73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
295s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5624	b2e.exe
3344	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe
3344	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/732-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 5624	732	batexe.exe	65
PID 732 wrote to memory of 5624	732	batexe.exe	65
PID 732 wrote to memory of 5624	732	batexe.exe	65
PID 5624 wrote to memory of 544	5624	b2e.exe	83
PID 5624 wrote to memory of 544	5624	b2e.exe	83
PID 5624 wrote to memory of 544	5624	b2e.exe	83
PID 544 wrote to memory of 3344	544	cmd.exe	88
PID 544 wrote to memory of 3344	544	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\733C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe

Filesize
75KB

MD5
cb57d5bc889b34b316a70009e4df5d10

SHA1
db400322e1c8225491a0299dd8bd34991ca94200

SHA256
2e67079adebe6b9e3c50198a06b04116f94db3bd89e02026e4491c224aea4140

SHA512
53d3d98f6c1479351fd0dace240e52e410374ada50b91ea387b5d771b64d19dd55cb1485c748a046e1e188a0554fe753af11176bf9411a0a15993a96982038b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe

Filesize
75KB

MD5
e0617a0745ec4f9d8ac89fb6a2c31142

SHA1
fd5a165a4d04d11fcf9b010432fa02e0164ef018

SHA256
cb99046c7ef20960c2180fcb49bab132e163556948b07840e23bc5786d613a34

SHA512
b3b836d848ad6423283dc25bf47eb279ca70eaeca6e97c4ee96ea3daa2dacb1cdf2cd8f2990de27d2c43978a8699b679b2418338969443db21456b313a126fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\707D.tmp\b2e.exe

Filesize
12KB

MD5
9321d7aafa6b53b1741e3e440d835659

SHA1
8724e9619888f0751313c90be88b8060e59328a7

SHA256
66f920074dd235835932948a9c597ef87f08da92200b8292abb122bf590d710a

SHA512
c5f44c0f64baacb4d7fb0a15cb40b3cab3f2f6631c340b60bbf5fb6cab94d5ba4daf70c59c93b513d199c112a42988555f8f059f0158bb13fb75e0bd1f88074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\733C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
190KB

MD5
9238e78e68dd632d7de40a167eb78d16

SHA1
1f17b9666db428418c07086d06cfb8c5e3701204

SHA256
c16c5e5d510fca35ea9283d75c6ad83ae23bb5963cb55b5006a45c120ae2b6fb

SHA512
788543b82f969ebf9699de0fa63edda618ff87b7cc3853123e6bc3a4982aa192f0d24a4fd4dc116e3bd863ee5fa6d5d66e7aedc112f2cca88bf88df2249cc51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
79KB

MD5
394a3ac6ca55cd97265f1313078af6d6

SHA1
d4effb21e53ae53cfa9c86bfae826cfa7c1e3eab

SHA256
fef32308329dd9640929e835bc93ee8395337e78bf6bb804041bf3d8cd20589e

SHA512
a9fb545d250ce73cc1540372fc7295efa31c16edf9ae99af5636b364166a5fbc2b83f1c5582095ad443fffc38798417a79c90f666b2b40ce3a0388dbd7e306dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
92KB

MD5
e727c96c1f4c853a6b2e00c03110bc90

SHA1
b4179d244c3b16e8ec70424e37ffc37a016f6775

SHA256
556aa4087990a2160c34c55fea1bfc3dd614824a7e8cf2631511a18d36993295

SHA512
add2f735bc54cd9cb2b22750384ff2d2dba79de3dec0ad9a9219db6dc01636e5a56182ffec012f8137d055198917ed91f02d08ed3b2ce8b05c93b0ed9d1a8843

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
173KB

MD5
99c4ee394c9e1bcd0c8195cb630bfd2d

SHA1
b31209326ad107adc659e4ec8edd6706261978ed

SHA256
7b92ab7e90831b43b4e45fa33385f2711a313af839954ce77efceea8f72346f1

SHA512
13ca4cf00e9cf66e9a5df0c97624daf81b74647e972ff29d564e1ed0818e2c57ace223111b10a0cfc3fc928c36e9328591cc06b9367ee6b702f0d769202026d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
122KB

MD5
6bdc429ccf5d1d622b7792d0687247a0

SHA1
ea3c0cd9be8a98014519cd310d9c7e27ec82c418

SHA256
3fd0085311dc59c703de7099ce9f2b811188fae691cb931b7716a9a40687b723

SHA512
764bf1f1ba4387e8d8ca401ac2314640bc01d240c64fc93627fd281482722122f803bcc9ac224704882f716b0006901e6fa80e8bdf7bb9bb02cf3f6f3e5b3e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
154KB

MD5
2cd8087496a9ad41433e18146d84aab6

SHA1
7ef5ee75ac50f6d86272b5eb3bad6f5732e5bdf9

SHA256
f7af524e5b18b13f32d1f1c6aafaded34ae914cd1ec4893eda7679e5c7835b4c

SHA512
29e77554ebd2726209e917d774f96cbe02233c68ef6dea91a8ede8c7ced62b7ae65671b873d0768df94ef1f66c56868b5d9f1f6bbb2c324972a9714e67768335

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
211KB

MD5
aeef9bf015075e1a739e1af9205ffb3f

SHA1
9b3f53d1eadfdb236718f34f46581a744461930f

SHA256
1e265bb01e91e2b584933d0c70b8f959715b6a067c085fcbbc6d40815e8608bf

SHA512
103ab066a28815c5c76f834112a53c8d9cda87e4eae610cb8b73c4601c739e2c910545daec2c31ca963119bb57f8e49f38d7471e500ab868db5a8216718090eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
91KB

MD5
bb534db6c77c314758d2ef7b6cbb98aa

SHA1
b6355c25a5702285fa996abfbd2cafac1069bb89

SHA256
d7645e66779df37ae743322b410ebba461d83614591a690caac08ee8e7c727d5

SHA512
5ee652c59d639f245cb4aaccebf52f811d2805f16c987c6f5ea08b49b7f3d49c6f20cd2d973f57de90f78fa36816dd4dc1ed33c980113b258bd7eb4da222c5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
56KB

MD5
f12dd034386af00026320575455e714f

SHA1
bcdb2b78cc1487f979ba7d17bd0798b978b5047b

SHA256
503dd05316594ddec88ad2322713acb044e00f0cec7881b13b50075456234156

SHA512
0e3e6e1fdeeb3b505072b00f739c5cc3f4e3533175361e5c318ed0752f9d81dd1ea935247899377d610f9dc85124a55032e7570811219a94fa90479d16f4117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
72KB

MD5
a30987bca1f5190c1a5ac817c852793d

SHA1
ab474c5382e84ccd0409342c4a0440f0886a9c24

SHA256
ff342c08be75275ccc2880dfeb413f716d65b16181228004b7543b46df985e2f

SHA512
987896e29cd1ca993924f740ad63054794dc4286956ba84d98612d3e2ae2deb3724e4efeec2bd10dab31323285eaa6e33e8230e6b0ae796d5df2b98b8908e307

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
70KB

MD5
5b48e80f8b74ef84312c3ff1bedc850b

SHA1
c83fb869b5ef33af2347e1deddafae48ba1300b3

SHA256
516cd99dfdb5046372b19a53194456b81424a2fb3d7da82c04d6d77d0454c7a6

SHA512
ddc9634b8b66752b22f467abd5b2d41c7dd625a0d3e9995c2717b9831600fd7f73131a435538e09db5e2fc710a31d3841f9f8db27e39fcf3bf93c53b2abbe0e2

Download Submit
memory/732-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/3344-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-46-0x0000000074D80000-0x0000000074E18000-memory.dmp

Filesize
608KB

Download
memory/3344-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3344-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-47-0x00000000010C0000-0x0000000002975000-memory.dmp

Filesize
24.7MB

Download
memory/3344-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3344-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3344-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5624-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5624-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download