73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
304s
max time network
326s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3560	b2e.exe
5064	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5064	cpuminer-sse2.exe
5064	cpuminer-sse2.exe
5064	cpuminer-sse2.exe
5064	cpuminer-sse2.exe
5064	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3440-1-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3560	3440	batexe.exe	94
PID 3440 wrote to memory of 3560	3440	batexe.exe	94
PID 3440 wrote to memory of 3560	3440	batexe.exe	94
PID 3560 wrote to memory of 372	3560	b2e.exe	95
PID 3560 wrote to memory of 372	3560	b2e.exe	95
PID 3560 wrote to memory of 372	3560	b2e.exe	95
PID 372 wrote to memory of 5064	372	cmd.exe	98
PID 372 wrote to memory of 5064	372	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\8817.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8817.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8817.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E6E0.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8817.tmp\b2e.exe

Filesize
1.1MB

MD5
0369ed73e06eca91672ad3ba4d303437

SHA1
41e2fa5a09745c788b551e233a6e3493490c9a07

SHA256
bccf1b37b5e32a449ec1180f61c9de4c70ec20c4501d8583a3bc6507d2faaa68

SHA512
20cf1005fd79c65913fcf68c9336a21674e27dbe1de16e082e7417cdc5a6cec935b295530f5a88ef34f913147c3e965797f031aca2b2e94d1b38901d4a82b20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8817.tmp\b2e.exe

Filesize
2.2MB

MD5
252f873dd45d832f18550e51180f56aa

SHA1
67f4e6e8279abadbd13bb983395996673ae66b1d

SHA256
5fcabe5c93afaf5ff6eb9a0e77a89cce5bfb8767b06ca178af6d21acc587c9c9

SHA512
d79a246ed492182a12c72564ca728db7a6ec5f7a8892f13d50c2043e974df2abb9aa8a3ea407bf12ed27d41a9c6939be86ce9bb1518b6c0e565bfc32b4f52dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\8817.tmp\b2e.exe

Filesize
2.2MB

MD5
5f44de40ee1e3a464c45538cdc3a73f6

SHA1
201f9ece06f4edf3e39ad85bdf38b55ce1fbbe89

SHA256
3924f1cc6e7533a4d33dc448bb4c6fc70d50a6c25a2144b70ccff453a7fba08f

SHA512
49b385fa78cbf7c3e327231dd6ac94746b89833e31b55ab3bf2832613e671d5ccff6e077569bf1a6e39ae49e50f89a0971f61f4f454cba5e7b10e87737849147

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E0.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
600KB

MD5
3736312911d92e2dac8536e335415549

SHA1
7ce431e3eaf487574cf96f780263dde575546a47

SHA256
366e7ac28b557535627ebcfee9e314f9f3ca6e2363432e3dd04adf1a4ae8da51

SHA512
6f6ef8b8a829d3fd361269e7b2c44b79e7b35c427b355391f2dd9a5615380ed4be054c70bdbd2cb8bd093fd785ea97799ee7f756c61594e10abd4ab6876a6292

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
940KB

MD5
eb19e3695dfa59bbbca1415e113d6140

SHA1
5505587b4717b6b927c0fb0dcb796d1254c62a94

SHA256
253032bc1d57a9c07714b63a244cad884e6bc0ff46240b564c2aa67572ac2674

SHA512
064c17912fd7a47bb0c5dd514b2215976fcc27630f30d19ea5112db5f4048df0b2b43341314ce5fce4e145ebfd42cdc695622955ab6ee96b2b87a12f2ea87925

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
612KB

MD5
4797470e3f21b069d86f66ca8e37b90d

SHA1
0074863cdb465bd3abf45235e448137e9dcf6f69

SHA256
66fbb7bd11292944f798686d34477ed26a8824999292cb37979b285730040050

SHA512
710f08e60c58459b3ad8a0d9c723bd6584720c60aff8010a7a8570a824dbf858050f7ace587744b7e3d1ece8ba91febff62420f46725be77b57531d08245c29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
781KB

MD5
2f467d81e0bf1b0486d8affac60d962b

SHA1
7f6b2b0d3c875c5014fb4f5b24d405f262a9234c

SHA256
da8e4e349bae91341e743b2cff492e65222f8465e063458eb443f483b56be8d2

SHA512
43a87f7ef0d5b434ea3da90de7bf79abaf568d67ccc226dcb68008d0a68190b844eb568741fda18d2f95f786570cca4db0b28cefe655020151d60778cf7a8d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
698KB

MD5
5b72fc2e2ff4e440bed4c7f392cb28b6

SHA1
60683c4808e2d8162308d44410776446405676ec

SHA256
c2fabaf302fbd2caecb05c6c410b37a93108e0427cf4176a8a09193934f8c2db

SHA512
adfbfc823c5e653683f1f7c0302bf03e5545bc7532e8eeab8b69b0337beb0f5e4d9d7c9368a97fce64ec194c1c60255ca8fb108aa5b934362d4be54398cf73c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
50b64c72ced5230aca08fed866e4ec01

SHA1
383d6767436d6a30d7106550030fbcb3f4cd1239

SHA256
5a917b340e1ea9112ba3da19fbf763a971a1a87dfd19d9474d4a11892052bd33

SHA512
b199b94a5d19c47b5488907e7c878d0051a82b454bc73d5e78f9c6f71731960a8dceb8e4f37fbd2dbb93adbd2df540d43178342247956eb8865cdd17d2f1be83

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
669KB

MD5
d98247460766e7edaeca3aac87a7cc26

SHA1
f330e6e0d9e45f2a07e4682b60ea7c32877f90f3

SHA256
69f0db9c3c2ad772a2d6dba976a86108686114ac36e664622b858b279434a09e

SHA512
1f862e4bfef84062f045b73a9bc51d780fcfe3bb3976948c7bd88418e3f406d8d44d06f23cdf5f5e3730ee01b34a2300086707392086c6cb03ec9d1c96fd5e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
375KB

MD5
c2ba20bde1ea944ba28d3dc11bb79e8b

SHA1
7762173a189f2dc1ff12390afd0af8ce11cf4a48

SHA256
6c7169871e98e0db1cc9cff0152fdd8b9e90ca7d2dfd0f4c95adb6ac5d8c3bed

SHA512
433008b38fff66fb4aceb488bb31b080e2a1653d41e39ffb22f8ac364477c4e9b4e537de2ac4ba64e9a51450dd4d5f77510726d1964c017b3a41074b5a946beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
358KB

MD5
d6cc3ec5c52b9dbbef418cb17e234bd7

SHA1
abb124db774fc37b5dfc3c8c6fe0fd1c90b840c1

SHA256
f7ffc97a67860e02ec42157e56414ca4162455449fb7141e45932ba1f825c741

SHA512
56ec6185ec7af3a9d4053abd145ec02e898274db60454a585be9ef0963503b8400b29d2349cea371582d43c373e8229419db8d9b184342499bcbe6c48bcd9647

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
435KB

MD5
7e8d54f62de2440e765acead71e350b9

SHA1
688c45380e77ee051cb087187a7e23e09b44ef54

SHA256
b53bf0dff9276e81fa781e7cf7447eccb6d7842d22e50ccbc1474dadab401fe0

SHA512
899b566098a48a4f255364f99826dcb3a65e7d22f810d1bedc9a4cb801dfb203850b1350d075c9c0b74a01c4fdd7ec788e83dd4596b80e6a4a16deba44bcdb9d

Download Submit
memory/3440-1-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3560-10-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3560-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5064-48-0x000000006DB00000-0x000000006DB98000-memory.dmp

Filesize
608KB

Download
memory/5064-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5064-46-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5064-49-0x0000000000E50000-0x0000000002705000-memory.dmp

Filesize
24.7MB

Download
memory/5064-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-85-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-110-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5064-115-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download