73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72

Analysis

max time kernel
296s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231215-ja
resource tags

arch:x64arch:x86image:win10v2004-20231215-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14-02-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batexe.exe
Size

9.4MB
MD5

cdc9eacffc6d2bf43153815043064427
SHA1

d05101f265f6ea87e18793ab0071f5c99edf363f
SHA256

73cc2881ef511788661955a624db9baf40ac16bc63266c5c3bb3fe62b4856d72
SHA512

fc6945957e160bf7059c936c329aae438e6c1521e5e43a8434f58058230d89e818eb6ff80331a4b952dbb600b8cc134ecba54e5641bf549723c98f85e993fde6
SSDEEP

196608:ERAefrn9wcsTRAJgwusnWpV3h9XxSeEGaT+TKkGzySdUkI56kBIyky:E5Tn9YVwdnWLXxkvLlzkuv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	b2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	batexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4448	b2e.exe
408	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe
408	cpuminer-sse2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2192-9-0x0000000000400000-0x000000000393A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 4448	2192	batexe.exe	84
PID 2192 wrote to memory of 4448	2192	batexe.exe	84
PID 2192 wrote to memory of 4448	2192	batexe.exe	84
PID 4448 wrote to memory of 1472	4448	b2e.exe	85
PID 4448 wrote to memory of 1472	4448	b2e.exe	85
PID 4448 wrote to memory of 1472	4448	b2e.exe	85
PID 1472 wrote to memory of 408	1472	cmd.exe	88
PID 1472 wrote to memory of 408	1472	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\batexe.exe
"C:\Users\Admin\AppData\Local\Temp\batexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\8A5E.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\8A5E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\8A5E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\batexe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92DA.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
      cpuminer-sse2.exe -a yespower -o stratum+tcp://yespower.sea.mine.zpool.ca:6234 --userpass=DJXKcu8iouhRppneQL9XbYQ9ovs87y4cYZ:c=doge -t 3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A5E.tmp\b2e.exe

Filesize
19.3MB

MD5
62973a8fb24fc5804cf265400a30227e

SHA1
d3d42f43b7e5216f9e4212954d1ae7ff5075f260

SHA256
d3af343ede0fed3814d9089e55cfcfeee785da1aedc93160519e442f216f2b44

SHA512
0377cf16be7d1d831f045fbf20df5e15992999c279a09b911b96d45cab32c988283cded89c9de307a3b1b7da9b8879e3928421277d5fa5c0b7ff5fe9cb2da990

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A5E.tmp\b2e.exe

Filesize
4.7MB

MD5
1d6c96590fec9e4d752d34441c14e1de

SHA1
af054f3b150a472fbfd2d7f8181e35758bc4985d

SHA256
fc3d2aeb4c2288088d5c999d0fd8a1c91a2bdc912a9fe0f55fc387d002fdbf76

SHA512
a595bdd9f3d8d0dc4b7f0ddf59384d66d1555ed953ae283cf4ffeb4cdc6b1cb4ae4f99dade07a0134ae5b4bbaf1a851a0c43ae65f87aca1172b9b690e95b0172

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A5E.tmp\b2e.exe

Filesize
2.3MB

MD5
856057ce4c662c8efada362a88016246

SHA1
0ad045d3c68412a8e1500ac11ae255dc1f9abfe0

SHA256
926f8a81133bfcbe40c11855bc455d696e5ef9e9abe373607947ca2e6672591b

SHA512
0f5f38266539e2a91ad794223ed3e1a50cfdfc6b5913fe1ed9a1f8bccac26e59f718eb2a7d4c8a48c857e7f1ff54f12cb405f510b1743b786a25c976f8c5dcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\92DA.tmp\batchfile.bat

Filesize
136B

MD5
8ea7ac72a10251ecfb42ef4a88bd330a

SHA1
c30f6af73a42c0cc89bd20fe95f9159d6f0756c5

SHA256
65e2674fc9b921a76deaf3740603359794c04e059e8937ab36eb931d65f40ec9

SHA512
a908979d588625aa24eb81238d07d88a56be5388e1265ebd2fe09889ed807aa9a4af77107e72a843c31acadbe06db0d7f6f6a3c95fb481a71e549e8eb74c2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.3MB

MD5
9bdf2f41f81641f72ed3cc26c7796e80

SHA1
75966010d3e1cf760f2735329080e875899fe1ca

SHA256
7435a6aa3ed21a551ea213a36abbf6699d4451e1af77d1bbb11a75d0ed95dec5

SHA512
af41b2e4484f2d96e4e72845209e7e32476cb76c2189443c02855cd12960f4016f57498e0d602b3dc44a993836fb28894e61a1aa53f9d8b01a0b5c2b9e5b60b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.0MB

MD5
450976f08b47b912fb2843d1700c528e

SHA1
5a92ae3f7236133f8bda410d654d1bea47865253

SHA256
0647f53b091b78ec62d5a576bcdf63b6f54b924a7b75455f222a20135b3ad876

SHA512
b90de7079dd98c637f8c2c477090cb3e1a5b55e9c817feacc07a49ee795fafdd605f115a3b43900ce396438ed91f36528770eef264571936f20fc464d77c9970

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.3MB

MD5
5e061099ce820ceb630296bbaf7dc80a

SHA1
4cb235fc424159a1b1010a451279df0274d5a0c1

SHA256
9293684c0ca321f404cdfea0aa8746ffabab9a65bb42ad0693adde13c802c2b7

SHA512
8963bc1ccb9b7d0618b105514e6fbe620a497bc716cdecbadadeb6a206fa37afd5f9a10017cd0ee90b6e8b147d71e31c8b82b6c131944d1564b36b8811b6d881

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.2MB

MD5
636e6f93c175777c98049298c1548c50

SHA1
a1354bdeb5024d665a9fbf767726ad685231dc9b

SHA256
df8672687d27d8f4eea2335bb4671720300e06f8c19e4dd9ec914ad1dd854e79

SHA512
d361b862ee1a014ebc2b17ff6ca70cf2e34113184514299108e75b6b8082e2a2c1a32b5928dfa121bd8397e1da268045515603eb104aafa07e2237016d9369f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
1.4MB

MD5
d7f8c75e99ecf93b33871bf4ff541fad

SHA1
2f619f7f9a7630ad645aaaaa02d0a96c2447e31b

SHA256
b563926d8475a8415a2510260a66a3ef45fdff65a6e49e888f8b0dada58f1ca2

SHA512
7fa67695f6aa9b3f9633ec7536a79fe5384601a20673601261d72babf7ef8d71fc71fbc64b994677e662c904b421101958e9228e30d12943774aa2960984fbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/408-47-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/408-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-43-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-46-0x0000000073260000-0x00000000732F8000-memory.dmp

Filesize
608KB

Download
memory/408-45-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/408-44-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/408-99-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-94-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/408-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2192-9-0x0000000000400000-0x000000000393A000-memory.dmp

Filesize
53.2MB

Download
memory/4448-53-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4448-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download