73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	b2e.exe
2924	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe
2924	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4020-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2672	4020	batexe.exe	83
PID 4020 wrote to memory of 2672	4020	batexe.exe	83
PID 4020 wrote to memory of 2672	4020	batexe.exe	83
PID 2672 wrote to memory of 1084	2672	b2e.exe	84
PID 2672 wrote to memory of 1084	2672	b2e.exe	84
PID 2672 wrote to memory of 1084	2672	b2e.exe	84
PID 1084 wrote to memory of 2924	1084	cmd.exe	87
PID 1084 wrote to memory of 2924	1084	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6040.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe

Filesize
13.4MB

MD5
2217be731c43415bb5a7e99ec2dd2326

SHA1
e1396e776f1416b84385809b84ae9ad580662d52

SHA256
ef3c03144fb8f187f8f3efd27a43e5e477a558e2e2d7467f4ee3540d79b4fdfb

SHA512
dfa9ffecc1dcdce00853b65320d4026fdeba483889b4fd446c92621835771d09ab3bca29cbba9cc8ee91728480705cb0d6c4c019c8a236b4cc4d98d36104478e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe

Filesize
3.5MB

MD5
280b06fe35ab8fa5b4cd54a281fddd22

SHA1
36dab666a38140f3132dcaba79a972486d1785e0

SHA256
972a76c0d2019cf10c84f1d28ac88fbc6b94f037b3d114ebbfb6129f80f264e2

SHA512
ebed101e25ddb58ca4d6e1fbe3a676da18ec7246d3190ec7dab4ba3bddac29b3e532ea4a6277d9e414c8141fe502432e5da92efa357d366b7a3b384ec8ef2831

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D33.tmp\b2e.exe

Filesize
5.4MB

MD5
d2d21e4a5337b1b208a9f0c9a614a04e

SHA1
aec0cc2306b4f206d677c5e6befa2a48d772cd58

SHA256
891274973ae4486a47d771ad6d5fad7c90377dcb91dccb4e98f5b0d9ad153c0b

SHA512
c7060d89337d618ea442d4c00990ba18484ffe6130233aa4a4fb9d0f41f722cefc24cbd6e188c10889bf3a94c6e35c26655475833c4a3e2a66ac3621fc418c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\6040.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1005KB

MD5
9bbc14d303f7520d471239abe97697f7

SHA1
304814c662619a037b1423b153e195b66ddb3395

SHA256
9d199d0f50a749493e7256afdd1e7de5b8a7c3cb0666b88befa0200a16af7f62

SHA512
f602fa4e3c8f6b7f9a5533b01bd9590a1c4e931cee7158a0d0562ba42a15fba406d25f9dc9200cdd23e2ece64680a1006f1dba30c3d163aa987bfa97c147b26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
798KB

MD5
713f2b316f8caf84381ac20b94101198

SHA1
1a6ad2540c137edd01e11185fae115d8ee2cab1a

SHA256
845e3081e0f2d877b30d9d14b44bc2c0f0dd8e863f503b2765864341dd1b62c6

SHA512
79eb7a04777d5b3e80dc8d42f9bae1fe6b40c59d9f958e2316b30946bebfd42427fd6ce27d67039e6f5ea81d3a84f0693ce9efa82cb0565f07cdc0817ca6386b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.0MB

MD5
57bb5dc69ae15938b066bc2b913ad54f

SHA1
b9304abbc513da169d01caab3665d9b4c2ecfe39

SHA256
3acddf3962143565919acbf9965e1ce549c80075a7186c0a001cfa29b5ffc2f2

SHA512
d9441aaed3d865a3f4276202dfa8d2b2d5bc2cf8d5e6a838e22756dce69cc47b2c62cac4103cd36c12a0bcaa3613c0bea912851ed4834d99175dad767f7279b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
952KB

MD5
fd3e74a7a98e9483b6c5a0eaa478db5d

SHA1
6a6c8caf9477d84dbdbbc5244d8f050693b09cac

SHA256
1a22f2d0c3ebdb011940495900fdeada7d07d5162b858242a0916b1458f32e6a

SHA512
11eb1d57784e21e2ed2006dc01c23158f2e505bd294602f154dc1fb4f54273a49a9feb3c5294e8b05da640dd6bebfa1ae3fabcfdb3fb2d9f1252d3264e3f5067

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
7041dfa30d2ed4f4b58057c414de50fb

SHA1
8429dce1355d790937f27ecac9d18590fd945441

SHA256
c0c1f00c1785035e90624b32172d0a146ea2fbb3edd29389688368ee82a2d042

SHA512
c93607fcee150d528fc3255c9e95981612b4dd7562201866273760e08c0a59f3a0f93ef6753955aa3998c812878784af28dcd2bc3006a66abb5f1c906dfb6248

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2672-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2672-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2924-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2924-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2924-46-0x000000006EB00000-0x000000006EB98000-memory.dmp

Filesize
608KB

Download
memory/2924-47-0x0000000001010000-0x00000000028C5000-memory.dmp

Filesize
24.7MB

Download
memory/2924-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2924-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4020-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download