73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3336	b2e.exe
776	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
776	cpuminer-sse2.exe
776	cpuminer-sse2.exe
776	cpuminer-sse2.exe
776	cpuminer-sse2.exe
776	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1060-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3336	1060	batexe.exe	85
PID 1060 wrote to memory of 3336	1060	batexe.exe	85
PID 1060 wrote to memory of 3336	1060	batexe.exe	85
PID 3336 wrote to memory of 5480	3336	b2e.exe	86
PID 3336 wrote to memory of 5480	3336	b2e.exe	86
PID 3336 wrote to memory of 5480	3336	b2e.exe	86
PID 5480 wrote to memory of 776	5480	cmd.exe	89
PID 5480 wrote to memory of 776	5480	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F25.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5480
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe

Filesize
1.5MB

MD5
089aff927790f372a2bc78fc111edf58

SHA1
cb777934ef131d13b21f955681346c555d139e9e

SHA256
a65b176d14ad4880b02ebfb05a3dedf4740853ff822dbe6bd3c568c3fa29bfe8

SHA512
96018dff9e20af8dd9e06c7499ac87c089646a163fc5665387f866e84e60e03731167c7f82c65ef263e86c0120d20e9291831e9721adac8b15ec1910d7483726

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe

Filesize
1.3MB

MD5
a87411e53e95f7ddae80bbf8dc5368f7

SHA1
63c952a3ba1581f2e301b2c4ef439f587fbef2dc

SHA256
8f6229233855fa7a211def569478c20055e552e91744cdde0d040a3fa19f4486

SHA512
5841dfeca65fd076f05b3f8f27941da5b280c128450dca26a2132a72873e0e2a5012cf8efd78f8a210049e67a4bdd51d84702def1d3ebf1b85a913ef83a53ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C56.tmp\b2e.exe

Filesize
1.1MB

MD5
a53219555a50d9e2fc1ec14271816a51

SHA1
bc72cc9003c7c9d900c9504ae5946e3633888c76

SHA256
21af5d440a3db67c0408ac35b7737ad8db02cc62db456b6daf2a3e6e576f915c

SHA512
09512d4b4f846b0b4a71d8c8dc6213590ac7790279ce0ac6c610c4847f9bd2562d1c84cf8439a2be4559f24d7eb782fc08cf623d9c6c1f3bc6ac6559659babec

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F25.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1005KB

MD5
d4cb7a5990da97498e6e2d038e8c3390

SHA1
90fb61c074de94e3dda3b0c75b847ea9dadf416a

SHA256
9d9afe89c91077ac6194ea0f84896766c9abaf2a79534965b931b1da02dd8213

SHA512
c3ff2ffc6d15e800a8da339657cc33b219c18b9570881894a7cc37cb0f1d2e8a70bf16a154185c5d25dbbd4675026c86d8a4633d675ac90e2d23e0467573859e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
512KB

MD5
a879c5fd4613dca566d5b1a782690dd5

SHA1
41c6063b0f0dee953e99713a5326856b55e08366

SHA256
3ee76359d6802a8fe11c5b144e18ffd3833bc7b49d66f190621d41e41ea0fc20

SHA512
e20f8f40822ca215c75767b8d4102583cfb3812c74dbc064a8619f214c164ab94da6bee0ae42c794a0af1847ff30c295b34d3015f87bfe597dba80339871ea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
505KB

MD5
6038dcbbce71ea5b4d41ac84f8d352df

SHA1
cb4698c0acd8e787e494a10be3c19a4ce75e74f9

SHA256
14e221863b243e5915db8cd72cbb7cf8f861471c0abfcd68cc63de703be853fd

SHA512
34f738038273de06defab966f9d999087080bb59d87d9d3f695b344e9e208026c51e526fac3a4522ea565d06c9b0f63cc454d55fabc9a0134d03c5bf51148485

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
596KB

MD5
f73af22efd16c77aaf5d9502764922d7

SHA1
a16b2098d7fb58e0264f9f2387db25b0bf3ae56f

SHA256
63d5c35aeee1a51c877273cdacf57a04595b0875eeb57e0f8e00565a826a03cf

SHA512
6a98d08ad78a1615f47d9356065dc224e1f21352a28f87e88d3e13cd0824e48a0115ac25edb431c9d9dc79266cde008ad9db6cef62cf1e348d77799443a2ffa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
843KB

MD5
e69ea88e01fde0657ee454bf8bd8f7eb

SHA1
e4615151b084610277b34b96d885a4369bbde430

SHA256
0828ea8aab8db2c2f7282c5d702392fd6161f10e0e2a9102c81d6df87f237cf0

SHA512
7d785f9ed6751421255d65fbe6029b51d0a29277e0d43e9679d9020ff37dc0ea8c4a8861a81cc64c2592e8086bc047ba59fd0548aca19e97906cead317a0d931

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
347KB

MD5
b08fd4df2bface382cc8279e04137dc2

SHA1
5e285e16ecaee025b7ee3df64e7dabff068ed25e

SHA256
e54114c9f3e2f1ff4fbe2c3d89e90f3414a79bdb85e0a2c1a5627a2de3f703cb

SHA512
ed089bc2219cca8f434a42986ebfd1e4a68fb76bd34918395c868caa969ef38d907e996b7699b7bd5d84340519d4cf5a0b701b66322f8b494074e1280d3448e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
667KB

MD5
f087e9a3f45b6d0fb01d7a324ac8abc5

SHA1
af814bf245b8a3dc6cfb3477e0a5696a9b66139e

SHA256
12992c304a7595b79b3d18986cd74e9ad8d806f8f1bef9ec4e0090d8a5ed07d0

SHA512
ecfe1ab7adce6761ef5cbc659544c762c298a0044fdd7fd463ae6682b821b48d3b28551e5b2e12e08251fac0bae8df7123e76a6497685737f3df2f45ebfe9c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
820KB

MD5
ef24614466b0ad6b994d20b2780cf71e

SHA1
da38c674b4d4e089a23de919067233152d58d0c9

SHA256
70a7d681f704acb1b2b643df0774b7b4a80e9ad7c51a4028ab3cd7a2bc9a9a3f

SHA512
fbd9165cfa5388301a1ea127921e90da767ee7ee395cbc85ec14210381d9a8753e3de2a627e9c92addcb69042908808e42bac4d9714a2bd19beb06687e86af48

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
532KB

MD5
e769e6b7da7dcf110b4a2be17b3eb667

SHA1
693b5d1e741ee966afde251286a2e164f6ec1e8f

SHA256
5664d71f94f1deb29473283fd121826c2b18c2164c16f899e8db4a190f2d6ab2

SHA512
3b12084885fbf1c180413d1c2fc2c768e58d8b4b466477630d1167b280fe0bf6ea3958f58546dfff004bbbc4af8820ce427a2a8f0b51575fef7eb8e9439aa6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/776-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/776-46-0x0000000058AD0000-0x0000000058B68000-memory.dmp

Filesize
608KB

Download
memory/776-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/776-47-0x0000000000E20000-0x00000000026D5000-memory.dmp

Filesize
24.7MB

Download
memory/776-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/776-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1060-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3336-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3336-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download