73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1932	b2e.exe
464	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
464	cpuminer-sse2.exe
464	cpuminer-sse2.exe
464	cpuminer-sse2.exe
464	cpuminer-sse2.exe
464	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1048-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1932	1048	batexe.exe	84
PID 1048 wrote to memory of 1932	1048	batexe.exe	84
PID 1048 wrote to memory of 1932	1048	batexe.exe	84
PID 1932 wrote to memory of 4232	1932	b2e.exe	85
PID 1932 wrote to memory of 4232	1932	b2e.exe	85
PID 1932 wrote to memory of 4232	1932	b2e.exe	85
PID 4232 wrote to memory of 464	4232	cmd.exe	88
PID 4232 wrote to memory of 464	4232	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62A2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\b2e.exe

Filesize
27.9MB

MD5
1d1ae1014b632d8dc37c60ffd0d15d3d

SHA1
68f10083ec00ef67a26f5942d393293a2b421d07

SHA256
6d7155f5e3a2e782dd1c15a1c0064ab37d53b856b2fee23cb8bb6206304de6d3

SHA512
f8bdb49cfea21ff734d5069e0f9b0ef3481fc91f22927f34753cc07cbecce18e51b3fa9692a343828fe824b59defd5dcac32be45e06cfbd07bb1656ced615290

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\b2e.exe

Filesize
12.4MB

MD5
3c6edc5ac42c9c216c04ab81084ca5a3

SHA1
f721ab4f0680bf4bb133b8d7bf054e5c9587cac8

SHA256
4d66120a98986bf2c7da4b37f7d4060d79e85a18da535b24a83fb7017708a4cc

SHA512
d691b0f7c42be3f5bc27128545ccf6838bf7adf14ca273adc6c557b3ddc4972b847e45ae460ab44e8108211e61d9ef8caf96064893fb74f195bda574d9af14a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EAA.tmp\b2e.exe

Filesize
14.0MB

MD5
6acefdb12e2bcdafb3b9b58994a32aba

SHA1
69b981ad43bdc8557a6d71def251b1b2aa30dad0

SHA256
64f803f9fa1bf98eca99977907a3b3b5ceaf1c04b4b47019ee75f420baabf780

SHA512
b52ad14e22d7d0b93f35831195dc40f715cb87f62b785011516fd82d4006f77ee6ff6b692618a9efdb668c1c8c7e6d5809a7a3a91d12f39cbe728b921671229d

Download Submit
C:\Users\Admin\AppData\Local\Temp\62A2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
394KB

MD5
37ef6c8360ed1183ea2e72373458ee8c

SHA1
76092990ea3a57d8a352d65d876836c997f13f64

SHA256
de597360e568439b76996e645a31e108e4bb8158f64d505cef86398fedd0c559

SHA512
d79c90bc8107bd2b55a885e287795ed4e3b0b4549a4f4795ba74cbea22165e31cf338181012f74b392e5bf26e9870d8e5bf6f2c84bfff7916ca511c05a1dfd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
296KB

MD5
b0db0b0e058805ea26f69eb9a6148b09

SHA1
f2296cb21d87fb3019a1998afe6d39ebc7b9b644

SHA256
bcd3ca5d47d53a0628a78cabd847cb42139c96d4c6ea52716aa6f61a5ed405f8

SHA512
4e03c9d07399965d23260d76aeebfda9c4c2fe3660d85110221faaabf6c5fe39c7b6a897dd33cc94ecc7d82daf461db7080481050f89f8913c0eed556feace87

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
203KB

MD5
440f6043547e6c2f69bad77797d4e589

SHA1
081c049f8bf0b2a402fc71afb6420043d93b97b4

SHA256
d90e91f22d8838beaa349185a1cd2fb6c23584b19bf156f4790148d9b4f55f41

SHA512
504da720a3be8d835889cec84a284bf055ae5feb1669f97daefb3380a0d44ff6da3766f8e0b912792489a0547fe5100f4780a1e2da59a464b3d6db5ca4ab172b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
226KB

MD5
3db1bfb51888181d35333a25d37a8e4f

SHA1
7171c95ce162ed9cefb9d1afe4947d9049d5dae4

SHA256
b1ebe636741d970146c9967d66d4910aa06b7a5b21922941d1b875514be1b1ac

SHA512
e14357e199a3d0dd81874d3e8d39aa21b28b061803e5bcfc602b6eb8ce1dd787107a7dbc51b5e9603b9bf91e7a6fef5b4d1819a3e8d2ab910211abf7e6a55d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
396KB

MD5
8b298745048e5e2988d566b4fa474ab0

SHA1
f6145ca5d005450352c8fba4d5b7f3f471fef1a4

SHA256
72f3423755f06ea445405ad33f80b1a08f992d900b15af421b59068ec9bcfe59

SHA512
d4268ed9ec359a1137de8dbc4520341c782a65ca0927a4c8d20cd84b8ffd4b26a52c34ff61c7693399cdbc15ce0a8836e0b411ac8dbfd9829594e148b1875032

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
456KB

MD5
00ca0b587a5e94279be4aa8c9a271925

SHA1
3ab7f50b740d04628a4fc146063b207716b51375

SHA256
dbc56376f5d3987cac642d847058b1323b9b01d501924473e0082f81762c0aff

SHA512
325cd825c3cd4f49f0167437cd8179da6fd2c22440c247f4ca237da867ef3511897452e6b6cd8a45c5948e559b338cf31951a7a575f8daace690610cfa7a966f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
354KB

MD5
1a78794cb8a32fcedc81ce22be724307

SHA1
988c7393900fc60a87e97949e82c7d071d1ecbae

SHA256
34b42844c9e3e534f8901108aac2ff43d41fb6da15a9294c7269fe1acdf5f0d0

SHA512
6cc0a16222afae03a38f7da633213feca36d3504053b2d195dd4c2fe181aadee5c213d31a2343cd85ff060b21d0c54a89acb11f5787d5c6380a38274af7fb26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
125KB

MD5
405bf86596d8467622abb000baf7071a

SHA1
b58d099c7ff35f3aae26701bef86d99eb7b9f0cf

SHA256
c1f014bb2eed1d3dc73a80539b8ad8f68cbe1dfdab89392869e8beba4e5d72e3

SHA512
60763126071f6bae8a505f38deb8f2b258480c8245172c9a507e3922bca7bc05285c928d8ec9d8fb52e86b9308dba97351c53ff9017771a864f4693aa0e87e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
81KB

MD5
e6b76e4cf11bf7bbd4069ccf7dd27e91

SHA1
49f387815f6894b3cc5612a91066c8f2a2eb26ae

SHA256
90c8307fbee9f70d73907d70f977a408e8684df5cce828e5d0d0c935cd45dcd9

SHA512
30e8260fb7fb3b5d41c2773464447123e2de33ff65c465cee45e2966cd16d71c99d1d6e285140d06785c2a3a5b5201f49ad4c0b2b7eeb03cad1911bc631cb8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
437KB

MD5
69679679c2c2e0fd69aef4674f0d060d

SHA1
f924d2dcd094783b90fceaa2dd93627ff20e896e

SHA256
5492b35a92236b4ed623ae3fc4a8d6e4525395c52065a846cf734af8914e9e0e

SHA512
856f40f741e731f961881b15c7258254ef1818e741fa3d68b05911fecfb35a51b5e6d53f5e50af160d1bf8752f3af32ee806ab7f34acb67a134ecbb648fb4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
293KB

MD5
33c648516b026a6362d9d664e010ca5b

SHA1
7521f42364933949317a47ab8850d2952cc4fa2b

SHA256
c7356bcbdc4b0ea1a4763ce1b4a7042810d8eabf656a396c6b4d1b939ded7b14

SHA512
e4d2bc8107a782f3a2d9f722a9385300b254879126359d36186ac50a04c948910b1a9c2a0594fc813b9df5eba7c093f35631a5f05adbc826fe913f2ebf93ea9c

Download Submit
memory/464-47-0x00000000010D0000-0x0000000002985000-memory.dmp

Filesize
24.7MB

Download
memory/464-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/464-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/464-46-0x000000006D880000-0x000000006D918000-memory.dmp

Filesize
608KB

Download
memory/464-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/464-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1048-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1932-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1932-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download