73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3600	b2e.exe
5312	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5312	cpuminer-sse2.exe
5312	cpuminer-sse2.exe
5312	cpuminer-sse2.exe
5312	cpuminer-sse2.exe
5312	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5020-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3600	5020	batexe.exe	85
PID 5020 wrote to memory of 3600	5020	batexe.exe	85
PID 5020 wrote to memory of 3600	5020	batexe.exe	85
PID 3600 wrote to memory of 2440	3600	b2e.exe	86
PID 3600 wrote to memory of 2440	3600	b2e.exe	86
PID 3600 wrote to memory of 2440	3600	b2e.exe	86
PID 2440 wrote to memory of 5312	2440	cmd.exe	89
PID 2440 wrote to memory of 5312	2440	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\6409.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6409.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6409.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67B3.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6409.tmp\b2e.exe

Filesize
20.4MB

MD5
9de3444765e490b3de84386be74aa25e

SHA1
5b62404a277d9c6735d69f32138a4b126fcff072

SHA256
1a104ec28b5a224256e6fbbd5239eb20859f69648e3204654febaa07826f171e

SHA512
485356beac26dbfb8d67f6d2368c8d07985052d23f03a3f65ba2704a08fb91f7af4baaa6aa5927a76b84ba2e53047eb2e91f8d7dea677acbf72a84d38833fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6409.tmp\b2e.exe

Filesize
9.6MB

MD5
066512bbd82d9caed54516ccd6a454c1

SHA1
36ee068ac478dc57ff83b32e0f04f241333e8974

SHA256
cedc45ae13d2b26f075f66c5e4c2336ab37417e371ac0013b5224909edfda944

SHA512
282387406d5873dcfda61b80bab1ffeacedb55e47d51b05116d3c318932ddbd230b93ccc1a01bd94dabddf93635ce1db8bd89f341cb82fbb1c1c72f9a29a7bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6409.tmp\b2e.exe

Filesize
11.2MB

MD5
2a31dd8a3782d07978a708dd5ae69a2d

SHA1
7da96d94e742ba49992af71f79af7436fe95ac33

SHA256
203a0939cc858cd7250d0f6f614a3b7f9f83036cfa5d1c04650e45277f1e2de6

SHA512
82b46066e06449a2b58a884bcdd533f858a480da424cd07586a27831af9a0f7cc4c38fb73331b15f8b04d1d6c97eb4db97212e3b1add2e893d71e40cb2d87e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\67B3.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
23d79e5c9aab672f8f60c5eebe49095a

SHA1
a104fcef7239607ddf1efe7b2c23e746dfbd0dcf

SHA256
698e05c0e81105d7f7175ef33574ef428340bd4729564a58f6190349283e636a

SHA512
03fbe3b84107563ea0e7b6b345b4cb4a3bd09153068643c1a96e53bf7504b004458859dfea0c66da065defc293436f3449e568b922f1796f33850f145f8a07eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
bde65455185d3146a21d4c812b6559af

SHA1
a2be3cf991abe180152fb5164b8fd84af5ea6f86

SHA256
1ac8a808ed1a81ce694b1996a625785621a85847966985491e904ecf851a8de3

SHA512
cdbc93e6fe39a9b76cfd3a41b2233b1b58fcf4e355143af87b2e882e857a6d7deb3558ffd9ba84f2bb5e442a4ee2dd30f3569b031c6c4deeaee9eb302a25f5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
2b27b8d246fa1e20140fabc9eb7b7883

SHA1
d801d9a958eaa37b10273b33f74d126013d1cfd5

SHA256
9ef1a0a6d73f2b4d6f897a22c61aac49fd58c31340ee1fdd44abd3b9ff6ebee1

SHA512
50fb9ec6b16a7247ff886a324db54da24ef3281b366b2b20c5b5138d11b5b0063a9a2640bebfe06f1a3d1715a06fae5a970d6ef47e0b36c1c7e0500a1df8d374

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
907KB

MD5
5fa91b102c37c8821556d447018705e4

SHA1
e39efdb8f5410912049f5caabddce0f3bfe99cbd

SHA256
27bd5aa06b0408502541953cc350d4a008723a90e9b49ac1a65848877919ac77

SHA512
95347c03b8b41d50094ed25754d6aeccbec3f6090b4e18cab06575aff3909403e75b38c1a6bd55b8292960a790af572bdd069c3ff28c4ca685ce4c54deecddf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
5dd3ab31e49d193aa19801a7b8dae915

SHA1
ad6c786b00018cae944b3f9bca260dd918578d65

SHA256
5e522163a80a930cf7e5957bfd8fe8010f424bfc877a8b8e5677d37d29099ab5

SHA512
552af96ea595395ba5f3139275617669c325eb1b6d54da9594c9c25f950cac2b44655a40935814e025eb7b3cd3696b93c4d28d816b920f1d37ca1773b4caaad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
7deebaef16de27b2dfe96eec1f63ae8c

SHA1
ee1d71849c7a32c6067e3c05918b8ce17e4ebe5c

SHA256
fcc617ad89ba00bd720928870fc56c4484e9817a44ee5941418cacc1d23ac5b3

SHA512
7467a4a503b89cf7a631750d9c0954ffa1029894d05c112efc968c1e5cfaf05ab15b97081a36147b46ee1bf88ec05726913811720ea7a969ed06fa9a74d34f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
0881af01e1a0256c7f888e94660823b6

SHA1
3d89cb6ffa4a66d4e3a04cd572ae5f096f0a480e

SHA256
f1cd85a1ad701c9262714d1ed27dcc996fe7fb8382c067d98f80a24a22df0751

SHA512
3c554c3dd45b1afe879280a1b1a752d796372ac5e94b6f8dee09a02e69ecbef0b52e9681aa437257387de77c62da1b9e31f17d9a1720b5ef6527bf1717af4a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3600-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3600-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5020-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5312-46-0x0000000055450000-0x00000000554E8000-memory.dmp

Filesize
608KB

Download
memory/5312-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5312-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5312-47-0x0000000001110000-0x00000000029C5000-memory.dmp

Filesize
24.7MB

Download
memory/5312-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5312-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download