73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	b2e.exe
1516	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe
1516	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3508-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2572	3508	batexe.exe	85
PID 3508 wrote to memory of 2572	3508	batexe.exe	85
PID 3508 wrote to memory of 2572	3508	batexe.exe	85
PID 2572 wrote to memory of 3428	2572	b2e.exe	86
PID 2572 wrote to memory of 3428	2572	b2e.exe	86
PID 2572 wrote to memory of 3428	2572	b2e.exe	86
PID 3428 wrote to memory of 1516	3428	cmd.exe	89
PID 3428 wrote to memory of 1516	3428	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B98C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\b2e.exe

Filesize
11.0MB

MD5
b33dddc8215f26c71334afe09a9ca676

SHA1
e6c3bb2e13ecfd797c38f4c76e3a427a3a2554c9

SHA256
baf498655efa5cbdc5345ddef93c2724158bdde3d9c898cbb11b12ee01bb8f0d

SHA512
2cb1989aae3ecf3963794a726d75e7f7415e3c55f1ffc1b3392e67fb08812d75f6ec08d67ea7e043dcf5d60bcc74edde93edfe231e86339611b653532c905431

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\b2e.exe

Filesize
4.9MB

MD5
13d20f42bcf8f0af4a1a1f2356bd0a3b

SHA1
67eeffca22f7fc8a65edde96c8cd9f4fc7751144

SHA256
a12aae8d40e4dfe6f8038b6cf9a17095b1e35f5a20ff10f45c0a313672ea426e

SHA512
9bd6b202f1cc7eb5bc099063d3af3e57c119ad34f8f3ab3366476939a3737605cfc9111355f5840f779276a966eb1ebdc6139620178aa597eb3663cec837dc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6DC.tmp\b2e.exe

Filesize
5.2MB

MD5
13015dfa459e1048325f8581f5d46054

SHA1
6f6984c9d862d72be22acfca329d88e5544ff4ba

SHA256
5ba4ce2c5f0c79c07e41fbeb186521335ae060de242c49ce54feb64ff973a696

SHA512
46ef05875d1a71097f80d15a5f4db2e9d1447b5505265eca3c17972fd6974afd15387b045856a26f799fd7d2009ae250a11083fcda1ff864fd2fdc1be5002695

Download Submit
C:\Users\Admin\AppData\Local\Temp\B98C.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.0MB

MD5
11ac8f7fe62cff2fad5646b81daf078d

SHA1
9c3eefafc439d96d7f5c15da456bd31d765e4884

SHA256
1e8ee5f75c99d8b1c5f2d82bfed4bf2d6ba6a6c126879b7fcdbff1bcb8821442

SHA512
324780efd9d08132d2a68c78c61edfd27d61d9397d305360ee1a05e5e124f09907f13d26609ef58c93b7e1dc0500611d4a1099e854a7d88f7bcde9203b8084d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.2MB

MD5
c0390a12c43fa38eb632894b6ca57cba

SHA1
4c6f4f4d2afa1d8c434bbe92aafacbd1b1b2a3ce

SHA256
26ec8deb3b480400134037b26b2f234e841a668a7cd307db0beb26badd033e96

SHA512
35c3ddd7737365c9bc37d9daaead65c4c7245f3399b84f549863bc211b36f2a9c56f3e032ea97df3e68a3a699d378107475315e2d6de1932ebb06dbdaa27f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
2.0MB

MD5
f8c37799c80aa237b1d467617965367c

SHA1
e7b09c7c7bb8d87be9b74477a30dc75942ba827c

SHA256
3cb850bc88fcc2200928f65e7e8c36fd4d56e5e1cd69493a8c3b7dcb9516d51e

SHA512
c4ad061e4ae8aeee3e5a00066bdbe8740b0cce944ed05e6c4dd09443b46b122fbea556a91d6ac017918749323fb10d7cac74741cd94e7ab3e89fa7102c2f61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.9MB

MD5
387f1a27710626e7d0c4967101694af1

SHA1
96b80ce98253666091e891cead5e66eefa41258d

SHA256
44c09c74985cce87705a3e7e1e6de05298d3b797160073bf64051f895fd56331

SHA512
594ce512b47dc2a18f3d3b1f3331b57fae0d529ac3beb1a9d96ab63547442e1133e69c49717131a31e93b4c76fcf0b0be10f01d9ee6cd321d11d0010af5508e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
6d71457c7a9ca27bfa73b89e5c68ba58

SHA1
5ed74d7c93bf9d940f5d8890402ad5eb842d5e06

SHA256
adc908fbd8e716c8541e9fa38b17de478e05d4e8d8b063394223e12448be88c2

SHA512
29e5cff491c096aac0dee43d00aeb2c9ac1e9f425b67d29759797322c1ba4f4b7b8e6ba9139c348334fc4cbd6c03dfe87b96a0126c299f87fc00957e081503c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/1516-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1516-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1516-45-0x0000000073A60000-0x0000000073AF8000-memory.dmp

Filesize
608KB

Download
memory/1516-47-0x0000000000D40000-0x00000000025F5000-memory.dmp

Filesize
24.7MB

Download
memory/1516-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1516-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2572-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2572-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3508-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download