73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240221-ja
resource tags

arch:x64arch:x86image:win10v2004-20240221-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
24/02/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3364	b2e.exe
3544	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3544	cpuminer-sse2.exe
3544	cpuminer-sse2.exe
3544	cpuminer-sse2.exe
3544	cpuminer-sse2.exe
3544	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/852-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 3364	852	batexe.exe	90
PID 852 wrote to memory of 3364	852	batexe.exe	90
PID 852 wrote to memory of 3364	852	batexe.exe	90
PID 3364 wrote to memory of 5092	3364	b2e.exe	91
PID 3364 wrote to memory of 5092	3364	b2e.exe	91
PID 3364 wrote to memory of 5092	3364	b2e.exe	91
PID 5092 wrote to memory of 3544	5092	cmd.exe	94
PID 5092 wrote to memory of 3544	5092	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\60FC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\60FC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\60FC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6477.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60FC.tmp\b2e.exe

Filesize
6.9MB

MD5
af408b23fb68a72b39c093c225604cd9

SHA1
6fbd39519b45820c829144703f724698d3bc14e3

SHA256
bea5cc0179a71e71b0ae296d28d8fcaf0ffcc2147cc1e5851b160745af5cb8ec

SHA512
26d74bfcc22041a312d81e65f55b9fe2d51475a4b052f4211362d38894bb625918453118cbb75618e5593b104daf7b05fe8cc8144e5da3028c6523371ca5b472

Download Submit
C:\Users\Admin\AppData\Local\Temp\60FC.tmp\b2e.exe

Filesize
1.9MB

MD5
b5ae88e85e1084225ce0118ce701db12

SHA1
d4b5002d16549f82c16ef027005c52a58ec9d8c9

SHA256
0a02515a7262451015ed48e82191dfffcb03d31b76f1c8fca7ba337acfef9fe8

SHA512
5dafba51677f3348a2f19eeaa82142c9aeacba7b4e4d3a6c28bfaba21622842b30086a3036979f16da7a241419ca4c47752cd58a0e42f7c68aada32f59c48e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\60FC.tmp\b2e.exe

Filesize
2.4MB

MD5
000f75482a8f3c361e1ef9b58a16ee5f

SHA1
4e67fd460b9fa59dc5c1147833ad2f40f94d0279

SHA256
5143fc3449d84ea5cf510321dc92e2e28e68385863a6b07da646a406b53a875e

SHA512
fe72c633e123cea33c480746a4534fe6228f2c1f6184edbc75c144a201fb556ba0d68415c2abaa9c844a39bb900300f24476e38a4e13825829da54d629eaf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\6477.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
59d71c348dfb36bf7dbcf49520368ff1

SHA1
db9a230e2648515217c09937cc17d911a743f951

SHA256
702183adddb83af8786b5c1e83f21b4e15650d983a305c1a825b53fe090bc7a0

SHA512
166553ec1f38bf8e34b8172bc9616fb77148ed09fea87db841f92b7cbc64989539950d9ffeb995d0428748181418241866312b9e9b03cd170e2e7ab147ad0ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
d1e029c4c71bf6d3247bcf1031c429bf

SHA1
58911c52b8e1ea1f8a4dd4881c0edd010761f93e

SHA256
7c9e2bb0ead83bbe9a3022034e76ec7801a368312bd6ef9133780ca778e5ab62

SHA512
e624c9d54f9c9cbc18c54a01a7f4c58fc850988828ec30c0fa36565cbe8d8aba1a81be05f27f02ae31fabec4ec0f28e21c17886abf1c98e117630b766528093a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
537KB

MD5
66d87263a9fc9df2afa4fd213f7fdd45

SHA1
9934e5773453edd484280b1a17320cd40af2b7a8

SHA256
48abfeae9374182f2ab20e55f24619d1d3d7a717179f4fe094c3227c6674d261

SHA512
439d41ef7fb4ea23e2aaa94af1ff27d8ef988097eb48cddfe7e0da14c31ba55c9de369bdac80e08c6401008bffa42e9b07ea1f6d86c0dcfd49d57877e522c167

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
469KB

MD5
19454148b18de4df64a9711c56de3f5c

SHA1
1618f6b648b1151863d07eac08aa598cab6e2e43

SHA256
5c5a88b7a3acb95ea9d0bb18f98fef73cb76871e5cd81f6abaf1861d94ae5856

SHA512
360b9761f3b6eddc2b4b3c926b17d067c79689e0c44acbdc4cc220a89624d4eda6216a1583ca9f4b1185cabf67cab97149dc74f70996135d183b40959ad30181

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
458KB

MD5
16d0396da30556f7106a7a4242b65501

SHA1
dd79abf42c661bb2415ad574bca188634c767ff6

SHA256
22d4f768a386b7f0d3537b420c84b909831596065bc123172784d2c3011d3ae4

SHA512
36fee08660d5ab23c0ea6996194ca70b3297402c996598911405c28ae4878dc773f8e81cf9bda3a08ea84c660a19ca641e6f1c8ecb6e843110087af9710ddc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
722KB

MD5
4602c387aa7ffd09a9ec6a722761f279

SHA1
9a59657ae7fbf3b7e935ea2338ccab7cc180ff7b

SHA256
6f0943377b3c76079407361ee272f3f930890ad6a31e0e293bf49fb2402dc58c

SHA512
7cc1ec7339a9e69b3dac984cbfc083683d8257d964fd7ad52570f67717195e7c258e4936060b24ff7e5d4d74f6c894cd2ab51f25955022bb91ec7d3a645082a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
629KB

MD5
1704b7d0cc42c67e2cc07d2bdc088bb9

SHA1
f4c91309352630ad8cca6067d1d77c752c5655f4

SHA256
2ad758c03d8d23081d51e9828ddcbda98486222516205fad46fd6395e6d72166

SHA512
feaded373c0f2cecf9d5e55b4fc701fda92f6a7c776108d9bd2a95dd5814f1d5288cbcff11dde7fb814a234f92b22265036f2afe5fe43e8f1bc855562ed39b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
730KB

MD5
d917e341fda0c88eb11c54352d90d204

SHA1
923ea53580396c7a62dbed0338d2a88f2632912e

SHA256
bfc8eb13394295ee98e92021d84cb6de7fa6e5809d92310ece39994833704c66

SHA512
6f4f0299b26bba2e90d4c70c7e98406d5e26d5c853b05c1ed2caeb7037dcbd3feb4b91b497616336203126d294cc51ca58bc0a67b6524368447106014736b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
630KB

MD5
1048098620ef92a36bb4ea56c85940e3

SHA1
409ff219a8f56be8c65f8da77e5c3caccf01938e

SHA256
d71bdc20486e2f9fffda02fe71212edef21e11486447df6a4f2ed61fef287d3d

SHA512
4272a816b32c4fd910b3c704f90bd0499d620acdcf14dac799783c079e6ad214e14985f6b63ca76936f0db41c84e868678e6eaa890f1d9ca42079d7e5ba11450

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
593KB

MD5
84e93642def511c0f1761029b5d43d9d

SHA1
ac40efb9bd8fd27a8cb4c338f20b379306a82c5a

SHA256
d68c7ab6e06a4f6d0341a6c12c6bb161658705222e8cf6c91484d2e81fd344ba

SHA512
d64815767a59abcd271d5490d87f5679ab575109fa6a0b3a59e59338ca7cf81d1c00d5b58e6cb7ebfcf90d4f16e54a882ac3da36c9f0888f90f063497de842f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
445KB

MD5
dddd0b97eade1d4a5f3e9bfc74c1a541

SHA1
08d7587b3f75dd4bed174bf242bd27c58e6ae972

SHA256
c778d81ce4303332b6566a111b30fbb936d744adc94ae1215ccd27e3c2aa4eab

SHA512
270b532d3cb96a1a6c3779b169f0baeaa9c04cfbe1df929ccd1043a1326fb6095a288fe7582de5814e4f0f8117dd3b71812d59bfacb5808a842f971992544bdf

Download Submit
memory/852-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3364-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3364-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3544-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/3544-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3544-46-0x000000005EB80000-0x000000005EC18000-memory.dmp

Filesize
608KB

Download
memory/3544-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3544-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3544-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download