d10b46f25aab443ad8cf47dba3d56d7fc11592e12e769fd3c0

SHA512
e263700c9d9d3e9ae883d47bfd8f7074e4a9a5610be661e90922157483dc25bc01ab5afd56dd30f178f70acf8473749f67e44a0b7fb486a97e4fddafc6a9dea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9248.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
317KB

MD5
edddac87f8fa5dd0ad05b5503fa968ad

SHA1
634e67fd44f0e056a1169cd39a9da37e9dbe6c14

SHA256
8d77952aa7530f003b05774d921a6085431e1b3ffd1f463d7bb6944f6134cd1d

SHA512
fc175898272ef65db62591ed5ece6b6479ec54c7d8a50129f0ee2f6b60dd8f3017a7fe7a177fdaec62e73f79670c72f806317f6f55d00bc02bbc35f1f4697424

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
460KB

MD5
26f626b89b4bed2c46e1b971f61455eb

SHA1
15c4f80f4cf34e9a199a68b6d6f2461300139d5e

SHA256
23f71c7dc0f8047c8c18b4eb7c9d25a3cef2fd5b1ac79d459475b400e86166ae

SHA512
c1cb9104495bdfa9a4d18883bbbd2a070ea42adfd9f571a24f9a28705a7b24c14b07c2ada1470f4e90078ad3855d6c84e21a6eef07607e2919c51f49e680ce5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
320KB

MD5
789f344e34f28f393eab9278b98e7938

SHA1
66af122d54817207094c5d9dddb3ffd8667711cc

SHA256
2cb1fe4248ed6bdb93914f6bd00efe2c63f7daf2e4e32f1ce55b77f3f2b4a9ca

SHA512
6d1a99d89c5827e4eda44ac3d3749031c4a9f5837a0e045438ec36e13444509a74217aba7f74d4b5ce68f49e6fb41c08a49561012a7181032d3f7723bbb483ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
371KB

MD5
72b49adf246dc5ec5191e655e270dc11

SHA1
f8dc10bc3f7f2720fdced03661fde96187f729bd

SHA256
af625793526c2b0390c18a914303ce5fc0a041e437cff32f190570a8ae034caa

SHA512
f96a8d75c7ba42b69080de5ccbbd08169fff2dba28d0b15bacfef55d5125dc3b84efd0842b6af9a1daea01650de878047bdc520801c427a6bca333436af6afbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
260KB

MD5
c849acbaed386b92188dcd5ba86a0f0a

SHA1
15c94297b6393fb9f6c3bb944c5f24244a29dfd6

SHA256
efe6b35f793bd8f734d2e38f8054ed85df13edb27c3f6aed6fbef0e2aba7123e

SHA512
57e54cb9ce5c4979f61854559a3f1ea792e072d24d54282b54481f4ca0b96eb05bf98d8fc29e5d1633cf4a98e79fde35ddb02c04a60a555d83f0d68f3c68ca06

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
284KB

MD5
8060134077e17c1050284baa6daddf9a

SHA1
5492beec31282974caacf71c1727505127d9f72d

SHA256
afca58d1bbf7f465ae0f53b4cd2809dc5f5189fad09fa232c7d3dedf3a5c0b30

SHA512
51865972e5b3a0642d6b03943bbf060eee7f983bda9cc5972e650ac00f3973e1f9627999013a8ba85f9a68d31fa60dbdb36d552673dafe8255dfe6fc82664f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
332KB

MD5
8e2fd814373a81b381d4d3ebdb162619

SHA1
e54f53c1c158af061f000c8ab83dd7aaaa26f56e

SHA256
aa0afbde0e2c8147b80a08f4a8b90a2eaf8731b8a31509e4c624d74b0ad78c3a

SHA512
186ddbdd70ea8eaa8997c77cbd1f7fb064caf0826ad868804f1c9065ec30a55050478aac27a017fc673b241c99971c144862af1e672761d465e038b7c5a14e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
278KB

MD5
1ec4b56fd8a8efd9189e2b6aa3e895ed

SHA1
96d9c93d9b88ea3c605c1e2b1c6c039e0bdd11b2

SHA256
1c76186f125ece4b46b465d16adc23a5ca089d58bcb1fae13240d6daa89c74d0

SHA512
784ee4012ed2997b49aab675b0214d51d3b899fde2b69be97859d8e528f6a77aa59df5ce9646c1e1b54d120d66afabd164e86b399f1e49dc66ba748175d37469

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
275KB

MD5
371a7c878d77542853122a8facdbf52d

SHA1
96ff40d69aea597b888feed8769b2edeb26d0134

SHA256
45e6f44ed8a05261a6debc18f2c173d9ed4161664d0afe6b8a13b8fcede08300

SHA512
4e5913d05e0e1ea9219e5eab0c14b28d7c7750b89ccc76b84facd1ca88bb8c3a5f049db6f8f4c5a71636d9303d7475be448ba33bf29aecd1e1a2a6914ac214c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
452KB

MD5
8a42e74223f5deb8510bc8cb62868181

SHA1
91ed6b64ea99211f653eac21b4350bb9a67093c3

SHA256
9d17b4cad4549b59a33a092f682d4bdd2245abae013e60f83ad57aeb1b83f90f

SHA512
4f809b4edb35e1f615db0ba0aca4429738190aae2e17a9cd925bee5ea546432314be7f7fee1d47587a6eeaceb5cb1eda896a27f3859190c6a0014131a6d63b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
190KB

MD5
665a88749f0f5403cb756067c8649254

SHA1
bb0aeeaa13ab6543fae0d5aa765bdbd647843491

SHA256
6c74b8491686c12b60e97014a49df67615db1bb58612e571d3f1b355a8dbec75

SHA512
9cb8933ac0337fa7bc4161388e3faa1f0a44f071a3f4ea85c4aece185bf1d3cc5260dbccd0f4f9c7c5a3372594100a3d75310db2c35948d084fb28fc714e29c7

Download Submit
memory/2996-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2996-47-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/2996-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2996-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-48-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/2996-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2996-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3228-1-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3504-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3504-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download