73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 05:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
6116	b2e.exe
5452	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5452	cpuminer-sse2.exe
5452	cpuminer-sse2.exe
5452	cpuminer-sse2.exe
5452	cpuminer-sse2.exe
5452	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 6116	4608	batexe.exe	85
PID 4608 wrote to memory of 6116	4608	batexe.exe	85
PID 4608 wrote to memory of 6116	4608	batexe.exe	85
PID 6116 wrote to memory of 5956	6116	b2e.exe	86
PID 6116 wrote to memory of 5956	6116	b2e.exe	86
PID 6116 wrote to memory of 5956	6116	b2e.exe	86
PID 5956 wrote to memory of 5452	5956	cmd.exe	89
PID 5956 wrote to memory of 5452	5956	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\412B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\412B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\412B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:6116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\607A.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\412B.tmp\b2e.exe

Filesize
13.7MB

MD5
8b539af8be367c855ef8ef0c12c90ece

SHA1
7040cd1a4dfd6480572355787535c19acbcaf548

SHA256
b1950609700987d2bd8fa731d2a85c249caa1237075f0757c8fa2e35a62330da

SHA512
f57c1d92e93e4b81995995d9041ca2f765bd9a532d7847af8a73009d3293d5d36f17b8e4467192d0063eb5f63751381602a4a809a0544caa54783c3e6643295c

Download Submit
C:\Users\Admin\AppData\Local\Temp\412B.tmp\b2e.exe

Filesize
2.5MB

MD5
419f84713d9d955a1bd1b8dddcd4f5b9

SHA1
e783e6c6b710b0134c11dd87fed22d1eb58e9ce3

SHA256
754566eade5179c3b96435a76df0a11d03b82062427ea89fdb7d63819c779ed9

SHA512
c6e6dd1e81a92aa3e3df4ea10afc8a35cc5628e995f07ef145cd7e7ae1b112052ef2accacee6a606634f8b8da54ae0384c932ed3aa5105a42e35d9b016c4dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\412B.tmp\b2e.exe

Filesize
2.3MB

MD5
abe7e384728f00f0802e744a36d35359

SHA1
7237d96df00bd39b76e5cba475eb2e50cf61e076

SHA256
3d9d51102217f398285ddf1592daf53a8a1a01e7ca2676199f9f6de9c27efe4e

SHA512
de8097b2544e9e2d12c7e7338bc22f9739965fedea172792b4cc02726c72708e83f5fcc9b6546025ba46697894357184a85bec764a42171dd9dc968c60d7feac

Download Submit
C:\Users\Admin\AppData\Local\Temp\607A.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
604KB

MD5
b7dd7679c52d9b19bf47228b6a343233

SHA1
ba3e26e9dd48178fbc28636dbf9cbd85c7733009

SHA256
fec22ac58b775fa343068866590097c479055480c00c7de64566839114c8410f

SHA512
ac68b69d474c8595d7188027d63fb6bbb717c9350f9438215edbf17b5ea7496f4aeaf12b6bbdd0eed14cb37e613f6e89b3d2e1fa03009e0cd8233ea2ce361f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.2MB

MD5
088d55e19cee70fd0d0a90fd30f28048

SHA1
52e3aacf49dc9c6e065dab50d4b55cc487448529

SHA256
d1fa228045750a164fbb5a53b1081bf761a347532a13987cd9dc96af04038abf

SHA512
28c175d59ed59af752beda57db09a400d65797fa23a816bde20d74cfe356cbed55798f243fe6651efe85835d68e24c02ff09b3db892dad67a4ed728cb9b89318

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
581KB

MD5
9b1d39a6e736cd9ab864bdcde508b61d

SHA1
0d6ab1c3cdc4b47fb892e10f3903005ab3dd6d6c

SHA256
77b1f6e39b5f43187ebc8a66fea03e8e2209c4cdec5233735a88c5ea21b04641

SHA512
0fe5c7fe8ad3f8391b441831a2ddca2a81047af0af60658874079d7804e8c0f91a535648bd052f9489bee802e0ebcd3e5e23660b3c098070465d8ac083bd43fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
727KB

MD5
86a7c2e4b6374bda76dbfdaa1aaf9a91

SHA1
b7a063bee538f2337bed8da434e3f8c39e933d12

SHA256
733673d09689589f52e280e736dc29a963a2e66eafda860b73387ee4400a3235

SHA512
3822be85410a8c8adff9fb302ffa291cabc6b36a4ef861cbfb022cdc6699e98b4d2e8f540359dd6a3945d944497c73016d28126dcc6a4405e87acf69c49834b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
689KB

MD5
e0e6cffe879713781d56b37a0dede6d5

SHA1
41591d8f24cb4da454e5c547065f09d6d17c806b

SHA256
331ccdb6007669bc670c35f866469c3e0b550daf55fa02695b8f2814682f8197

SHA512
6041f40c6d437ffaf28e785f53112a4ebc1813cb3204fe358c19691b647efd3bf0f916b40784654b5147c1faf94d88c4edb6394bf06aa80b30e48ac691c949ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
654KB

MD5
cebc44ac84f8e06c521d0306dd06f10f

SHA1
2100814ed018ada0273fbc378ada241879eb4f5c

SHA256
305a2710a7be2d7cce1ffe67b22ed161bd902c1db2ecaec4b107b1645ddc47ca

SHA512
435bdab8706922af2c78376b620cd382041a2fd1586685f6a690397867d0f26132e8c00d237294d1affd8600e746e41c000721242c35b70614eb689bcece5910

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
804KB

MD5
0b9e050186d32cf92e9c0bada26b7d65

SHA1
ae316df0b770981722eabe344184aa35ae09cf7b

SHA256
b23bc8ad15890c0db0b169560efcc9798babd5ac79704243455a4d2968cd6bd7

SHA512
45d85600a46b53b52b8da31dd581172a10d5dad2766933ba495da016014651dd7be9ceb0b916663c84ea81cdd563e035b03965eecba3e059a5ac4ec07a36e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
840KB

MD5
c700e5c3d4834edcccbe46db0b2965cb

SHA1
5f5002d7c26f3ddcce537a24c758fdc377070d48

SHA256
7c1f4897f29e5da5db233f71c740832a84d5fdbcfbbac421645396cd415b902c

SHA512
1779bba312088d480003985cf56c2c8e91e60bdbbcc32fdd418b164f4c23ff6ee4150e0121e54b22ec94e8b54e3cc06883e6105501e7c4ffe274a8356a8f8075

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/4608-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5452-45-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-48-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5452-47-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5452-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-49-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/5452-50-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-55-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-65-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-46-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5452-80-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5452-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/6116-29-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download