73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
293s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/02/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	batexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
5284	b2e.exe
5376	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe
5376	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5496-8-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5496 wrote to memory of 5284	5496	batexe.exe	84
PID 5496 wrote to memory of 5284	5496	batexe.exe	84
PID 5496 wrote to memory of 5284	5496	batexe.exe	84
PID 5284 wrote to memory of 5992	5284	b2e.exe	85
PID 5284 wrote to memory of 5992	5284	b2e.exe	85
PID 5284 wrote to memory of 5992	5284	b2e.exe	85
PID 5992 wrote to memory of 5376	5992	cmd.exe	88
PID 5992 wrote to memory of 5376	5992	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5496
- C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5992
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\b2e.exe

Filesize
7.9MB

MD5
7e4db1a74fb40f8e47c7b2dca7fb192f

SHA1
522f60cdbbb9821c665bde655d53a90c48d05739

SHA256
be7561657167bd3419448343ed0f87d4190009716c643d298bd27fb055864693

SHA512
5e03bf500baf0fe3c4d2a1fbc9a755a51612b2f043c17d27b5808418440196d6ec29b1cc5e9e2ded7d318413d22e27442f7fb983e7d3fae454103de355054f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\b2e.exe

Filesize
2.7MB

MD5
87a76d55fd7556d9515114de24036bb4

SHA1
9bfb5bcf51aef42e8ea0c6853b435f2f56784f37

SHA256
080436d10a183dc485be92d356df3acc35ad6b05b12b5e6d2985391990372dc0

SHA512
225c46c0ebe7132db9b2826387d8bd7b883a3d6efe1fb41bc475c667101ffd0ae36e2416d2dcba5d18fa24a2d00135487f5577c7d496d32285a51a8e8d0f5a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\b2e.exe

Filesize
2.6MB

MD5
1ac029e8224528af33fb9052fbd44e47

SHA1
72896fd307855aaf71bd6c3c074d425494bca545

SHA256
3bb0eb13c3b79e90f993a0bf75341af182128a755515711efc7ca40480810eab

SHA512
40a7bbc04052f59a78d0afa109434efac770b9d0994dd146112da32095a01aa90b2ac4072a607dcca72223d3ae1772169b939c2de4e6e6c287238d4b42e1ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
704KB

MD5
ce5f200d2d48a057722a957d5acc6426

SHA1
e7a8d4c0dc7b561dfa26e3fddaff015716187305

SHA256
cb450c8c0a952560f35f4b93f14357fc3856ee0b016eabf8bb4d20e9504d82df

SHA512
e7d3b203cc96d08b6d000f6845bbeb5777cd08babadbcb86266193ca68d8183973b3a92f5cf587df1f26bf04a182fa51001b7317c9a9e7ba868d1e26b897ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
312KB

MD5
576405cd90da939442ad5362bbc760c2

SHA1
cd3fef434fb1058f9e2171dd08ab8f6979d6fb2a

SHA256
8ea615ec90e852b5a5560a3084391adbb2b95e197c49fd74ec68d821e0dafbff

SHA512
80858aa19a53d931f738bf2d2bfe838433ccd6a750de317acd7b0b1cc392c70f31ecb10a00faddeda99a597aab31c538445e4d402a6b968d55a7c00241ac43b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
389KB

MD5
b2bbc33cad318a878b197a0213e8f8ac

SHA1
a7260d96fab30995d1288b946dca8232c5404dcb

SHA256
25a22907e61ed789c9433f747114497121e3bafb349ad7aa6bc70a5727d90d81

SHA512
e3f0d219ba3fb2beb244f9c2c9b0498229020695d8712b96540baa009e04735797a69b016a67a406db57ae8f93997ef631595e2d08faf397fd3faaacf4643386

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
431KB

MD5
b7dfad7f2c66e8dcb5bf67bff45790b9

SHA1
3d0561a14c487d5747566709ca5ada04864c7407

SHA256
5a6193d0b1b7c58db3be7e1dda7b2f8208df94477098f6f9045f62955e608b4c

SHA512
ba18cd4a7de9e00910202fee48e643bcc7aae125f6563144d5fc5563585d77e7a17ab356c1b9c246b2b421961472210eb398e77ffabd7c4f319506b0046ae980

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
335KB

MD5
df2bae0a63df90b30f0be6f2819b1fd9

SHA1
b312f84cd93c21bef1fd338efbd2ede1f25dc50a

SHA256
0ac9e1e055d8f5802186de680a4b4aa23c1f08ad011024e45c38ceaf328a1385

SHA512
74eccf4bbc5172a0bc407c31163358aa8599d49451c90f6099ce215c81a298bdee4cdbba47efa2bc7cc69c251fdb6d07ccc9f647d7b48f2826a0dd124e4b95aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
410KB

MD5
2fa45ad44b2cd9605b37b4bb205ac3fd

SHA1
253611158400a98de70938806294244258553fae

SHA256
4223ce66f6a4b7bcd2b99354acf42465d778cb41a85aeea9bf4ff593fc9fca25

SHA512
674231ff9a05dc08fa98ab77f7bda44371dc427fa1cb481ebeadd15093eafb5d4b9cd06aa48d46c73d93bfa2217383b967d7d5ceeec207515f477dd925226571

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
382KB

MD5
d23febf23e0acf3260630700c79b9b7c

SHA1
cd8c41fdd094dbe5be6d58de02dec90274ac1a9f

SHA256
ce0a7aba5d5e7e3de204e1e8cbf900bb265a25ca537dc5f540c1678f4eadf4ee

SHA512
856a9a5198e4ab61d526992309fe0dd98ba0d177b832a95a3c547d30205c72c30fda471c354c9f65e0b948a15cc6d007c5c3ad780812cb84711fe27585fc01f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
388KB

MD5
9f88b80a3afd3b91a59059e4b53a72ef

SHA1
5314eed167b43fa38fb3a5fbe4d32d770300d11d

SHA256
423fefcb158428e3b5a8a57284d551370a027d35459d44f0302a616fcabcc7e8

SHA512
30dbbbddad738ec7676ab52a8ec2c983ec60149e5177adf54616915cd4375ee666cac40543843db53767cb6fa19b58fac2d37939efbc916102cac9eecc2a6e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
210KB

MD5
4d96ededcff1a31624d0abf6998880f0

SHA1
f8a69ff7a83f982d0ea0deb8ca7930597aed0d15

SHA256
c991dbb1e1e0d7ca71a7a7db44f13338e25d77401c54ecd8633fe2ae6bd102a9

SHA512
53cc6ec70a411a8d1981c79b8b4bf358010de0cba2bf8ef7cb50b882f6d9a4eb8200b1cb01fd6ea512f2f8e9f43a36935a3e0281bda2ccfcb30d47a10f1075d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
355KB

MD5
eca1199e17e507e9ecf4613c8241edf7

SHA1
c4e71e7cde257daa60139ab737ba19879cbc1041

SHA256
edff5b1402fab23d0cabd4dab515587323e4c3db3dcf726752298e36de302dbf

SHA512
e02b98925bd421b676241c145180c0464f66e128ae5a51a1332fa4db141b667e355431b4a721f2cf1204eb5e2fc82708e5a59c94ec45f6cf753339ae5f03ed03

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
299KB

MD5
6a21ab40049855d1b423f1d5996eedaa

SHA1
fbfd2f45dd961f6bc21eb52f3d810c4429cf7be4

SHA256
27368a9370398613f892faba05aeeae7aedd695707f748c90e148bf80d65cc10

SHA512
c263b1a86f4378ca82a943723aee486b10fd3734c1d5a6b4dfb616b28fc8160f55262b9493d9e46f6c99d94f841f73bb03050172003feb49fd52331aaf2ce19f

Download Submit
memory/5284-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5284-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5376-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-45-0x0000000064990000-0x0000000064A28000-memory.dmp

Filesize
608KB

Download
memory/5376-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-47-0x0000000000EA0000-0x0000000002755000-memory.dmp

Filesize
24.7MB

Download
memory/5376-48-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-44-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/5376-46-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/5376-104-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-89-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5376-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/5496-8-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download