73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1372	b2e.exe
1484	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1484	cpuminer-sse2.exe
1484	cpuminer-sse2.exe
1484	cpuminer-sse2.exe
1484	cpuminer-sse2.exe
1484	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1232-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1372	1232	batexe.exe	89
PID 1232 wrote to memory of 1372	1232	batexe.exe	89
PID 1232 wrote to memory of 1372	1232	batexe.exe	89
PID 1372 wrote to memory of 2248	1372	b2e.exe	90
PID 1372 wrote to memory of 2248	1372	b2e.exe	90
PID 1372 wrote to memory of 2248	1372	b2e.exe	90
PID 2248 wrote to memory of 1484	2248	cmd.exe	93
PID 2248 wrote to memory of 1484	2248	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\7A9E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7A9E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7A9E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\82DC.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7A9E.tmp\b2e.exe

Filesize
4.4MB

MD5
144d7eab8d53535009fea2e45e93f0f1

SHA1
e00be88462eaaa7cee289d54951e246fb83573da

SHA256
6a3f12993541381ec9c6cb6106d937e6a6880b7e05bef46ab4ca3eff8e120b02

SHA512
3af351fcf4d35f412b300fa43f45e8fb2bcd455e82da5ee4f5519681f03fbe08a2822f3caa9d806fc93a9568a0162e7a59ae39512da5fc4ab7f555121e49b487

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A9E.tmp\b2e.exe

Filesize
3.1MB

MD5
7f3a7218066e49a4f3f7dbac3674d51b

SHA1
fe01a2629feadc9e50cfdf1d0cf21b5f1474e6ff

SHA256
3a440a96b4efb85b21563db6db66b81534592797030fb3da1f583e215dad40f3

SHA512
5cbbf7c4218fa0dc946039bf475c9f9128d27cae3f18a5e5bbdf8ac99e76f6ea878765369e2dd3e69d917fdbc9c98502303b7c6a2476a8151fe4a8959c864319

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A9E.tmp\b2e.exe

Filesize
4.8MB

MD5
aa501b6c9131f6086e93f1d4907379ef

SHA1
0c87e59a6f1c983ef7037836315565ccbfc40639

SHA256
85c1626cff0144af9c2e9020913306b9edcf47bbb62ba8dd71cc22f3c7d3ee66

SHA512
bb1cf036d3f876387f72893562a7fb3d6c03ff3f390cf8a9708ad3341e9aed6087ef31d4a67d500076f39b72e7a26f3606220f9ba17236cb0ae19e83fe04fc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\82DC.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
133KB

MD5
bf0b3451b5d8e25fb1aa02eff8788375

SHA1
21a67bb8a129ff99da5e936853d2403f04c15605

SHA256
259bbec5e3a834d55b1d101414ec0cd5c881abc3fd704b88fe7d8433748dba72

SHA512
1c4c728f74c7685ceda8eaf827d00ff46d1711ba51594087a5e31daafa6b9696cf86dc3c4add7f6880f680b0abbd1d491dc4d74341806484243b0cd6026d43e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
79KB

MD5
b6e2fd676f7af1cb35a16ffbef85e78b

SHA1
df30f7b974c6473e2082d8b2af4143c5644fb651

SHA256
5597e58c3635b420a7af756787749052d8cf35d82d749a2cf8ea669b27c64936

SHA512
f0705da32b256ae84dc2b6ad31a7c2187f2af78d601158e834b02987db6eff30ca5daa5fafeeb6fc2c87401abb4e6cf31c88ef7011874f57c12e940bc8273f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
73KB

MD5
96dce5b70adb3e3754049e7b42a50562

SHA1
3a825cba4730cf783784c1222b21ca2e3f00cda5

SHA256
a41b696e2ed5316135fb62ce46407eca7db5be776de84f2e6b2247ec3ba72eba

SHA512
f82398d551ae66adf2db42e71cb22361e5604c2adf49d9a1161212a17c486ca72fede49eb28e5770cf88eff53935218910433afba8f534dd5eaf95cbb1a1fbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
51KB

MD5
315172c86f2021e43c180cb9f75c1b11

SHA1
e8fceeb120a27776a76261109940724fb9651d04

SHA256
a7c7ca2910eb1ae1041630189955eacba4cff8dd086cf2be1104c99c68ff4e14

SHA512
f7c08ca1e00330cf4a8111f56957970e0a6215dc7b18656623664c301309a66320d50c6e22d4140d0b3fd1556b85c397d44d68e2a7b6c4cf7e2080881fecea16

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
32KB

MD5
1b47cb3b91051c7dbb6f809dda739045

SHA1
be1d630e4f3ca817740ac846c53f7ff729bfc2fc

SHA256
0e45bce98d665b1b4fb3c4b55ebd86bcc499630c32a6fccbe7d666ef02e2aede

SHA512
3475f1742f3f35c8f751df785bc074f67fddc2f68906923e7b774fb1ead1b418d11a3bf90fdefcc01df42e4413460b8a4a17b42de1719fbbfddd89cb7523e346

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
48dfc289ec573907023ce69d40fed251

SHA1
f7346a1998294677f18732f54c8dcda9db1796e4

SHA256
5cbbfceaf1cddbc8b9192443b9d9be61ab0bca625ee1c147f8969a8ed686b676

SHA512
26ffbf32618284aff11ba3ef2d7e0524ec7fdd4b82517724a979efd999751ed740e1cb15926b3cbdcff567958605880e42db00230f8a9473ce55cee6e9f01ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
2ad9ce857c14457fba64964bedb4b067

SHA1
dadb28f4528ea2bcbd0f5c80b56ecfefad0686ae

SHA256
cad5489f2c6b94c69d8626a5e95910734df6cdf2ac73bf5f4f484483d411650a

SHA512
1a16907d26e3c1d4c620041a188e78253c78bc0ef45a00e8504e0f2521515309904ba6fbed0873a14ebf0244d2466459cc53f550ef6565b6d7c29e72d5bb7723

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
2KB

MD5
0de3b2314fe9abd15b867f160625c3cc

SHA1
ca76bd68f8f2a8154c0b1efcd76c39460b94b5b5

SHA256
b9c2e7561c76cdd13cbaf9d9686b2df8c6651168ad3f01c781ba7fa9ee51bf86

SHA512
fe98b3189fce4f6192ab322a8af0aecf56ee94de3d597f0d6c746f60b8644ce506bbb7743b1cd09d8da84aaff6764beae650335c5d494451ab298f33a12630f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
1KB

MD5
d7c75b973084fc64536bef84775773ef

SHA1
4ba97a231c651cf0bb9f21c833d0e15d2c1057d3

SHA256
de7e877c905b61a5c6c6d5a60040ee125a9222cc4dabc1398393785bcdb82983

SHA512
e8c5afaa40f10c983ec4470ca3ebfcddd9d5ef4dcc61a4dee165ddfb63d878f9a9e56f74a447feb9337fa332fd94f057ec6de16622b030764aa78137e8a5a808

Download Submit
memory/1232-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1372-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1372-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1484-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1484-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1484-46-0x000000006A6C0000-0x000000006A758000-memory.dmp

Filesize
608KB

Download
memory/1484-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/1484-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1484-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download