73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
294s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
3808	b2e.exe
1444	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1444	cpuminer-sse2.exe
1444	cpuminer-sse2.exe
1444	cpuminer-sse2.exe
1444	cpuminer-sse2.exe
1444	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4580-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 3808	4580	batexe.exe	85
PID 4580 wrote to memory of 3808	4580	batexe.exe	85
PID 4580 wrote to memory of 3808	4580	batexe.exe	85
PID 3808 wrote to memory of 3392	3808	b2e.exe	86
PID 3808 wrote to memory of 3392	3808	b2e.exe	86
PID 3808 wrote to memory of 3392	3808	b2e.exe	86
PID 3392 wrote to memory of 1444	3392	cmd.exe	89
PID 3392 wrote to memory of 1444	3392	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\6AD0.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6AD0.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6AD0.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D02.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6AD0.tmp\b2e.exe

Filesize
3.7MB

MD5
66f687f83150ba61194aa35044d93152

SHA1
d7bea519f2750e8c7878407cb23014bfec8dcd0a

SHA256
67f46180508a989496e73bd636b6dd11114b4e2941e69832444a16609f9fb116

SHA512
ef756f8c0f2fc38e829a34787bb68e2e6645fa006dfcdc75d0a4644d5284b7fb9137767df81ae816e73d5da43a94470cd38934f2f7836441fe8cc69c943fd9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AD0.tmp\b2e.exe

Filesize
2.2MB

MD5
21445bdc4009ca344dead766239c8b91

SHA1
f6c0a54e20c0497e1829a334d8f01bcda547a939

SHA256
23128e2063f2267181e4e3a6f732848a950648e534ec02eac4e14e13fb139a46

SHA512
8737c23d30e85a7836502dd559fd984153d6dc1ac971224a174c750e35f56bcd40d4642ab6a43e7a7e27810caa240d77bc1e0b2e66895ade98e269ea7613280d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AD0.tmp\b2e.exe

Filesize
1.7MB

MD5
f348dbef6088a9c00ec97e89e357b127

SHA1
d9b4a8d6754780097090688f8706ad1350cc77b9

SHA256
f84fddb56de471c53bacefbadc99d739d1730074e6d5a1abcdd38273d92ed64b

SHA512
cf0ea2f6a0448e1a795079cb0904aade0d4504f3b5463d85b5062205301ff3cad99fc7019135cc253a3c65e621e8561040481c02a0f9114df82c4bc7c5107c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D02.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
491KB

MD5
33a548b84119e045b6f764a6f3acdf57

SHA1
976e00ceecadb0d110bd7342e6e9fb53b52c9ae0

SHA256
19fa9413adb07e69069f3074587ee2a0067594558d716f9e2cfc4e2b438d9a1b

SHA512
ed1662ee89deac6918b97abf190fd46421df60e260e7a9bb9ab7084089c84f1e6536ba6276658e5e25c65e09186890fa1c3ccc8b27066b5028bc134b2b9aa182

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
539KB

MD5
353c2763a293112a04df59bd59a0f0fd

SHA1
fe7050aa4a6e6a401966cf20d40fa3adc5e94f5f

SHA256
efc50b4fee22c9aabb9851f6277a1a6af8f7971528c85c5b0cb40b66e97d8e2e

SHA512
fe01bb3b89339505529b7b3d9b3c904dba8e160979264428fffeaebacc7778889293115d5265086a6772aaf75f4297cfabb3fe887e5c77572e035a288f363246

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
184KB

MD5
f5e21ceea00128a78ef890f4fc5b49dd

SHA1
5a0e47015c8ba3ea85f0a6d4067acb1c1bbf43b5

SHA256
5c4f8a08ecc0f0a22c239de53117593924099d992c0e61e2810a22c58140d9cd

SHA512
79941324f341d037f65942a0ce91798144fa68874457b285ce87b875d9531d335aaaeb4ac11af5597927d7b106e1ab21c6224a5d72ab1dab7faa0a8800abfb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
286KB

MD5
e3419a63c4817837d77ff243737fb321

SHA1
f2ecd4046f928db452381bf8fddb0b9ab88ed3cc

SHA256
8a8d4c38cca812502b5811e97f7c5fd8e5ea581fd0b730fda2fd0388540302bc

SHA512
596b385da89544aa889e4f55d4e4ed447a768f832075b7fc9c692c2bc23cdbaee50de95e18fd00518efa975b06a4ec3ae87c48344df053f8dbd897fc8a15c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
128KB

MD5
48c422e815911804d8322f84e605438f

SHA1
b577cb4575fdf07ead63d0f9831833f4f30788e9

SHA256
3247538f008c10c405b77c7a1ff636bd7f7e72b0cf4b5990870c157958b4e6ea

SHA512
0278d1c8a8bb02bb70bac382c89481451ddd147f2b195fed3cf1105524358a04703be54186e138d0e1f1423441e694cd292eb890cfe66bc421eb160821548f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
165KB

MD5
1fc9453813a11837c444edb020df3fd4

SHA1
e37b43dde64b1bd1d08096e40aef6394b355600f

SHA256
d9c4b2306f2289bfd8b8b79567a6e9fae02555c4f3ff1dcef4877ec228f2c43b

SHA512
ae185b6ca811b3e314116a950dd5447c32eaa68990e3e0c15ae5ee06e8908f283bad53fd3dc35d0f5bb87f412e5fe68d1150ac05107a2869ee030e0305d10bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
533KB

MD5
f92c46c9420b02211f60b8b66073db52

SHA1
d72dafbe81ae356d018d86c2dc2a80f710f45a2a

SHA256
bd87a7c7c7bb29d2147f4354136620760800073222cd9292ce8941afee04e098

SHA512
0f7e1b696221821ad7727da55f1a34de3d062ea9c77422e50e7000103135e9441e7ba45039996cfa1507bb52fa0c1990526c0b622392747f003604d04b6d2910

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
192KB

MD5
62069650d62f76a4cdf0e81172d99993

SHA1
3b20ec5b4a4320ee15b0f7b9715a9ab90f68346e

SHA256
779a5590c667d9a704b79e159259c0646737394fd66a9c0b12d13f9445ca091c

SHA512
ae1954a84fb7543465e77a4cd5cc1bdeee0cf848592958633e6c51702b42131daae64c302d5c9537c59a9b3ba9498e5bf913d1f6f757ccdb8c4183b33224852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
256KB

MD5
1d86b9560854472453237bcbaa2e253f

SHA1
5a03a7902d250377a3e9f746badcb696e2c98228

SHA256
1493703a430c68bdcedcb4078486daca39a02820199e7b72017c7b1af66e1c8d

SHA512
afbc3d7f8e06e41db25d666999f4d162af7054a66b17a651ac8a7f092f83580a067bfa2f558be65ace5966dffaa8735fe7a579e88bf42b34eaa3e72cdec96699

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
331KB

MD5
10505e8037d1dc2c3966b7280b01679f

SHA1
9b1f0f41e86a5e79abf4b423a4ac991825489f19

SHA256
936b5ee9e8340ea048b0eea5e3a49ddb8e19970026284ecd0be3e3dc092e2f78

SHA512
00bee046ae7ecce21fc622dc037510e007c116f22dabb59ce28c67345521e1e207db0c105bbf36ddc51a6ae617ffc7fce3fca8df73286152b5ff8af3e407f671

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
205KB

MD5
0363937da168689cb106d1ce7a908b09

SHA1
1fa4dfa6ed094659e30c9f4c5294471bfde1e93d

SHA256
a5ef5745570dc335c9111ff4c5a16972f3e29ff14fa52552bd229378b92ceed0

SHA512
1ef5b3b7636e1444fd692a5a58e1716806fbab169f07c65084562efb3684c44fd19bad34f5c3a1d9280ae12cfaaea3f21c438ec1c51458b97bd6c1e2453d52f7

Download Submit
memory/1444-46-0x0000000074D80000-0x0000000074E18000-memory.dmp

Filesize
608KB

Download
memory/1444-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1444-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-45-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1444-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1444-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1444-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3808-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3808-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4580-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download